21 Comments
- jirazazabal (Cloud Apps)
Regarding the comment:
"The majority of our customers use a SSO provider to log in to Sisense"
It's not true in our case. Almost all customers don't use SSO because they are using the tool for internal purposes only.
Best.
- dnatatravelbi (Data Storage)
For the dnata Travel Insight platform, which is both internal and external facing, in light of the recent security breach we are guided by our internal security team to implement MFA and 90-day password expiry within the Travel Insight (Sisense) product.
Can you please advise on the timelines for this feature within Sisense?
- piyushrajput (Data Storage)
"2FA is not currently on the product roadmap. The majority of our customers use a SSO provider to log in to Sisense, and currently our resources are focused on other projects that will impact greater portions of our users."
Well, that was just being lazy and passing on the responsibility to the end user for keeping the data secure. As a service provider, do you not feel even a little bit responsible for the platform's security? Am happy that this is getting another look.
In light of the recent breach, I would hope that platform security will be a priority and this feature gets the attention it deserves. Like most of the folks above, a setup that allows enabling MFA per user or a group of users or for one or more roles or for all the org would be ideal but will take what we can get quickly enough.
- smoensted (Data Storage)
Any updates on the roadmap status for this? It seems to be a long time ago that there was a commitment to implementing it...
- Oleksandr_K (Sisense Employee) Status changed: Needs Votes & Comments to Planned
Hi,
I’m happy to share that Two-Factor Authentication (2FA) is currently in active development and is planned for release in early 2026. (We will, of course, do our best to deliver it sooner if possible!)
I would like to share the major implementation concepts:
  - Who is this for?
    2FA will apply to native Sisense users only - those created in Sisense Admin and who log in with a Sisense username and password.
    Active Directory (AD) or Single Sign-On (SSO) users will be excluded. This is intentional, as their authentication (including any MFA) is configured and managed by their external identity provider.
  - Where will it be available?
    2FA will be available for both cloud and on-prem deployments, as long as an email server is configured for your instance.
  - What is the second factor?
    The second factor will be a secure, one-time code sent to the user’s email.
    Support for other methods (such as authenticator apps or SMS) is not planned at the moment.
  - How will I control the rollout?
    This was a key part of your feedback. To ensure a smooth rollout and flexible control, we are implementing two levels of management:
    - System-Level Toggle: The master switch that enables or disables 2FA across your entire deployment.
    - User-Level Configuration: Determines whether 2FA is required for an individual user.
    Admins will be able to manage individual user configurations through a “Require Two-Factor Authentication” control in the Users list (GUI) or via the API.
    The default value will be ON, allowing easy and secure enablement for the majority of users while still providing flexibility for exceptions (e.g., system, integration, or QA accounts).
- joeshepper (Cloud Apps)
Hi Oleksandr,
Thanks for your update on this feature.
Firstly, I’m pleased to hear our feedback has been taken on board and this has been put into active development. I have two points to raise off the back of this:
Firstly, my opinion is using email as a second factor (and having this as the only option) is a half-baked approach to 2FA. There is a flaw with this approach, in that if a user’s email is compromised, the attacker can both reset the account password AND receive a 2FA token to the email. This ‘single weak point’ goes against the spirit of 2FA in my view. Granted, this is more secure than not having 2FA at all, but has this weakness been considered by the team? (https://www.identityserver.com/articles/the-dangers-of-considering-email-as-two-factor-authentication)
Secondly, I appreciate it’s early days but it would be good to understand more about the mechanics of the rollout – specifically with the ‘default on’ approach. I am in a bit of an unusual position in that we have several thousand users of our platform and the majority will not want to use 2FA. Will I be able to control the rollout of this so that users receive no communications / prompts to use 2FA unless I decide to turn it on? (I don’t want the update landing, users being asked to use 2FA, and then me later turning it off). In other words, will I be able to configure this before it ‘goes live’ and starts affecting users?
Thanks again for the update on this - Joseph
- DRay (Sisense Employee) Status changed: New Idea to Declined
Hello Everyone,
Thank you for all the feedback around two-factor authentication.
2FA is not currently on the product roadmap. The majority of our customers use a SSO provider to log in to Sisense, and currently our resources are focused on other projects that will impact greater portions of our users.
We may revisit this in the future though, so keep an eye out for it in the future.
Thank you,
- DRay (Sisense Employee) Status changed: Declined to Needs Votes & Comments
- YuliyaMotiyets (Sisense Employee) Status changed: Needs Votes & Comments to Needs Info
- DRay (Sisense Employee) Status changed: Needs Info to Needs Votes & Comments
- soporteparaptx (Cloud Apps)
Hi,
You can see that CDT already had this feature in the tool's core.
https://dtdocs.sisense.com/article/two-factor
Best
- DRay (Sisense Employee)
Hi piyushrajput.
We appreciate your feedback, but please refrain from using insulting language.