HubSpot Ideas

JacquelineOng

Force log out users without 2FA enabled

Posting on behalf of a customer:


Goal:

  • Have all users in the portal enable 2FA 

Situation:

  • Super Admin has enabled portal-wide 2FA, which will send out an email and in-app notification to the user to prompt them to set up 2FA. Users have a 24h grace period to do so. After 24h, if they have not yet set it up, users will be asked to set up 2FA when they try to log in to HubSpot.

Roadblock

  • 75% of active users do comply and set up 2FA. However, some users who are already logged into HubSpot (meaning that their last login was prior to the 2FA setting being turned on) and who are active in the account (looking at the "Last Active" column in user settings) can still use HubSpot without having 2FA set up.
  • This could be because they had previously selected the "Remember Me" checkbox when signing in and did not clear their browser cache or cookies, which remembers their login preferences for up to 30 days, and thus they are able to remain logged in without setting up 2FA.
  • Essentially, out of security concerns, the customer wanted to kick users out of HubSpot and have them re-login again if they did not set up 2FA within 24h of them turning it on.

To quote user:

  • "If we allow 30 days for users to voluntarily do the set up there may be a breach of security in the grace period. In addition, I understand from your point of view that Hubspot should not have much impact on customers' operations.
  • However, from the administrator point of view, we would like to make our action come into effect as soon as possible. The administrator authority on the Hubspot platform should not be controlled outside the platform (i.e. using email via MS Outlook)"
  • To summarize our idea again: (1) force log out after 24 hours since the toggle is on (2) if you cannot clear the login cookies, then there should be a session timeout. In this case, the parameter is set as 30 days and we suggest reducing it to 3 days or 7 days.
    • Regarding (1) I would like to make a request to have a button of "force log out" under the "2FA require" toggle for the Super Admin to do that. Now the option is available and the decision-maker will be the Super Admin. HubSpot allows the customer to do so but will not be blamed for the customer's decision.
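The enforcement the post asks for, modelled as server-side session validation: sessions issued before the toggle stop being honoured once the 24h grace period ends, session lifetime gets a hard cap far shorter than a long-lived "remember me" cookie, and a Super Admin "force log out" invalidates every outstanding session at once. This is an added example, not HubSpot's code; the 7-day cap, the session epoch mechanism and the User/Session/Policy names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=24)          # grace period described in the post
MAX_SESSION_AGE = timedelta(days=7)  # hypothetical cap instead of a 180-day "remember me" cookie

@dataclass
class User:
    has_2fa: bool

@dataclass
class Session:
    issued_at: datetime
    epoch: int  # account-wide session epoch captured when the cookie was issued

@dataclass
class Policy:
    require_2fa_since: "datetime | None" = None  # when the Super Admin turned the toggle on
    epoch: int = 0                               # bumped by the "force log out" button
    def force_logout_all(self) -> None:
        self.epoch += 1  # every outstanding session now fails the epoch check

def session_is_valid(s: Session, u: User, p: Policy, now: datetime) -> tuple:
    """Decide whether a presented session cookie is still honoured."""
    if s.epoch != p.epoch:                   # minted before a force log-out
        return False, "revoked by force log out"
    if now - s.issued_at > MAX_SESSION_AGE:  # hard lifetime cap, "remember me" or not
        return False, "session older than max age"
    if (p.require_2fa_since is not None and not u.has_2fa
            and now >= p.require_2fa_since + GRACE):
        return False, "2FA required and grace period expired"  # even if issued before the toggle
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: toggle turned on at t0; both users logged in two days earlier."""
    t0 = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
    p = Policy(require_2fa_since=t0)
    alice, bob = User(has_2fa=False), User(has_2fa=True)
    old = Session(issued_at=t0 - timedelta(days=2), epoch=0)  # same cookie age for both
    h = timedelta(hours=1)
    out = {
        "alice_in_grace": session_is_valid(old, alice, p, t0 + h)[1],
        "alice_after_grace": session_is_valid(old, alice, p, t0 + 25 * h)[1],
        "bob_after_grace": session_is_valid(old, bob, p, t0 + 25 * h)[1],
        "bob_after_cap": session_is_valid(old, bob, p, t0 + timedelta(days=6))[1],
    }
    p.force_logout_all()
    out["bob_after_force_logout"] = session_is_valid(old, bob, p, t0 + h)[1]
    return out
```

The point of the epoch check is that a force log-out needs no cookie clearing on the client: the server simply stops recognising cookies minted before the bump.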
7 Replies
Long_Nguyen
Contributor

Hope to have more discussion on our idea.

KhoaCaoQuang
Member

Looking forward to the HubSpot team engaging as soon as possible on this essential security feature!!!

KhoaCaoQuang
Member

Dear team,

I tried to log in after being deactivated, and it seems I succeeded, as per the screenshot. We are really confused.

KhoaCaoQuang_0-1642055618194.png

JacquelineOng
HubSpot Employee

Update - checked on this "remember me" function and our engineering team mentioned the cookie is stored for 180 days (6 months)

It's important to note that this "remember me" or remember device feature is not exclusive to HubSpot and is commonly seen across other platforms. Also, in general, this feature remembers the cookie and/or IP address of that login session. That said, this could certainly be useful to ensure security of users especially for large Enterprise accounts.

On that note, if you have questions about logging in/2FA or need assistance that are not directly related to this feature request, the best channel to get help is by filing a new Support ticket with our team so we can take a look at your specific set-up & see how to better advise. Thank you!

SMussler
Participant

@JacquelineOng that is a really weak way to handle security in my opinion.

A session cookie longer than 24h opens a very wide door for a session take-over. And just because "others are also not good in security" I strongly suggest that HubSpot finally steps up and secures the important data of their customers - it is our customer data you are handling! If you are hacked, we might be out of business because of it.

I would really push the HubSpot team to enable a forced log out at least every 24h and in addition give the super admin the option to do so as well.

The security set-up as it is, is really weak!

SWJSmith
Member

Upvoting this. We have seen challenges with 2FA and not being able to force-expire sessions, and finding out 6 months is your life is a big risk, especially with the session take-over risks; they need to be much shorter times, and we need to be able to hit reset on a user or the entire account if we have a risk.

YMontgomery84
Participant

Also facing the same issue as a systems admin. Unable to enforce 2FA