
umair
Contributor

disable 2fa for sso login

We have enabled SSO for some users in our Portal. But now when they use SSO to log in, they have to do our SSO 2FA and then the 2FA from HubSpot.

Is there any way we can disable 2FA for users logging in using SSO?

MLang1
Participant


Our company is running into similar issues. Our users are being kicked out at shorter and shorter intervals and being asked to log back in using HubSpot's 2FA. This is causing disruption in our workflow and diminishing the satisfaction of the product.

0 Upvotes
vanessahunt
Top Contributor | Platinum Partner

I'm in the same situation with a client. We've enabled SSO and disabled 2FA, but it keeps switching itself back on...

We need more admin control here, to be able to manage when we would like to disable 2FA for users who are using SSO. Please can you chip in HubSpot, if there is any workaround? I've also raised a Support Ticket about this.

BérangèreL
Community Manager

Hi @vanessahunt and all,

I understand this can be frustrating and I have shared your feedback with our Team.

Just to clarify, the 2FA requirement does not prevent the account from enforcing SSO.

If the account has SSO required, the users will only be able to log in with SSO, so there is no conflict with the 2FA requirement.

Here is the article about this "Can I turn on two-factor authentication, required two-factor authentication, SSO, and required SSO a..."

2FA will only apply to SSO exempted users who choose not to log in with SSO.

Also, you currently have a ticket open with our technical support team. It looks like the team is currently investigating this.

I would invite you to continue working with them as this may require deep troubleshooting and direct access to your account.

I hope this clarifies the situation!

Have a good day and a lovely weekend!
Bérangère




vanessahunt
Top Contributor | Platinum Partner

Hello Bérangère!

Thank you for this explanation. I think (hopefully) that it is working then as we would like - perhaps the labels just need more clarification in HubSpot to explain this.

I see in the article that it refers to Google authentication. Are you able to confirm that this also applies when using Azure for SSO?

Thanks - I shall work with the Case team to hopefully confirm it's all fine!

Thank you very much,

Vanessa

0 Upvotes
BérangèreL
Community Manager

Hello @vanessahunt 🙂

Actually, I can see that this article "Set up single sign-on (SSO)" has been updated. So, if you’re required to log into your account with SSO, you can only log in with SSO. If you’re on a new device, you must also provide a code that will be emailed to you or use 2FA if enabled. Then you click "Remember me" on your device to only be challenged for 2FA once every six months.

So, you only have to use 2FA if you are on a new device or after 6 months. This has been put in place for security reasons.

I can see in the article that Azure is also mentioned, so it should also apply to Azure, yes.

If you are seeing something different, please let me know so that I can investigate further for you.

Thanks,
Bérangère




0 Upvotes
vanessahunt
Top Contributor | Platinum Partner

Hi Bérangère,

Yes, I'm seeing different behaviour. I've logged in previously from the same device, and am still being requested for 2FA each time. I've logged a ticket with support and sent them a video of the different behaviour I'm seeing.

Please let me know if you'd like to connect directly to test. My email is vanessa@vanessahunt.co.uk - thanks!

I logged my ticket through my client's portal, since it's specifically for them that I am trying to resolve this right now.

Best wishes and thanks in advance,

Vanessa

0 Upvotes
BérangèreL
Community Manager

Hi @vanessahunt and @TWallen,

Thank you very much for sharing your experiences and for your much appreciated feedback.

I would like to apologize for the frustration this has caused.

I can see that you currently have a ticket open with our technical support team. It looks like the team is currently investigating this.

I would invite you to continue working with them as this may require deep troubleshooting and direct access to your account.

Also, the Support Team is your best point of contact for this since it is included in your subscription.

Thank you,
Bérangère




0 Upvotes
TWallen
Contributor


Hi @vanessahunt and @BérangèreL. Chiming in here because my organization is experiencing the same frustrations/limitations as Vanessa.

We require SSO log-in for all users (also using Azure). However, users are getting prompted for 2FA through HubSpot after they've completed their SSO log-in. It creates a clunky user experience, especially if Azure just required 2FA.

HubSpot chat support has clarified 2FA is a requirement for all Enterprise accounts. The requirement for 2FA started late 2022.

To reiterate the sentiment, it really limits what we can do as admins to control the log-in behaviors.

Ideally, there would be a setting to disregard HubSpot's 2FA if the user is being required to log in via SSO.

JReid39
Member


FWIW - I really don't understand this direction from HubSpot. Like other folks on this thread (and I imagine many more) we choose to use Google SSO w/ 2FA as it is secure and consistent for users across a variety of applications.

AFAICT, having an additional HubSpot 2FA prompt on top of the Google SSO 2FA does not provide any additional security (unless for some reason the 2FA device is different across those two which strikes me as exceedingly rare). So this just becomes an extra step with no value add.

Just today I had to bother an admin on the weekend to remove 2FA from my HubSpot account so that I could log in. I don't recall ever setting up 2FA explicitly for HubSpot and couldn't get past the HubSpot 2FA prompt after logging in with Google SSO. This was a super frustrating experience.

0 Upvotes
AReagan
Participant


We also experience this due to having multiple outbound IP addresses from our network. HubSpot accounts that only allow SSO for authentication should be exempt from HubSpot's internal MFA. It provides a poor user experience and defeats all of the convenience of SSO.

PamCotton
Community Manager

@AReagan, I want to update that the way the system is currently set up, your account is automatically set up to require verified login (2FA or CTL) for all users, regardless of whether they sign in via SSO or are exempted users. This is an added security measure HubSpot has been implementing over the past few months to ensure our customers' data is as protected as possible.

You can choose whether to require HubSpot 2FA or just have confirm to log in (emailed code), but there currently is not a way to exempt your Okta users from the verified login and require 2FA for SSO-exempt users.

I hope this helps.

Pam





umair
Contributor


Hi Pam,

Thank you for the information.

Does that mean our users will not get 2FA notification if they are logging in using SSO?

We have a few users that can't be added to SSO but all the others will use SSO. In this case we want SSO users to not get 2FA prompt as we already have 2FA for our login. But the users signing in using HubSpot should be prompted with 2FA.

Best,

Umair

0 Upvotes
PamCotton
Community Manager

Hello @umair

After checking in with our internal team, I would like to apologize for any confusion that occurred. A new security feature was released on November 3 to ensure our users’ accounts are as secure as possible. Relying on our own platform’s security tools helps, since third-party providers (like Ping) can be vulnerable. This security feature added an additional layer of either 2FA or confirm to log in for users even if they were logging in via SSO. Based on feedback from the initial release, we've temporarily paused the rollout of this feature, but we plan to enforce it in the near future. It is not currently enforced on your account, so you can turn 2FA off at this point.

If you would like to get ahead of this rollout, you can encourage your team to make sure their 2FA is up-to-date with the correct phone number and/or authentication device. Once the feature is re-released, you will be able to control whether or not your users have to use 2FA (from your security settings). If you decide to leave it unchecked, your users will still be prompted with an email code for each new device that they log in from.

I hope this helps,

Pam





ABucksteeg
Member


Hi, I was configuring SSO with Google and my expectation would be that users logging in via SSO (Google) are NOT required to use a 2FA as this is already managed in Google in our case using SecurityKeys.

Requiring the user to enter yet another HubSpot 2FA defeats the purpose of achieving a secure yet convenient setup for our employees.

"This security feature added an additional layer of either 2FA or confirm to log in for users even if they were logging in via SSO."

Our requirement basically conflicts with this statement. Can you please let me know if your position has changed on the topic?

Best,

Andreas

0 Upvotes