Two-factor authentication for HubSpot portal

I was surprised this wasn't already a feature of HubSpot, especially where our databases are filled with our lead's information. I would like HubSpot to add 2FA to their system. Something we can integrate with Google Authenticator would be ideal. It adds an extra layer of security that we would appreciate. 

60 Comentarios
Colaborador ocasional

@dilloncompton thanks!

 

Super happy this rolled out. I am implementing hubspot across the organization (not just sales) and the roll out of this feature will make it easier to get buy-in. 

 

Nuevo colaborador

Great news this has been rolled out.

 

Is it possible to mandate across the account so all users need to specify a second factor device?

Nuevo colaborador

Absolutely delighted to see this finally rolled out. I'll submit feedback as I test!

Equipo de producto de HubSpot
Equipo de producto de HubSpot

@tonyhunter it is not currently possible to require your users to use two factor authentication. We have heard this feedback during the beta, and will likely support it in the future.

Nuevo colaborador

@dilloncompton great, thanks for confirming quickly.

Colaborador ocasional

We’d really like a SAML identity source so we can manage users centrally and make 2FA mandatory, plus use the more sophisticated features our SSO product gives us. Will this be happening do you think?

Equipo de producto de HubSpot
Equipo de producto de HubSpot

@moodoir There is a separate thread for SAML authentication on the ideas forum already (https://community.hubspot.com/t5/HubSpot-Ideas/SAML-authentication/idi-p/20389), and we look at it as a pretty distinct feature from 2FA. We have heard the feedback for SSO, but don't have specific plans/timelines we can share. 

Colaborador ocasional

Hi there' OK thanbks for the feedback. 

Equipo de producto de HubSpot
Equipo de producto de HubSpot

@moodoir no problem! We do hope to provide SSO functionality in the future, just no concrete timelines yet!

Colaborador ocasional

Hi Dillon, is this out of beta testing now? Thanks.

Equipo de producto de HubSpot
Equipo de producto de HubSpot

@moodoir yes, it's been released to all HubSpot users at this point. Even though it's no longer in beta, we practice iterative development so feedback is always helpful, and we're likely to make changes/improvements in the future. Feel free to shoot me a message or post here if you have any feedback!

Colaborador ocasional

@dilloncompton when will we be able to enforce two factor on all new users? 

Equipo de producto de HubSpot
Equipo de producto de HubSpot

Hi @Maurits,

 

Please see: https://community.hubspot.com/t5/HubSpot-Ideas/Two-factor-authentication-for-HubSpot-portal/idc-p/18...

We have heard the feedback but there is not yet a timeline for this change.

Nuevo colaborador

While I realise I can't enforce 2FA on all users at the moment is it possible to check which users have enabled 2FA?

Nuevo colaborador

to second what neilw is saying - it would really nice to see who has it enabled.

 

It would also be nice for Super Admins to:

  • Be able to force a user to re-enroll (say if they lose their phone and don't have backup codes)
  • Disallow SMS and mandate an authenticator app as a method as the SMS method has been proven to have some vulnerablities. 

Lastly the use of Language which specifies Google Authenticator is confusing to less technical users. Other Authenticator Apps work (Microsoft, Salesforce, Duo). Referring to it as Authenticator App would be less confusing.

 

Colaborador ocasional

Agree with TB1.

I forgot my phone the other day and it was a 48 hour turnaround time by HubSpot. I had to ask an external admin to register me on my personal email address to get back in. All a bit painful really. There has to be a better back up plan.

 

Colaborador ocasional

Although having 2FA now available via SMS, our company uses Duo Access Gateway and unfortunately I've just heard this isn't on HubSpot's roadmap. Surely this isn't a big development?

Nuevo colaborador

Ref 2FA

Just to let the forum know we have got fed up waiting for Hubspot to deal with this and have cancelled and are implementing Salesforce who have proper 2FA which we will be operating through OKTA.

I suggest that all of you concerned about security and user managment urgently consider moving away from Hubspot. The cost of not doing so could far outweigh the cost of moving.

Empleado de HubSpot
Empleado de HubSpot

Hey all! I wanted to update on this thread to solicit some feedback around a new 2FA development we're currently rolling out. It will allow admins on an account to assist their users with getting their 2FA removed, & not require contacting the HubSpot support team. Currently, this functionality is available only for users who are on one HubSpot account. If you'd like to try this new functionality, please shoot me a direct message including your hub ID, & I can get you set up.

Nuevo colaborador

Why does Hubspot not have this sorted, user provisioning also needs to be addressed