Asana Security Two Factor Authentication

@Marie with respect, Iā€™m sure @Mike_Solomon is aware of the limited options available in Asana (google and SAML). It is absolutely ridiculous that Asana still doesnā€™t offer 2FA. Itā€™s a fundamental feature of any modern platform and a security catch all for those that donā€™t use or have an identity provider. For such a great platform, this is a completely bizarre omission.

1 Like

Just getting to grips with Asana, my first thought was, right, I need to know my data is safe here so where is the 2FA? Canā€™t believe itā€™s not an option, makes me very wary to put so much data here.

2 Likes

Thank you for this thread. I am looking for a ā€œto do programā€ with an eye towards some project management features for personal use. Number 1 on the list of features is 2FA. This thread has saved me the time and effort of looking at Asana, which is a pity since it has been reviewed so favorably. Just like you would not have a user account without a password, any cloud service MUST implement secure 2FA with something like Google/Microsoft Authenticator.

A customer uses Asana and recommended it. Came to find out more about it but could not determine how to set up two factor, and then I found this thread. I found it quite surprising that here we are in 2020, where even my local county government has two factor to pay my water bill, that an entity selling a web-based service / SaaS app, vying for enterprise business, considers their customersā€™ security an up-charge item. Itā€™s fairly mind boggling.

3 Likes

I LOVE ASANA, and I use it all the time, every day. BUT I have been very frustrated that ASANA does not secure its login authentication with 2FA/MFA like Google Authenticator, DUO or even SMS (which is better than nothing). I wish everyone would please support this as an immediate feature request. I pay a lot of money and I cant believe you cant secure my identity with 2FA/MA. I have politely submitted 2 support/feature requests in the past half year. and Nothing seems to be done about it.

1 Like

I would support an optional Account 2-Factor Authentication as projects can hold commercially sensitive information.

Hi @Dimitrios_Hilton, welcome to the forum and thanks for taking the time to share your feedback with us!

We have an existing thread related to this topic. Iā€™ve gone ahead and merged your thread with Asana Security Two Factor Authentication to centralize votes!

+1. Asana team should add 2FA asap. Itā€™s 2020 and all major platform have 2FA authentication.

A company not placing importance security for all of its users, or worse, only prioritizing paying users does carry a bad smell. The only worse thing would be asking users to pay for a secured https connection to the platform. Weā€™ve been using the free version for years, then upgraded to premium a year or two ago. Weā€™ve been very happy with it despite the lack of MFA. However our parent company is beginning to review use of external SaaS apps and requiring MFA on all. So, weā€™ve got a ticking time clock on our end before this might be turned off not of our own choosing. Come on, this seems silly guys @Asana. ā€¦ And no, we donā€™t use GSuite, we use O365 like many other lovely corporations. Requiring an upgrade to the invisible sticker price of ā€œEnterpriseā€ to use SAML with Azure AD also smells poorly guys. Come on, this seems silly guys @Asana.

2 Likes

Giving it a push again and trying it from a different angle even though 2FA should really be standard, standard.

Team Asana, please think about some bad publicity when a major Asana customer has a data breach due to missing 2FA. This will not be good for the planned IPO.

I guess Asana would like to be the next Sendgridā€¦ https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/

Absolutely agree here. I cannot believe this forum has been going on since 2017 and Asana has yet to add it universally for all levels. Forcing an increase to $49.99 per person which is more than double to price of what people are paying to allow for this is an absolutely unacceptable response. In this day and age of cyber attacks and hackers, not having 2 factor is a dangerous proposition. I strongly recommend you allow Office 365 syncing like you do Google, so then you dont have to worry about it and you allow it at all levels of Asana. If a clientā€™s information is hacked on your site, it will be too late.

2 Likes

I do not understand how an application like Asana do not have this on as something you can add for any paying subscriber level. It is not something you think you would have to ask for 2020 and it should not come with an additional cost, it is not that complicated to build or support.

1 Like

I donā€™t understand why is 2FA so difficult to implement. Need this asap or else will start looking for another appā€¦ ton of other PM apps out there

PLease ASANAā€¦ you MUST implement the 2FA function as soon as possible. Itā€™s a mandatory stuff in 2020, you canā€™t leave this thread without clear answer otherwise, at the end, people will think you are hiding somethingā€¦ Enable 2FA with TOTP and U2F device like YUBIKEY, i repeat, this is mandatory in 2020 and much more in 2021, cyber threats are growing more and more.

2 Likes

Not having 2FA is absurd, please implement this, itā€™s supposed to be really simple.

Asana Team - As of this week, ALL companies doing business with the US Department of Defense are required to comply with NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1. This means that in the absence of an acceptable multi-factor authentication solution, thousands of companies like ours must cancel our Asana subscriptions and move to something else. We are about to move to JIRA for this reason. We really wish you had listened to the feedback here, as we liked Asana.

1 Like

Itā€™s absolutely ridiculous that MFA is not supported in any shape or form with the basic product. The security landscape today requires it. Not having it is deliberately negligent at this point.

1 Like

If only they knew how many enterprise customers were turned away by this. Even with Google SSO/SAML, it isnā€™t all that secure as Google accounts are fairly susceptible. 2FA forces human intervention every sign-on, while the former are automated and if compromised, complete useless.

Are there any plans to implement 2FA - if not we will need to cancel immediately.