Be aware of upcoming changes to your Smartsheet login options


Answers

  • Dan Britton

    @Lekshmi Unnithan

    Thanks for your response and your technical teams' efforts on this question. To clarify, we use the OdbcConnection class in the .NET System.Data.Odbc namespace to connect through Smartsheet's Live Data Connector driver using an ODBC connection string that contains the email/password login for our automation account. We pass SQL queries through that connection. If you need further detail, please let me know.

  • Krambo

    @Lekshmi Unnithan, I believe it just uses my login credentials to update probably hundreds of times a day from Zendesk ticket updates into Smartsheet.

  • TJohnson

    @Lekshmi Unnithan

    I appreciate you providing responses to all users on this post and I completely understand the need to adapt and provide more secure authentication methods for your customers.

    Another big concern is what this does to the user experience. I don't want to speak for all of your customers, but I assume most will have some type of spam filter, and then of course Outlook and its own delays in delivering an email. What will this do to the user experience? Has the dev team tested this within different environments? How long should I tell my users to wait for the code before giving up and requesting another? I anticipate most of my users will not appreciate the additional wait time to simply log into their account and start their day. I saw in another post you had mentioned 19 hours is the timeout period. Is it reasonable to suspect that if my user logs in at 8am, inputs the code, and goes about their day, they will be prompted for the code the next day as well? Does that require them to keep the Smartsheet browser up all day? What if they close out the browser and open it again in the afternoon, will they still need the email code?

    Is there any pilot program where System Admins can test this out in our own environments to get a better idea of what we need to prepare our users for? Or will we be in the dark until the change is implemented and find out along with our users?

    Thank you,

    Terry

  • BYoung

    @Lekshmi Unnithan - Thank you for all of your kind responses to our negative feedback. I'd hate to have to do it, and I really appreciate your kindness. Please hear this question as a true question - I'm not trying to be argumentative or even rude. I really am wondering about something you wrote in the response to TJohnson above. "Our goal is not to disrupt but to enhance and secure the way..." I think you are hearing from our responses that this definitely feels like a disruption to workflow. I understand Smartsheet is seeking more security, but how does this enhance? For real - I am asking how the way I work with Smartsheet is being enhanced by this change? It FEELS like we are getting more disruption in workflow for tightened security, but I don't understand what is being enhanced. I think this is why so many are suggesting simpler, quicker authentication through apps. I can appreciate my information (and your system) being more secure. I would guess MANY of us who use Smartsheet are also web based in other tools and software, so these concepts of security are not new. But - moving to an email based authentication feels like a big step backward, especially compared to other experiences with online based systems.

  • PMO IOS

    Will the TOTP be the method used for free accounts by June as well?

  • D Hansen

    Our organization works extensively with external collaborators. One of the biggest risks we face is when we grant access to an employee of another organization and we are not informed when they leave. Without email-based one-time passcode authentication (tied to their corporate email domain), an external employee at another org could use their corp email address and password to access information in a Sheet / Workspace. Connecting the one-time passcode (OTPC) to email allows us to rely on that entity removing access to their email address as a control. As terrible as OTPC is, it is the simplest method we can conceive of to minimize this risk and add some additional authentication method.

    The functionality recently released for external collaborator SSO / MFA authentication is not practical to roll out without extensive documentation and dialogue with the IT Departments at external organizations. We've tried - it doesn't work. It's a never-ending loop of failing authentication that continuously takes users back to the main auth page of Smartsheet - https://www.smartsheet.com/content-center/secure-external-collaboration-new-require-corporate-account-and-require-multi-factor

    For what it's worth, we greatly appreciate this soon-to-come OTPC option. Amongst all the haters, thank you for implementing this.

  • JMSK

    The Upcoming Changes notification received March 11 indicated that all users will be notified mid-March.

    Can anyone confirm this has been sent? I have checked with several of my general users and there has been nothing received.

    If this hasn't been sent, can an updated communication timeline be provided by the Smartsheet team?

    Thank you

  • DanR

    I watch how our employees use Smartsheet. While I’m ALWAYS logged into Smartsheet all day every day, they are not. They log in when they need to check something, then they close out their browser tab. If I understand the messages I’ve received correctly, the login process will soon require them to enter their email and password, wait for an email to show up in their inbox, then enter a number on the browser to complete their login. This will complicate and slow down their access at least threefold (that’s if the internet is working efficiently that day) and greatly discourage people from checking in regularly to their Smartsheets. Furthermore, this may not be so bad for people working in front of a desktop with multiple screens, but it will be even harder for our field personnel, working on a laptop or iPad. Even further complicating it is when we invite people outside our organization to participate in processes on our Smartsheets.

    I am dreading the day when you roll this out. It’s hard enough getting people to change their behavior and adopt all the new Smartsheet systems I’ve built, but now we’re being forced into this higher level of security that we just don’t need for our organization. We do not have an enterprise account, so we will not be allowed to opt out of this level of security. It just doesn’t make sense to me. Enterprise level companies are the ones who probably want this level of security. We smaller companies don’t need it, yet we’re the ones who have no choice. Please, please reconsider how you’re configuring this new feature. Let us all opt in or opt out as needed. Limiting the opt out to enterprise only is terribly frustrating for us.

  • Steve Rohrdanz

    My company has the Business plan and as I understand it, we will not be able to opt out of email-based TOTP, and at some point, the traditional user/password login method will be disabled, correct?

    When will the security change take effect and is there a way individual users can test the process before the deadline? Thanks.

  • @Lekshmi Unnithan - The email talking about this upgrade mentioned that Enterprise plans could disable TOTP. We have a Business plan and it also needs to be able to disable this. We have multiple laptops deployed for vendors' use at sales events that have auto logins and have no access to email. Having TOTP would make our Smartsheet solution no longer viable and I do not want to upgrade to Enterprise. What options do I have?

  • Sam C

    I'm glad OTP is being offered. It's one less password that we have to remember and many of our other services/platforms are switching to this method anyway. Most of our users prefer this method of login because it's more secure.

    I don't see it yet as an option to enable OTP (I'm the sys admin), even after following the directions on another help page. When will it be enabled officially so I can notify my users and screenshot what it will look like for them?

  • Lekshmi Unnithan

    Hi @Dan Britton - the Live Data Connector can use access tokens instead of email/password in the ODBC connection string. Let me know if that answers your question.

  • Lekshmi Unnithan

    Hi @TJohnson - We are requesting customers to add the "notification@system.smartsheet.com" domain to their company's email service provider allowlists so that OTP emails don't get marked as spam.

    Additionally, we recommend waiting for 5-10 minutes for the code in case of email traffic delays. Each code is valid for 10 minutes.

    Example scenario #1: If the user logs in to Smartsheet and takes their only action at 8am, the session is valid until 3am the following day (19 hours). However, if the user uses Smartsheet again before the 19 hours are up (before 3am the next day), then they will not need to log in to Smartsheet for another 19 hours. Let me know if that makes sense.

    Example scenario #2: If the user logs in to Smartsheet and takes their only action at 8am, the session is valid until 3am the following day (19 hours). So, if they close the browser with Smartsheet around 3pm the same day, but open Smartsheet again before 3am the following day, they will not need to log in again.

    Regarding testing email OTP out, we're releasing this feature soon. When this becomes available, rest assured that users will still have the traditional password-based login method available to them, and you can test the email OTP feature in your own environment. Eventually, we'll deprecate the password-based login method, but we'll provide an ample advance notice period and communications when we decide to do so.
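    The session behaviour and code lifetime in the reply above, modelled as an added example (not Smartsheet's code or anything from this thread): the 19-hour window is treated as a sliding idle limit that every action extends, which is how scenarios #1 and #2 read, and all dates are constructed.

```python
from datetime import datetime, timedelta

# Values quoted in the reply above. The interpretation of the session as a
# sliding idle window (each action extends it by 19 hours) is an assumption
# drawn from scenarios #1 and #2, not a documented Smartsheet rule.
SESSION_IDLE_LIMIT = timedelta(hours=19)
OTP_CODE_LIFETIME = timedelta(minutes=10)


def logins_required(activity_iso, idle_limit=SESSION_IDLE_LIMIT):
    """Return the timestamps (ISO strings) at which a fresh login, i.e.
    password plus email OTP, is needed for the given sequence of user actions.

    Each action pushes the session expiry to action time + idle_limit; an
    action at or after the current expiry starts a new session.
    """
    expires_at = None
    logins = []
    for stamp in sorted(datetime.fromisoformat(s) for s in activity_iso):
        if expires_at is None or stamp >= expires_at:
            logins.append(stamp.isoformat())
        expires_at = stamp + idle_limit
    return logins


def otp_code_usable(sent_iso, entered_iso, lifetime=OTP_CODE_LIFETIME):
    """True if a code emailed at sent_iso is still accepted when entered at
    entered_iso: codes expire after `lifetime`, and a code "entered" before it
    was sent (clock skew or replay of an old code) is rejected."""
    age = datetime.fromisoformat(entered_iso) - datetime.fromisoformat(sent_iso)
    return timedelta(0) <= age <= lifetime


if __name__ == "__main__":
    # Constructed dates. Scenario #1: the only action is at 08:00, so the
    # session lapses at 03:00 the next day and the 09:00 visit needs a new login.
    print(logins_required(["2024-03-11T08:00", "2024-03-12T09:00"]))
    # Scenario #2: closing the browser at 15:00 and returning at 02:00 is
    # inside the window, so only the first visit requires a login.
    print(logins_required(["2024-03-11T08:00", "2024-03-11T15:00", "2024-03-12T02:00"]))
    # A code entered 9 minutes after it was sent is still within the 10-minute lifetime.
    print(otp_code_usable("2024-03-11T08:00", "2024-03-11T08:09"))
```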

  • Lekshmi Unnithan

    Hi @BYoung - For customers without access to 3rd party authenticator apps, email OTP provides a more secure, native 2FA experience since all the user needs is access to their email. That said, I want to share that email OTP and eventually phasing out passwords is only our first step in enhancing our authentication security — we are actively exploring additional MFA options for the future.