Allow more 2FA Options
planned
Nigel Moore [Tech Tribe]
Whilst the recent enforcement of 2FA (via email) is a welcome addition to the security of High-Level, email-based 2FA is unfortunately one of the least secure 2FA methods.
So, please add more 2FA options.
Including at a minimum TOTP codes (a global standard) that people can use through whatever TOTP App they use.
(E.g. Authy, Duo, Google Authenticator, Microsoft Authenticator etc).
And at the same time, please:
- Allow an agency to select what 2FA options they will allow to be used across their clients.
- Allow Admins of a sub-account to also have this level of functionality to select what 2FA options users in their Sub-Account can use IF the Agency gives it to them.
Mark Penney
To anyone reading this: you can set up a 2FA app (e.g. Authy, MS Authenticator, etc.) from the My Profile settings page.
Nicolas Castro
This is so so important in the world we live in today. TOTP is the baseline but newer 2FA implementations should also be added.
Jordan Smith
DATA EXPORTS SHOULD HAVE 2FA TO ENSURE THE SUB ACCOUNT OWNER MAINTAINS CONTROL WHEN DATA IS PULLED OUT OF THE SYSTEM.
Also Agency-Admin should get notification when a data export happens.
Yener Adal
This was marked as Planned in Sep 2023. It's now 2025. Surely this should be a higher priority than other feature requests?
Andron Ocean
Have to say I was very disappointed to discover that HighLevel does not offer any 2FA options beyond email and SMS. This needs to be prioritized. It's 2025.
In the United States, the FBI and CISA now officially advise individuals and businesses not to use SMS for authentication because it is highly insecure and often targeted for attacks by criminals and foreign espionage. The NIST has discouraged using SMS as a second factor since 2016.
Email should never be considered a legitimate second factor, because password reset also happens over email. If a HighLevel user's email account is compromised, it's game over.
HighLevel deals with a lot of financial and personal data for its own direct customers, agencies' clients, and end-user contacts and customers. And there's a HIPAA-compliant mode, too, in which health data could be stored. All of this REALLY needs high-level protection (sorry, not sorry for the pun!)
Please offer standard one-time codes passkeys as an upgraded 2FA mode, and ideally add passkeys/security keys as an alternative.
Olivier Barbier
Security should be a major topic for High Level in today's world to protect customers' data.
Please complete 2FA with authentication apps but also security keys, and the capability for a subaccount admin to choose his method.
Jigar Shah
Yes, Google Authenticator or a similar option would be a good choice for login. However, it should remain optional. If the client prefers, they can receive an OTP via email, or alternatively, they can register for Google Authenticator to generate OTPs.
Terrance Wyatt
Yes, it seems insane this isn't HighLevel's number 1 priority given the amount of information stored in various accounts. Seems like the threat of multiple lawsuits.
G J
Sales & Marketing: Add 2FA using:
-> OTP apps (Google / MS Authenticator etc)
-> Security keys
- Hardware-based
- LC mobile app-based
- Phone-based (iCloud / Google account)
- Trusted device-based (such as a Mac / PC - Google, Stripe, etc all do this)
Remove Email & Text OTP
Damien Harrison
Rather than simple MFA, an option should exist to use SSO providers such as Microsoft or Google, allowing use of conditional access policies etc.