Email-based TOTP overview
The email-based time-based one-time passcode (TOTP) login method generates a one-time temporary code and sends it to the user’s email for each login attempt. The user must enter the code received to log in to Smartsheet successfully.
Unlike the traditional password login method, email-based TOTP significantly reduces the risk of phishing, password theft, and intruder access. This is because users must access their email inbox to obtain the temporary code, which adds a layer of security that is harder for attackers to compromise.
Who can use this?
Plans:
- Smartsheet
Permissions:
- System Admin
We plan to remove the ability for users to log in to Smartsheet through the password-based login method later this year. Smartsheet will communicate the cutoff date well in advance once the timing for this has been finalized. Until then, the existing password-based login fallback mechanism remains the same.
Things you should know
- Email-based TOTP doesn't support the User Auto-Provisioning feature.
- To sign in using TOTP, users must have previously set a password for their Smartsheet account and accepted the User Agreement policy. New users will only receive their TOTP after completing these steps.
- By default, TOTPs are only valid for 10 minutes. System Admins can’t edit this setting.
- If a user incorrectly enters the code three consecutive times, they must wait 10 minutes to request a new TOTP.
- If you've configured email filters that block Smartsheet emails coming from system@system.smartsheet.com, users won’t be able to receive their TOTP through email.
If users receive multiple TOTPs because of delays in email delivery, note that earlier codes are not invalidated when a new one is requested; each code remains valid until its own 10-minute expiry. However, users are advised to always use the latest code they've received.
The email-based TOTP doesn’t change any existing single sign-on (SSO) methods, such as Google, Microsoft, or Apple; instead, it serves as an additional login option.
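To make the expiry and lockout rules above concrete, here is an added example of how a server-side verifier for emailed one-time codes can enforce them. This is illustrative code written for this article, not Smartsheet's implementation; it assumes that a locked-out user is refused both new codes and verification attempts for the lockout period, and that a code is consumed on first successful use.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 10 * 60     # codes are valid for 10 minutes
MAX_FAILED_ATTEMPTS = 3        # three consecutive wrong entries ...
LOCKOUT_SECONDS = 10 * 60      # ... then wait 10 minutes for a new code


@dataclass
class UserOtpState:
    codes: list = field(default_factory=list)   # outstanding (code, expires_at)
    failed: int = 0                             # consecutive wrong entries
    locked_until: float = 0.0


class EmailOtpVerifier:
    """Assumed model of an emailed-OTP policy, not a vendor implementation."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so the policy is testable
        self.users = {}

    def issue(self, email):
        """Generate a new 6-digit code; returns None while the user is locked out."""
        st = self.users.setdefault(email, UserOtpState())
        now = self.clock()
        if now < st.locked_until:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        # Earlier codes stay in the list: they expire on their own schedule.
        st.codes.append((code, now + CODE_TTL_SECONDS))
        return code

    def verify(self, email, submitted):
        """True if `submitted` matches an unexpired, unused code for this user."""
        st = self.users.setdefault(email, UserOtpState())
        now = self.clock()
        if now < st.locked_until:
            return False
        st.codes = [(c, exp) for c, exp in st.codes if exp > now]   # drop expired
        for i, (code, _) in enumerate(st.codes):
            if hmac.compare_digest(code, submitted):   # constant-time compare
                del st.codes[i]                         # one-time: consume on success
                st.failed = 0
                return True
        st.failed += 1
        if st.failed >= MAX_FAILED_ATTEMPTS:
            st.failed = 0
            st.locked_until = now + LOCKOUT_SECONDS
        return False
```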
Manage email-based TOTP login across your domains
Non-Enterprise plans have email-based TOTP enabled by default and can't deactivate any supported login method. Enterprise plans, however, can choose; this is currently supported at two levels: plan level and domain level.
Email-based TOTP is currently not supported on the mobile app.
Here's what you need to know as System Admin of an Enterprise plan:
- At the plan level, the activation and deactivation of password-based and email-based TOTP login methods are interconnected. It’s impossible to activate email-based TOTP while disabling the password-based login method. If you simply wish to enable TOTP for your domain, you must follow the steps on activating email-based TOTP login at the domain level.
- Email-based TOTP will be automatically enabled for Enterprise plans where the traditional password login method is currently active at the plan level.
- In Enterprise plans where the password login method has been previously deactivated, email-based TOTP will also be disabled by default. However, System Admins of those plans can choose to activate both login methods simultaneously at the plan level if needed.
To activate email-based TOTP login at the domain level
- In Admin Center, select .
- Navigate to Settings > Authentication.
- Scroll down to the One-time password via email tile and use the Select domain drop-down menu to add email-based TOTP to any listed domains. Note that validated and activated domains populate the list automatically.
To deactivate email-based TOTP login
- In Admin Center, select .
- Navigate to Settings > Authentication.
- Scroll down to the One-time password via email tile and use the Select domain drop-down menu to remove email-based TOTP for any listed domains.
- Select Disable.
Manage email-based TOTP login across your plan
At the plan level, the email-based TOTP and password-based login methods can only be enabled or disabled together, not separately.
To activate or deactivate email-based TOTP login at the plan level
- In the Smartsheet app, select Account at the screen's bottom left corner.
- Navigate to Plan & Billing Info… > Security Controls.
- Select Edit next to Authentication.
- Use the Email + Password/One-time Password via Email checkbox to activate or deactivate the authentication method.