Mandatory Two-Factor Authentication
Skip ahead to:
- What is mandatory two-factor authentication?
- Who it is for
- What is an authentication code
- How it works for an Admin
- How it works for an existing user
- How it works for a new user
What is mandatory two-factor authentication?
We are making it easier for admins to mandate that all members and guests in their domains set up two-factor authentication (2FA). Enabling two-factor authentication means that Asana will ask for an additional code, in addition to email and password, when authenticating. We anticipate this to be particularly useful for guests who can’t be on SAML/SSO, as they don’t usually have an email address that belongs to the admin’s organization. Admins will need to make 2FA required by turning on this preference inside Security settings.
Who it is for
This is an Enterprise-only feature for security-conscious admins who want to add an additional layer of security for their users and domain. Requiring 2FA enforces two-factor authentication for both full members and guests logging in to domains that do not require SSO/SAML. For domains that require SSO/SAML, this feature enforces two-factor authentication only for guests logging in.
What is an authentication code
Asana's two-factor authentication relies on time-based one-time passwords (TOTP). These one-time numeric passwords are supported by authenticator apps such as Authy, Duo, Microsoft Authenticator and Google Authenticator using the TOTP standard (RFC 6238). 2FA will be enforced on users logging in on the web as well as through the mobile app.
How it works for an admin
Turning on 2FA as required for your organization
As an admin, you can turn on two-factor authentication from the Security tab in the admin console. You will also need to turn on 2FA for your own account before you can require it for your organization.
As a divisional admin, you will need to contact Asana support to enable 2FA as required for your organization. Please note that if you do this, 2FA will also apply to users outside your division.
Once 2FA is turned on, users (full members and guests) in your organization will receive an email asking them to enable 2FA for their account.
Asana will also display a banner informing users that they must set up 2FA for their account.
From this email, users can go to My Settings to set up and enable 2FA. Users may also be asked to set up 2FA when they log in to Asana. New users joining Asana and an organization that requires 2FA will be asked to set up 2FA during the account creation flow.
Users will need to set up 2FA by using a third party authentication app such as Duo, Authy, or Microsoft Authenticator.
If your organization is set up to require SSO or SAML then full members in your organization won’t be required to set up 2FA as they are already using a secure method to login to Asana. We will still enforce 2FA for any guests logging into Asana.
Any users (members or guests) in your organization who don’t set up 2FA within 7 days after the organization is set up to require 2FA will be logged out and will need to set up 2FA before they can log in to Asana. Additionally, if users do not set up 2FA within 14 days, their passwords will be invalidated and they will need to reset their password via the Forgot Password flow to log in again.
How it works for an existing user
If two-factor authentication is mandatory in an organization that a user belongs to, a user with an existing Asana account will need to set up two-factor authentication the next time they log in to Asana. The instructions below show how this can be done.
- As an existing user in Asana, you’ll be required to set up 2FA after an administrator of an organization you belong to makes two-factor authentication mandatory. The next time you log in to Asana, you’ll be asked to set up two-factor authentication.
- Search for an authentication app such as Duo, Authy or Microsoft Authenticator in the Google Play Store on Android, or the App Store if you're using an iPhone. Install and set up the app as directed by the app.
- You will then be asked to scan the barcode shown and add it to your authenticator app. After scanning the barcode from the Asana page, click Continue.
- On the next screen, enter the 6-digit code shown inside the authenticator app for this newly added Asana account. Once you enter the 6-digit code, click Continue.
- The next screen will confirm that two-factor authentication has been set up for your account. Asana will ask you for your email and password, as well as the authentication code from your app, every time you log in.
How it works for a new user
If two-factor authentication is mandatory in an organization that a user has been invited to, then the user who is new to Asana will need to set up two-factor authentication for their Asana account during the account creation process. The instructions below show how this can be done.
- Go to your email and open the Invite mail from Asana
- After clicking on Accept Invite, you will arrive on a landing page in Asana.com where you can continue signing up
- Continue your set up by entering your username and password on the next screen
- The next step in your setup is to follow the instructions to set up two-factor authentication for your account:
  a) Search for an authentication app such as Duo, Authy or Google Authenticator in the Google Play Store on Android, or the App Store if you're using an iPhone. Install and set up the app as directed.
  b) Once installed, scan and add the QR code provided on the Asana screen, or manually enter the secret key shown on the Asana screen into the authenticator app.
  c) Your app will display a 6-digit code for the added account that is valid for a few seconds only. Enter this 6-digit code on the Asana page and click Enable.
You will then see a screen confirming that two-factor authentication has been set up. Click Continue to carry on setting up your Asana account.
Can I turn on 2FA for my division?
Yes, 2FA required is available for Enterprise divisions. Division admins can request 2FA to be enabled by contacting Asana support. In this case, 2FA will be enabled for the entire domain (not just the division).
How will my users know that they need to turn on 2FA? How soon do they need to set up 2FA?
Users will receive an email asking them to set up 2FA after you turn on 2FA. All users within the domain will be logged out after 7 days if they do not set up 2FA.
What kind of 2FA will my users be asked to set up?
The second factor for authentication will come from third-party authenticator apps such as Duo, Authy, or Microsoft Authenticator that can be installed on the phone.
How can I see which users still need to turn on 2FA?
Admins can contact Asana’s support team to get a list of users who still need to turn on 2FA in their domain.
Will members in my org who login via SSO/SAML need to set up 2FA as well?
No, users (and guests) in a domain who only use SSO/SAML to log in will not need to set up 2FA.
How can users change their 2FA device?
Users can change their 2FA device via their Profile Settings.
On what platforms will 2FA be enforced?
Users will need to provide a 2FA code when logging in on web, desktop, and the Asana mobile app.