Thanks for the suggestion @Allison Lempa!

At the moment, this is not something we are considering implementing natively. Because single sign-on (SSO) is included with all Guru plans, we recommend 2FA be implemented through your SSO provider for additional security.

I hope that is helpful context, but please let me know if you have any additional questions!

This is very unfortunate. There are a whole set of different challenges around SSO implementation which make it all the more difficult to collaborate with external parties. I know because I’ve done this many times in our organization. SSO is great if you are only using the platform internally, but when you also want to share externally using the domain allowlist you have built into your platform, have 2FA makes things work a lot more smoothly with external folks. Could you please re-consider your stance on this? It’s not hard to implement, and in fact even if we have the option to implement SSO, not everyone does, therefore by not having 2FA in your platform you might actually be increasing security risk by not implementing it. Happy to discuss in more detail anytime.

Thanks for sharing the specifics for your setup @DEREK ARSENAULT. I can see how the current option isn’t ideal for you. To offer some clarity, in this case the “Won’t Do” doesn’t necessarily mean that we’ll definitely never ever do this. Instead, it’s to show that at this point, we believe the SSO option works for most of our existing customers and prospects and we have no plans to add 2FA in the near term future. We didn’t leave the post as “Open” because it might have indicated that we don’t yet have a clear position on upcoming work related to this area, but I will update the status to “Open” in case others in the Community have similar use cases they would like to share. 

Thanks @Jon Saft please let me know if you would ever like to have a call to discuss. I can share more specifics on the use-cases / scenarios.

I feel like this should be a higher priority. It’s an easy implementation that will help increase security. We are soon making it a requirement that all applications need to have 2FA/MFA and I would hate to have to migrate away from a great platform because of something like this. SSO is not an option for everyone and the amount of industry information that gets put into our KB makes it very valuable for us to protect. 

Guru really excels with a lot of compliance & security aspects. It can easily create really simple documentation that is easily searchable and can require verification on certain time intervals. This is massive having such little friction on these features, which helps ensure the quality of the knowledgebase. 

It is mind blowing that simple MFA is not an existing feature in a product that ticks so many other boxes.

For reasons listed by others, SSO is not always a viable alternative. 

Lack of MFA is the sole reason we haven’t pursued creating any cards with anything even remotely sensitive, and not currently considering the paid version. We are beginning the process of investigating alternative vendors, which is unfortunate given how familiar I am with Guru, and otherwise very happy with the product.

Having just set up SSO, and learning how it works, this is way more inadequate than I realised.

You can’t enforce SSO on the Admin account. The Admin account, the most important account to be protected remains without MFA… How you managed a SOC II certification without MFA for administrator accounts is beyond me.

A breached admin account is going to compromise any Access Control Policy, as you can access all information, or edit permissions from the admin account and potentially make confidential information public. 

There is no documentation I can find on IP whitelisting (listed in your security features) which would at least help mitigate the lack of MFA by forcing log on from a trusted location, which mitigates external threats but not internal threats. I can’t tell if IP Whitelisting is in a premium tier or just genuinely doesn’t exist.

How are we supposed to accept that you take security seriously without allowing MFA for admin accounts?

I think it might be time for us to Leave Guru.  With the amount of Phishing attempts that happen every day, it’s just not worth staying on a program that can’t keep up with common security practices of the day.
 

You had so much potential Guru, but this seems like a huge miss on your part.