Allow more 2FA Options
planned
Nigel Moore
Whilst the recent enforcement of 2FA (via email) is a welcome addition to the security of High-Level, email-based 2FA is unfortunately one of the least secure 2FA methods.
So, please add more 2FA options.
Including at a minimum TOTP codes (a global standard) that people can use through whatever TOTP App they use.
(E.g. Authy, Duo, Google Authenticator, Microsoft Authenticator etc).
And at the same time, please:
- Allow an agency to select what 2FA options they will allow to be used across their clients.
- Allow Admins of a sub-account to also have this level of functionality to select what 2FA options users in their Sub-Account can use IF the Agency gives it to them.
Yener Adal
This was marked as Planned in Sep 2023. It's now 2025. Surely this should be a higher priority than other feature requests?
Andron Ocean
Have to say I was very disappointed to discover that HighLevel does not offer any 2FA options beyond email and SMS. This needs to be prioritized. It's 2025.
In the United States, the FBI and CISA now officially advise individuals and businesses not to use SMS for authentication because it is highly insecure and often targeted for attacks by criminals and foreign espionage. The NIST has discouraged using SMS as a second factor since 2016.
Email should never be considered a legitimate second factor, because password reset also happens over email. If a HighLevel user's email account is compromised, it's game over.
HighLevel deals with a lot of financial and personal data for its own direct customers, agencies' clients, and end-user contacts and customers. And there's a HIPAA-compliant mode, too, in which health data could be stored. All of this REALLY needs high-level protection (sorry, not sorry for the pun!)
Please offer standard one-time codes passkeys as an upgraded 2FA mode, and ideally add passkeys/security keys as an alternative.
Olivier Barbier
Security should be a major topic for High Level in today's world to protect customers' data.
Please complete 2FA with authentication apps but also security keys, and the capability for a subaccount admin to choose his method.
Jigar Shah
Yes, Google Authenticator or a similar option would be a good choice for login. However, it should remain optional. If the client prefers, they can receive an OTP via email, or alternatively, they can register for Google Authenticator to generate OTPs.
Terrance Wyatt
Yes, it seems insane this isn't HighLevel's number 1 priority given the amount of information stored in various accounts. Seems like the threat of multiple lawsuits.
G J
Sales & Marketing: Add 2FA using:
-> OTP apps (Google / MS Authenticator etc)
-> Security keys
- Hardware-based
- LC mobile app-based
- Phone-based (iCloud / Google account)
- Trusted device-based (such as a Mac / PC - Google, Stripe, etc all do this)
Remove Email & Text OTP
Damien Harrison
Rather than simple MFA, an option should exist to use SSO providers such as Microsoft or Google, allowing use of conditional access policies etc.
Marcus Sutherland
Any progress on this at all? This is a critical security issue and should be resolved. No proper 2FA in 2024 is just... It should be required for every user and login, as the system contains sensitive information such as names, addresses, payment details, etc. Please prioritise.
Jared Fu
As a digital agency working with multiple clients, security is a top priority for us. Implementing Two-Factor Authentication (2FA) across both agency and sub-accounts in GoHighLevel is crucial for several reasons:
We handle sensitive client data, including personal information, campaign details, and performance metrics. 2FA provides an added layer of security that helps prevent unauthorized access, ensuring that our clients' data remains secure.
Many industries are governed by strict data protection regulations. By offering 2FA, GoHighLevel can help agencies like ours comply with these regulations and avoid potential penalties.
Cyberattacks, including phishing and credential stuffing, are on the rise. 2FA makes it significantly harder for malicious actors to gain access to our accounts, reducing the risk of data breaches.
Security breaches can severely damage an agency's reputation. By implementing 2FA, GoHighLevel would demonstrate a commitment to security, helping agencies build and maintain trust with their clients.
With multiple team members and clients accessing GoHighLevel, enforcing 2FA helps ensure that everyone adheres to the same high security standards, reducing the likelihood of weak points in the system.
To maximize the effectiveness of 2FA, I recommend GoHighLevel support popular authentication apps like Google Authenticator, Authy, and Microsoft Authenticator. These apps are widely used and trusted, offering a convenient and secure way to manage 2FA codes. By integrating with these apps, GoHighLevel can provide users with a reliable and flexible solution for securing their accounts.
Given the importance of security in our industry, I strongly urge GoHighLevel to prioritize the implementation of 2FA with support for these authentication apps across all accounts. This feature would not only enhance security but also position GoHighLevel as a leader in protecting its users' data.
David Lee
For the love of all things holy, please add authenticator app support. 2FA by email is painful, and the web interface is poorly coded as it refreshes the 2FA input screen, making you think you have to do it again, when it's just a delay.
The question for HighLevel is whether or not this is going to make a revenue difference, and the answer is yes. Greater satisfaction and ease of use makes for happier clients and good word-of-mouth.
Email 2FA is also far more susceptible to being hacked, and that never ends well for anyone (and negatively impacts revenue).
Thank you!