Email-based TOTP login method, now generally available!
Answers
-
Will this have any impact on the System Admin Fallback authentication method?
-
@Samuel Mueller Thanks for the feedback. I can do this, but I am hoping that Smartsheet will exclude SSO users from the email in the first place, as it's likely that many will ignore this communication as it does not affect them directly.
-
@Lekshmi Unnithan Similar to what @Chris McLaughlin mentioned, we also use "Sign in with Google", which allows all of our users to take advantage of all of the security features we have enabled with Google.
Will the "Sign in with Google" option no longer be available?
-
@Sharif_Akkara Per an earlier response from @Lekshmi Unnithan
-
My organization uses SSO but we have our SmartsheetAdmin account. Disabling password authentication would be an absolute disaster for our organization's ability to function, as we use this account frequently for other integrations (homegrown, similar to Zapier/ZenDesk).
Will this create issues for the admin fallback account?
-
What about accounts that are used solely for APIs? How would those be affected by this change?
-
How is this going to affect the Live Data Connector? Right now my code passes in the Uid and Pwd in the ODBC connection string.
-
Similar to prior questions that haven't been answered, how long will a TOTP login last?
Will I be ok for the day like I am today, or every time I close Smartsheet and relaunch will I need to log in again via email password?
-
Hello @Lekshmi Unnithan,
The "Be aware of upcoming changes to your Smartsheet login options" announcement contained:
"We're committed to transparent communication. Starting mid-March, we'll notify all end-users via email and in-app bulletins about these upcoming changes."
Please define "end-users", hence who will receive these communiques. Our company has a business license and many internal/external folks who are not licensed users (viewers, collaborators, etc.). Will they all receive the email communications regarding the TOTP change, or only a subset of them? If a subset, who exactly does it include?
Regards,
Mike Babinec
-
Time for a condensed clarification here, I guess.
Very good and yet unanswered questions:
- What happens to the admin fallback login, when you disable email based login?
- Why not support FIDO/U2F?
- What happens to accounts used for API connections, when you disable email based login?
A few answers to questions asked here from the help article linked in the post by Lekshmi:
- TOTP is valid for 10 minutes
- SSO configurations will not be affected
- I have already seen some TOTP-style authentication processes. Usually works well, but I already had cases when the email took minutes to arrive (congestion?).
Greetings
Stefan
Smartsheet Consulting, Solution Building, Training and Support.
Projects for Processes and for People.
-
Can you post screenshots and/or documentation that the users will see for us?
-
@Lekshmi Unnithan will the Smartsheet team be following up on the concerns raised in the comments on this post?
Smartsheet is correct that brute force attacks, phishing, and password theft are real issues; however, it seems we've reached the wrong resulting conclusion.
Deprecating entirely the password-based architecture in favor of email-only TOTP is the wrong solution. We should be adding true modern MFA with app-based authentication *in addition to* password sign-in.
-
Hi Simon - If the plan has disabled email and password based login, then email-based TOTP will not be automatically enabled for its users when the feature is released. To avoid confusion, we will exclude such users from receiving further communications about email-based TOTP. SysAdmins of these plans still have the option to enable email TOTP at a later time. In such cases, the SysAdmin will be responsible for alerting end users about the new email TOTP option.
-
Hi Chris - The option to sign in with Google will not be removed. Any existing “Sign in with Google/Azure/Apple” authentication flows will not be changed. Email-based TOTP will be an additional login option when it releases.
-
Hi Sharif - The option to sign in with Google will not be removed. Any existing “Sign in with Google/Azure/Apple” authentication flows will not be changed. Email-based TOTP will be an additional login option when it releases.