Email-based TOTP login method, now generally available!

12346

Answers

  • BigAl
    BigAl ✭✭✭✭

    I am following all of these discussiosn and I am thankful for all the questions and answers in this post.

    Following on some of the discussions I would like to ask the following:

    So far internally we force our users to login with "Microsoft" button and SSO, however there is no possibilty to technically only allow this option.

    Reason is that we also have many external users, which we do not have in our AD/Azure and therefore we need also the User / Password option.

    Four questions:

    1. Is there any chance to seperate internal (e.g. with domains) and external users, so that ONLY external users get the information regarding OTP. All of our internal users will be confused as they are not allowed to user user/password any longer when they would get a centrally sent mail.
    2. If I understand correctly as having Enterprise plan there will be the option to NOT use OTP. Is there a link to the user / password topic and if yes: How?
    3. Regarding OTP: Would it not make sense / is it technically possible to change the OTP that it is not necessary with every login (after 19hours) but for example not to ask for a login with user / password for e.g. 60 days as it is done by Microsoft M365. One request for every loging and then wait for an email login will really cause big discussions in our company.
    4. When will there be a finalized timeline regarding this topic including future possible improvements.

    Thanks for your help.

    Alex

  • So, since the ability to control this is for Enterprise level customers only, should I understand that SmartSheet does not value its smaller customers? Are you trying to usher us out the door ? I predict that this change will be disastrous for user engagement at my small organization. I had hoped to use SSO as a work around, but wait - that's also only for Enterprise-level customers. I've been a SmartSheet customer since 2014 and am very disappointed. There should not be a "tax" to control security on the application.

  • Joanna C.
    Joanna C. ✭✭✭

    My organization does not want TOTP enabled at all. Is there a way to disable TOTP prior to Smartsheet's May 30, 2024 release? If not, will we be able to disable it once it does launch?

  • Susan D
    Susan D ✭✭✭

    I am having issues with a new user and the sso for Microsoft. Is anyone else having issues with sso yet? I know this process of OTP is going out in phases and different time frames.

    Also, can someone comment the iterations of the roll out and the new time frame?

  • Susan D
    Susan D ✭✭✭

    For OTP- how are you planning for your group accounts and interfaces that may have users ids and passwords embedded in them

  • Hi @Joanna C. - Email TOTP cannot be disabled before the release. However, Enterprise plan SysAdmins can disable it once it launches via the Admin Center. Please refer to this help article for instructions.

  • Hi @Susan D - Please submit a support ticket if you're still having issues with Microsoft SSO.

    Regarding the timeline, the new email TOTP login method will be released by the end of May. We will eventually deprecate the password-based login method later this year (timing yet to be determined). However, ample advance notice will be given before this change.

  • Samuel Mueller
    Samuel Mueller Overachievers

    @Lekshmi Unnithan we currently have password login disabled, and area strictly SSO. Are you saying that when TOTP gets added, it will automatically be enabled, until it's turned off?

  • @Samuel Mueller - SSO strict Enterprise customers already have the password-based login method disabled, so when email TOTP launches, it will also be disabled for those accounts. Please refer to this help article for more details

  • Samuel Mueller
    Samuel Mueller Overachievers

    @Lekshmi Unnithan thank you so much for the quick clarification.

  • Jacob A
    Jacob A ✭✭✭✭✭

    Would this affect the desktop app or just the web browser login?

    Best regards,

    Jacob A. PMP, AgileXP, CSM

    Please kindly upvote if my contributions have provided you some value or answer. Thank you

  • @jacob.alabi This will impact Desktop app as well

  • Hi @BigAl

    1. Question: When you mention external users, do you mean users in your Smartsheet plan but not in your AD/Azure? Is that correct?
    2. If you have an Enterprise plan, you can disable the OTP login method. Can you clarify which user/password topic you are referring to?
    3. The OTP login will function similarly to current login methods, i.e., it will be required upon user session expiry or logout. We are treating it as another login method rather than a two-factor authentication mechanism.
    4. We aim to implement the new OTP login method by the end of May 2024. The timeline for password deprecation is not yet finalized, but we will inform our customers and provide advance notice once it is determined.

  • BigAl
    BigAl ✭✭✭✭

    Hi @Pawan Shukla,

    thanks for jumping in.

    1. Yes, they are not in our AD/Azure, but go access via share—>email adress. Most of the times they are not Smartsheet users itself. —> Any chance to differentiate here e.g. via domains or something similiar.
    2. I would like to disable the user/password option for all internal users (which are in our AD/Azure) but need it for the external users. Therefore my question is, if this is somehow linked to the option I am asking for in point 1)
    3. I thought you are introducing this method to make Smartsheet safer and not to introduce another login method? If is is to make Smartsheet safer a 2-Factor authentication mechanism makes a lot of sense but should be also user friendly. Therefore I am asking if it is not a good option to bring this up every 60 days and not for every login.
    4. Really very hard to get any precise information about timelines and dependencies. Many customer will need to inform their users in addition to you planned automatic email. We need enough time in advance and a much better understanding on the dependencies. Hope this will be sorted out soon.

    Thanks Alex

  • Lekshmi Unnithan
    Lekshmi Unnithan Employee
    Answer ✓

    Update [June 6, 2024]:

    Hello Smartsheet Community,

    We were preparing to release the email TOTP feature this afternoon, however, we discovered a bug that impacted users logging into Smartsheet via their personal account and corporate credentials on the same browser. Therefore, we have decided to delay the launch of the email TOTP login method until we can resolve this issue. We thank you for your continued patience as we strive to deliver this new login experience.

    Best regards,

    The Smartsheet Product Team