Multifactor authentication using DUO, how do we allow external users

I am not part of my organization's infrastructure group, so I don't have all of the information about this, but I want to ask the community's advice about this.

We need to turn on SSO, and my engineer tells me that everyone who needs to access our objects will need to use SSO and that means that they need to be in our DUO tenant. Is that correct? Is there not an option to force external users to 2FA using their email address?

Best Answer

  • Genevieve P. (Employee), Answer ✓

    Hi @James Keuning,

    When users log into Smartsheet they are authenticated via whatever method their plan dictates/allows. What plan they are on is based first on email address (i.e., does this person exist on a plan), then email domain (if the domain is set up for user auto-provisioning via our Enterprise/Premier plan).

    This means that external users are not logging into your environment but are logging into the Smartsheet platform. Then once inside they are able to access any assets (Sheets, Reports, Dashboards) that are explicitly shared to them. 

    For example, when I login, some sheets could be from my sister's Design company in her Business plan, some could be from my own company on an Enterprise plan, and others could be from people on other plans... family, friends, etc. 

    See: Manage Authentication Options for an Enterprise Plan (System Admin)


    This means you cannot enforce how people outside your plan authenticate into the Smartsheet platform, as those people may have a plan of their own that is already dictating that. 

    If your security requirements are strict and you require 2FA for anyone accessing your content, and if you are on Enterprise/Premier, you can block people within your plan from sharing Sheets to external domains. This would technically mean that you could enforce how people log in to view content within your plan. See: Set up an approved domain sharing list

    However, keep in mind that this is still only dictating the login method for users within your plans/domains, as people outside your domain wouldn't have access to your content at all.

    You could potentially block domains until you have vetted with that external party that they are also logging into SMAR via 2FA (that external party would also need to be in an Enterprise plan or above).

    I hope this helps!

    Genevieve
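    As an added illustration (not Smartsheet's code, and no claim about how its approved-domain list is implemented), the sharing control described above can be modelled as a policy check on the recipient's email domain: internal addresses are allowed because the plan's own SSO/2FA applies, external domains are allowed only once an admin has recorded that the partner was vetted for 2FA, and everything else is blocked. The domain names and the `partner_enforces_2fa` flag are constructed for the example.

```python
"""Model of an approved-domain sharing check (illustrative, not Smartsheet's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedDomain:
    domain: str                 # canonical lowercase ASCII (punycode) form
    partner_enforces_2fa: bool  # recorded by the admin after vetting the partner


def canonical_domain(email: str) -> str:
    """Return the canonical domain of an address, or '' if it is not parseable.

    Lowercases, strips a trailing dot, and encodes IDNs as punycode so that a
    lookalike domain (e.g. a Cyrillic 'a' in 'example.com') cannot match the
    ASCII entry on the approved list.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in domain:
        return ""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return ""


class SharingPolicy:
    """Decides whether a sheet may be shared to a given recipient address."""

    def __init__(self, home_domains, approved):
        self.home = {canonical_domain("x@" + d) for d in home_domains}
        # Exact-match only: a subdomain of an approved domain is NOT approved
        # automatically, which is the conservative choice for an allowlist.
        self.approved = {a.domain: a for a in approved}

    def decide(self, recipient_email: str) -> tuple[bool, str]:
        dom = canonical_domain(recipient_email)
        if not dom:
            return False, "unparseable recipient address"
        if dom in self.home:
            return True, "internal user; the plan's SSO/2FA applies"
        entry = self.approved.get(dom)
        if entry is None:
            return False, f"{dom} is not on the approved sharing list"
        if not entry.partner_enforces_2fa:
            return False, f"{dom} is listed but partner 2FA is not yet vetted"
        return True, f"{dom} vetted: partner enforces 2FA"
```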

Answers

  • James Keuning ✭✭✭✭✭

    That makes total sense! Thank you!

  • Rsteer ✭✭

    @James Keuning , @Genevieve P. -- Actually, Genevieve's answer DOESN'T "make total sense", but it's an easy excuse for not having robust security options. Whether an external user is logging into your "environment" (versus Smartsheet's environment), as she tries to distinguish, is largely irrelevant to security; access to DATA is the key thing that you're trying to secure. If the data is sensitive, it should not be accessible via just a password. If the external user has ALREADY validated into their company's account (assuming they have one) using a method equal to or stronger than the method you want to enforce, then maybe giving them a pass makes sense. But data owners should be able to establish a MINIMUM authentication strength for someone to access their data. The best data-sharing platforms (like Box.com) already do that.

  • Agree with Rsteer - it is not acceptable that 2FA is only "allowed" for enterprise plans... anyone who is familiar with current security issues would know that SMEs are far more targeted and hacked than F500 companies... it is not Smart not to have 2FA enabled for all types of plans.