Ability to Reset/Disable/Force 2FA for non-Enterprise Admins

I’m here because this has had a direct adverse impact on our use of Asana here lately. I see where the ability to reset user passwords and 2FA settings is an Enterprise Level/cost additional feature. I can’t imagine I will be alone in thinking that’s a real problem. I do completely understand why Asana might adopt a tiered pricing model for special advanced features; and believe me when I tell you - if our small business could shoulder that cost, we would scoop up those sweet Enterprise features in a heartbeat.

But this seems like a very basic administrative task and we’ve recently lost some serious time to its absence. Managing team and application security shouldn’t be a cost-additional “extra”.

Last week when this happened, where a user validated by me was locked out for a problem with her 2FA setup, we waited 12 hours or more for a response. That’s a very bad look on you, Asana. Clearly your support team is very busy and from my own time supporting users, I know this is the kind of thing that needlessly consumes their time. This seems like low hanging fruit in an effort to recapture that time AND serve your customers better.

I want to take a minute to say that this is all true for us because we value Asana so much in our day-to-day work. So, really, thanks for an otherwise great product. It’s precisely because it is so great that this issue frustrates me so much.

2 Likes

Hi @Clark_Morgan1, thanks for taking the time to provide this feedback, as well as the context around why this feature would benefit your company!

Although our Product team doesn’t plan to offer 2FA and password reset to Basic, Premium or Business tiers at this time, we do hear and appreciate your feedback. For context, these features are available to Enterprise users as this subscription tier is catered to larger organizations that need additional security and control.

I’ll keep you posted and let you know if we have any updates on this in the future 🙂

I completely agree with you, @Clark_Morgan1 . I’m running into this exact issue for an employee that got a new phone, and the authenticator app didn’t carry the 2FA records over.

@Rebecca_McGrath is the solution for these scenarios for non-Enterprise tiers to contact Support to have 2FA reset?

3 Likes

Hi @anon70644524, yes - you can contact our Support team if you’re having trouble with 2FA 🙂

Hi @Rebecca_McGrath,

I agree with the previous messages: your implementation of the MFA is unusable. Without any means to reset the MFA for a user (security key, recovery codes etc.), except having an Enterprise plan, it isn’t wise for a user to activate it. Having to contact support in case of a problem is extremely inefficient, for the user and for the Asana support, but I’m sure you already know that.

This Enterprise thing to be able to reset the MFA is also quite weird: making the security of your application depend on money is entirely wrong nowadays. That forces users to decrease their level of security to avoid a lockout, and everybody loses here, Asana included. Btw, Asana is already a member of the SSO Wall of Shame; there is probably something to work on here.

3 Likes

With the recent changes to the plans/editions I felt compelled to bring this question to the Asana product management team.

We use Asana for our business and I’m a champion of it for our clients. We are a cybersecurity consulting firm. We tell every single client that every cloud app should offer and require 2FA/MFA because it is the de facto standard to prevent security breaches.

From our perspective, a basic foundational function should not be used to urge customers to move to a higher-priced tier. It’s in Asana’s best interest and ALL your customers’ critical requirements to prevent data loss and improve privacy.

I think all of us in the cybersecurity biz would appreciate if you could reconsider your position and allow all tier admins to turn on “Force 2FA.”

Best,
Jerry

5 Likes

I second this!! We are newer to Asana (Business plan) and are trying to both implement Asana and enforce safer security measures overall for our Support team. Not having MFA available on a platform where we are trying to encourage staff adoption for projects that could contain confidential information feels like an unnecessary risk…

3 Likes

@Jerry_Sanchez,

I agree, and I moved your request to Product Feedback so we can vote (I just did) at the top of the thread using the purple Vote button. (I adjusted the title too; hope that’s ok.)

Thanks,

Larry

4 Likes

I completely agree. This needs to change. We asked Asana about this some time ago and were told that we can manually follow up with each of our team members to enable 2FA on their own if we did not want to be on the Enterprise plan.

We’re on the Business plan and we are happy to pay for the great features Asana is releasing. With that said, forced MFA should be a built-in feature for all plans. Security needs to be an expectation and not a paywalled feature that results in limited adoption.

Companies are getting hacked every single day, and policies like this result in vulnerabilities for the vast majority of orgs using Asana.

I completely agree with this notion! There are so many other companies that are pushing 2FA onto all their platforms’ users given the climate that we continue to be in. This would just make sense for Asana to do as well in order to protect their customers and our users better.

Sure! You can turn on 2FA manually, but in organizations that don’t have an IT Department or those that may not have the resources to dive into the cybersecurity topics, forcing this option would be highly beneficial.

I would also like to see a Single Sign On option available at least for those in the Business (now called Advanced) tier.

I’m really glad to see this topic heating up again after just over 2 years. If I had known what a burden this would become before we became so entrenched in Asana, we would have gone in another direction. The message being telegraphed by limiting access to core 2FA administration is that you’re not taking security seriously. Surely potential new customers should find that concerning. I hope this new attention will drive the point home.

Hello @Rebecca_McGrath,

I understand that security features such as the ability to pull Audit Logs via the API into a SIEM are generally needed only by Enterprise customers to perform additional analysis around the overall security posture. It makes sense this is only available to Enterprise plan customers.

But if user account credentials are compromised (which is very common), the ONLY way to mitigate a breach is 2FA/MFA. This is a critical vulnerability for EVERY Asana customer. Every major SaaS application allows admins to require MFA (many do this by default).

By not allowing your paying customers to force 2FA, Asana is complicit in allowing bad actors to perform a data breach.

-Jerry

Let me add my voice as a Business-tier user to request that this feature be implemented across all tiers. For a SaaS solution in 2024 to hide what should be considered a basic security feature behind tier-pricing is not a great look.