HubSpot has an "Enforce Two-Factor Authentication (2FA) for All Users" security option but (and I have followed this up with Hubspot Support who have agreed with my observation) it is ineffective since:
a) Users can bypass this control simply by selecting "Remember me" at login time.
b) Users can authenticate using only their password on mobile devices, once again bypassing the 2FA requirement.
This lax approach to security policy enforcement may put Hubspot customers (err... me!) at risk of legal action. Consider the scenario where my organisation attempts to appropriately protect the PII of its clients (those whose data we have stored in Hubspot) by enforcing 2FA, as per legislative requirements such as the APPs (Australia) and the GDPR (Europe). Aside: Such 2FA requirements for the protection of PII are also generally found in cyber-insurance policies.
Now consider the case that an employee disregards the director's instruction not to use the "Remember me" security bypass hack and/or uses their password to authenticate to the mobile app, and that later, the employee falls foul of a phishing or password spray attack.
That user's Hubspot account can now be compromised by the attacker, and the HubSpot customer (the user's employer) may be exposed to legal action because they will be unable to show that they protected the exposed PII according to legislation and insurance requirements. Instead, the plaintiff lawyers will show, correctly, that in fact the customer (employer) allowed access to PII via nothing except a stored cookie.
It's nearly March of 2024 and breaches of PII are a weekly (if not more frequent) occurrence. I can see no possible way that, if the PII that is in our care is breached, I will be able to defend myself against an accusation of negligence, if the only defence I have is that I told non-technical sales staff to delete a certain cookie every eight hours.
My insurance, the APPs and our PCI DSS compliance requirements demand that I actually implement effective 2FA and logging (and I'll raise another issue about security logs later!) and I am very concerned that allowing users to bypass the 2FA security setting will land me deep in lawyer **bleep** if a user account is breached and the PII in our care ends up on the dark web.
I strongly recommend Hubspot configure the security settings so that the settings do what they say on the tin: Specifically, disallow security bypass hacks and password-only authentication on both web and mobile apps, and enforce 2FA on every login.
Cheers!
Tim.
PS: Considering the fact that it's a big deal nowadays, Hubspot might also want to have a category below for "Security". For now I'll log this under Hubspot Support.
I have the same issue and concern about it. The possibility of users removing their 2FA setup or skipping the prompt that was supposed to enforce 2FA setup is a huge lack of security. If there is an option that is supposed to Require 2FA to log in, it should only allow users to log in after setting it up and not allow them to skip or remove it.
Also, it doesn't matter if the user is logging on with a third-party provider such as Google or any SSO. If the option "Require 2FA" is flagged, the user should have to have the 2FA set ALWAYS.
Please HubSpot, fix this asap. It's about security.