Two-factor authentication for HubSpot portal

I was surprised this wasn't already a feature of HubSpot, especially where our databases are filled with our lead's information. I would like HubSpot to add 2FA to their system. Something we can integrate with Google Authenticator would be ideal. It adds an extra layer of security that we would appreciate. 

59 Commentaires
Contributeur occasionnel

@dilloncompton thanks!

 

Super happy this rolled out. I am implementing hubspot across the organization (not just sales) and the roll out of this feature will make it easier to get buy-in. 

 

Nouveau contributeur

Great news this has been rolled out.

 

Is it possible to mandate across the account so all users need to specify a second factor device?

Nouveau contributeur

Absolutely delighted to see this finally rolled out. I'll submit feedback as I test!

Équipe de développement de HubSpot
Équipe de développement de HubSpot

@tonyhunter it is not currently possible to require your users to use two factor authentication. We have heard this feedback during the beta, and will likely support it in the future.

Nouveau contributeur

@dilloncompton great, thanks for confirming quickly.

Contributeur occasionnel

We’d really like a SAML identity source so we can manage users centrally and make 2FA mandatory, plus use the more sophisticated features our SSO product gives us. Will this be happening do you think?

Équipe de développement de HubSpot
Équipe de développement de HubSpot

@moodoir There is a separate thread for SAML authentication on the ideas forum already (https://community.hubspot.com/t5/HubSpot-Ideas/SAML-authentication/idi-p/20389), and we look at it as a pretty distinct feature from 2FA. We have heard the feedback for SSO, but don't have specific plans/timelines we can share. 

Contributeur occasionnel

Hi there' OK thanbks for the feedback. 

Équipe de développement de HubSpot
Équipe de développement de HubSpot

@moodoir no problem! We do hope to provide SSO functionality in the future, just no concrete timelines yet!

Contributeur occasionnel

Hi Dillon, is this out of beta testing now? Thanks.

Équipe de développement de HubSpot
Équipe de développement de HubSpot

@moodoir yes, it's been released to all HubSpot users at this point. Even though it's no longer in beta, we practice iterative development so feedback is always helpful, and we're likely to make changes/improvements in the future. Feel free to shoot me a message or post here if you have any feedback!

Contributeur occasionnel

@dilloncompton when will we be able to enforce two factor on all new users? 

Équipe de développement de HubSpot
Équipe de développement de HubSpot

Hi @Maurits,

 

Please see: https://community.hubspot.com/t5/HubSpot-Ideas/Two-factor-authentication-for-HubSpot-portal/idc-p/18...

We have heard the feedback but there is not yet a timeline for this change.

Nouveau contributeur

While I realise I can't enforce 2FA on all users at the moment is it possible to check which users have enabled 2FA?

Nouveau contributeur

to second what neilw is saying - it would really nice to see who has it enabled.

 

It would also be nice for Super Admins to:

  • Be able to force a user to re-enroll (say if they lose their phone and don't have backup codes)
  • Disallow SMS and mandate an authenticator app as a method as the SMS method has been proven to have some vulnerablities. 

Lastly the use of Language which specifies Google Authenticator is confusing to less technical users. Other Authenticator Apps work (Microsoft, Salesforce, Duo). Referring to it as Authenticator App would be less confusing.

 

Contributeur occasionnel

Agree with TB1.

I forgot my phone the other day and it was a 48 hour turnaround time by HubSpot. I had to ask an external admin to register me on my personal email address to get back in. All a bit painful really. There has to be a better back up plan.

 

Contributeur occasionnel

Although having 2FA now available via SMS, our company uses Duo Access Gateway and unfortunately I've just heard this isn't on HubSpot's roadmap. Surely this isn't a big development?

Nouveau contributeur

Ref 2FA

Just to let the forum know we have got fed up waiting for Hubspot to deal with this and have cancelled and are implementing Salesforce who have proper 2FA which we will be operating through OKTA.

I suggest that all of you concerned about security and user managment urgently consider moving away from Hubspot. The cost of not doing so could far outweigh the cost of moving.

Salarié HubSpot
Salarié HubSpot

Hey all! I wanted to update on this thread to solicit some feedback around a new 2FA development we're currently rolling out. It will allow admins on an account to assist their users with getting their 2FA removed, & not require contacting the HubSpot support team. Currently, this functionality is available only for users who are on one HubSpot account. If you'd like to try this new functionality, please shoot me a direct message including your hub ID, & I can get you set up.