Preparing for a Password-Free Future in Smartsheet: Share Your Feedback!

As part of our ongoing commitment to security and authentication best practices, we are preparing to deprecate password-based login for Smartsheet accounts. Our goal is to transition to more secure authentication methods, such as email-based Time-Based One-Time Passwords (TOTP) and eventually full two-factor authentication (2FA) for non-SSO user logins.

We know this is a significant change, and we want to ensure a smooth transition for all our customers. That’s why we’re restarting our customer communication and gathering feedback on various scenarios where password deprecation may introduce challenges.

Here are a few key customer challenges we’re addressing:

Service Accounts: Many customers currently use service accounts authenticated via email/password for API integrations. As a security best practice for API authentication, we propose that relevant customers authenticate API via user access tokens. In the future, we plan to introduce dedicated service accounts. For help please refer to this community post.
Business Plan OTP Restrictions: Some customers use shared laptops or share Smartsheet accounts at events. To maintain your access while ensuring ample security protections, we recommend leveraging external collaboration features instead of sharing the same Smartsheet account. When assets are shared with these external users, they will create individual Smartsheet accounts enabling them to access the shared assets as external collaborators.
Accounts Without Associated Mailboxes: If your organization has Smartsheet accounts registered to emails without mailboxes, our recommendation is to update those emails to active mailbox accounts or use alternative authentication methods.

We understand that every organization has unique workflows, and we want to hear from you! Please share your thoughts, concerns, and any additional scenarios we should consider in the comments below. Your feedback will help us refine our approach and ensure we provide the best possible transition strategy.

Our rough target timeline for password deprecation is early H2 2025. Now is the time to engage, so let us know what you think!

👉 Join the conversation and let us know how this change impacts you!

Find more posts tagged with

Security

MFA

2FA

Authentication

Comments

eliweitz

This sounds good!

My only ask is that you iron out the service account solution BEFORE removing standard authentication, as it would potentially break solutions that still require it but cannot use access tokens (for example: Microsoft Power BI integrations).

As well, would love the ability to utilize a separate code-generating application, like Duo or Microsoft Authenticator rather than using Email OTPs across the board.

Scott Peters

@Pawan Shukla - Can you please describe how this would work for new users signing up for a Smartsheet Account? In that moment, the user is not part of an organization's SSO (yet). Would they only have the option to use TOTP, and never set a password?

Samuel Mueller

If an email account is compromised, doesn't this ensure that the Smartsheet account is also compromised? What are your recommendations for this?

For API Keys. Can you implement a process to transfer API Keys when you deactivate a user? User Based API accounts prevents continuity of business processes with turnover. Or can you elaborate on best practices around business process continuity in these situations?

Katlyn Gossett

If it is anything similar to not being able to sign in with your email and password, then I say no go. Being forced to go to my group email address to find the code is causing delays in my workflow.

Pawan Shukla

https://community.smartsheet.com/discussion/comment/476680#Comment_476680

Hi @eliweitz ,

Thanks for your response! We recommend using OAuth-based connections for external apps instead of password-based connections. Power BI can securely connect to Smartsheet via OAuth. Here’s the guide on how to set that up https://learn.microsoft.com/en-us/power-bi/connect-data/service-connect-to-smartsheet.

Additionally, we’re planning to introduce a second factor of authentication for non-SSO users. We're still exploring options like authenticator apps or push notifications via the Smartsheet app. This second factor will be configurable by system admins for their Smartsheet instance.

Let me know if you have any questions!

Pawan Shukla

https://community.smartsheet.com/discussion/comment/476755#Comment_476755

Hi @Scott Peters

Once password-based login is deprecated, new users won’t create a password during sign-up

If domain level SSO is enabled for their email domain, they’ll use that SSO from their first login.
If not, they’ll log in using email-based OTP to complete their first login. In case of plan-level SSO, they will use plan level SSO once they are added to plan by plan's system admin.

Pawan Shukla

https://community.smartsheet.com/discussion/comment/477132#Comment_477132

Hi @Samuel Mueller ,

We recommend SSO as the preferred login method for maximum security and ease of use. Email-based OTP is intended as a backup option—the least preferred—but necessary for users without SSO access.

That said, if a user’s email is compromised, it presents a much larger risk beyond Smartsheet, potentially exposing access to multiple platforms and sensitive data. Email security is outside Smartsheet’s control and depends on the user and their email provider.

It’s also important to know that many leading SaaS platforms, including Salesforce, use email-based codes for authentication—making it a widely accepted industry standard. Email-based OTP provides a good balance of security and accessibility when other login methods aren’t available.

We’re also continuing to explore stronger authentication options for non-SSO users to further enhance security.

Pawan Shukla

https://community.smartsheet.com/discussion/comment/477437#Comment_477437

Thanks @Katlyn Gossett , you mentioned workflow. Can you pls share the use case you are referring to with workflow?

Scott Peters

@Pawan Shukla - Can you describe how this will work for WorkApps? Per screenshot below, A WorkApp published link does not prompt the user for SSO credentials or Email-based OTP

Sarah Keortge

Service Accounts are my biggest concern. We use them to power Control Center, Bridge, and all other premium SS apps, as well as for integrations with tools like MS Power Automate, Power BI. These accounts are meant to run applications without interruption (reauthentication).

Pawan Shukla

https://community.smartsheet.com/discussion/comment/477728#Comment_477728

@Scott Peters

The screen you shared is the welcome screen shown to every user on their first login. At this stage, Smartsheet doesn’t know the user’s email address. Once the user enters their email, Smartsheet checks the allowed login methods for that user and displays them on the next screen.

For example:

If the user’s organization enforces strict SAML, they are redirected directly to their company’s SAML login.
If the user is allowed to log in via Email-based OTP or Google SSO, those options are displayed.

For returning users (from their second login onwards), Smartsheet remembers the allowed login method from cookies and shows it on the first screen itself. Hope this answers your question. Let me know if you have any more question.

Pawan Shukla

https://community.smartsheet.com/discussion/comment/477880#Comment_477880

Hi @Sarah Keortge ,

Using email/password for authentication in API-driven integrations poses a high risk to data security. We strongly recommend switching to token-based authentication to better protect your data and reduce the risk of security incidents.

Please ask your developers to update all such integrations to use tokens instead and secure your integrations. Smartsheet provides a standard and secure process for generating tokens, which can easily be used in your integrations. Detailed guidance is available in our help documentation. We want our customers to use all available tools to secure their data.

Vuckecucke

@Pawan Shukla What does this means for FORM users (free account), same domain as licensed account ?

Samuel Mueller

Will System Admin Fallback default to email OTP as well?

Pawan Shukla

https://community.smartsheet.com/discussion/comment/478168#Comment_478168

@Vuckecucke free account users will log in to Smartsheet using email-based OTP

Sign in to join the conversation!

Quick Links

Trending discussions

Enhancing guest passkey security in Brandfolder
September, 19, 2025 At Brandfolder, protecting your assets is our top priority. We’re excited to announce significant upgrades to our guest passkey feature, providing you with more security and control over how guests access your protected Brandfolders and Collections. What’s Changing? This release introduces a more secure…
Smartsheet Link Previews now available in MS Teams!
September, 19, 2025 Smartsheet URLs just got smarter in MS Teams—users will now see instant link previews that provide visual context at a glance, making collaboration faster, clearer, and more connected than ever. Try it out now with Smartsheet links in Microsoft Teams! Environment Availability: All Plan Availability: All…
Custom error messages for column links
September 17, 2025 You can now define a custom error message per mapped column in the case where column links do not return a record match (instead of the default #NO MATCH). Learn More Environments availability: (options available to list, separate with comma, Commercial US, Environments availability: Commercial US,…