HubSpot Ideas

JacquelineOng

Force log out users without 2FA enabled

Posting on behalf of a customer:


Goal:

  • Have all users in the portal enable 2FA 

Situation:

  • Super Admin has enabled portal-wide 2FA, which will send out an email and in-app notification to the user to prompt them to set up 2FA. Users have a 24h grace to do so. After 24h if they have not yet set it up, users will be asked to set up 2FA when they try to log in to HubSpot.

Roadblock:

  • 75% of active users do comply and set up 2FA. However, some users who are already logged into HubSpot (meaning that their last login was prior to the 2FA setting being turned on) and who are active in the account (looking at the "Last Active" column in user settings) can still use HubSpot without having 2FA set up.
  • This could be because they had previously selected the "Remember Me" checkbox when signing in and did not clear their browser cache or cookies, which remembers their login preferences for up to 30 days, and thus they are able to remain logged in without setting up 2FA.
  • Essentially, out of security concerns, the customer wanted to kick users out of HubSpot and have them re-login again if they did not set up 2FA within 24h of them turning it on.

To quote user:

  • "If we allow 30 days for users to voluntarily do the setup there may be a breach of security in the grace period. In addition, I understand from your point of view that HubSpot should not have much impact on customers' operations.
  • However, from the administrator's point of view, we would like to make our action come into effect as soon as possible. The administrator authority on the HubSpot platform should not be controlled outside the platform (i.e. using email via MS Outlook)"
  • To summarize our idea again: (1) force log out after 24 hours since the toggle is on; (2) if you cannot clear the login cookies, then there should be a session timeout. In this case, the parameter is set to 30 days and we suggest reducing it to 3 days or 7 days.
    • Regarding (1), I would like to request a "force log out" button under the "2FA require" toggle for the Super Admin to do that. Then the option is available and the decision-maker will be the Super Admin. HubSpot allows the customer to do so but will not be blamed for the customer's decision.
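One way to model the policy the customer is asking for (sessions issued before the toggle was switched on, a 24-hour grace period, and a session lifetime shorter than 30 days), as an added illustration that is not HubSpot's code or the poster's. The names `Policy`, `User`, `Session`, `session_verdict` and `sessions_to_revoke`, and the sample accounts and timestamps, are all constructed for this example:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    # When the Super Admin switched the portal-wide 2FA requirement on; None = not required.
    two_fa_required_since: Optional[datetime]
    # Grace period in which an unenrolled user may keep working (24h, as in the post).
    grace: timedelta = timedelta(hours=24)
    # Hard cap on session age; the post asks for 3 or 7 days instead of 30.
    max_session_age: timedelta = timedelta(days=7)


@dataclass(frozen=True)
class User:
    user_id: str
    two_fa_enrolled: bool


@dataclass(frozen=True)
class Session:
    session_id: str
    user_id: str
    issued_at: datetime  # when the user last authenticated (e.g. with "Remember Me")


def session_verdict(session: Session, user: User, policy: Policy, now: datetime) -> str:
    """Return "ok", or the reason this session must be terminated.

    Evaluated on every request, so a session issued before the toggle was
    switched on is caught as soon as the grace period ends, rather than
    surviving until its cookie expires.
    """
    if now - session.issued_at > policy.max_session_age:
        return "expired"
    if policy.two_fa_required_since is not None and not user.two_fa_enrolled:
        deadline = policy.two_fa_required_since + policy.grace
        if now >= deadline:
            return "2fa_required"
    return "ok"


def sessions_to_revoke(sessions: List[Session], users: Dict[str, User],
                       policy: Policy, now: datetime) -> Dict[str, str]:
    """Sweep all live sessions and report which ones must be killed, and why.

    This is the work a "force log out" button under the 2FA toggle would do.
    """
    verdicts: Dict[str, str] = {}
    for s in sessions:
        verdict = session_verdict(s, users[s.user_id], policy, now)
        if verdict != "ok":
            verdicts[s.session_id] = verdict
    return verdicts


def demo(hours_after_toggle: float = 25) -> Dict[str, str]:
    """Run the sweep over constructed data at a chosen time after the toggle."""
    toggle_on = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = Policy(two_fa_required_since=toggle_on)
    users = {
        "alice": User("alice", two_fa_enrolled=True),
        "bob": User("bob", two_fa_enrolled=False),
        "carol": User("carol", two_fa_enrolled=True),
    }
    sessions = [
        Session("s1", "alice", toggle_on - timedelta(days=2)),   # enrolled, fresh session
        Session("s2", "bob", toggle_on - timedelta(days=2)),     # logged in before toggle, never enrolled
        Session("s3", "carol", toggle_on - timedelta(days=20)),  # enrolled, but 20-day-old "Remember Me" session
    ]
    now = toggle_on + timedelta(hours=hours_after_toggle)
    return sessions_to_revoke(sessions, users, policy, now)


if __name__ == "__main__":
    print(demo())      # {'s2': '2fa_required', 's3': 'expired'}
    print(demo(23))    # {'s3': 'expired'}  (bob is still inside the grace period)
```

The point of checking the verdict on every request rather than only at login is that the pre-existing "Remember Me" session in the roadblock above gets terminated 24 hours after the toggle regardless of when its cookie was issued; the separate `max_session_age` cap handles the customer's second suggestion independently.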
3 Replies
Long_Nguyen
Contributor

Hope to have more discussion on our idea.

KhoaCaoQuang
Member

Looking forward to the HubSpot team engaging as soon as possible on this essential security feature!!!

KhoaCaoQuang
Member

Dear team,

I tried to log in after being deactivated, and it seems I succeeded, as in the screenshot. We are really confused.

[attached screenshot: KhoaCaoQuang_0-1642055618194.png]