Email OTP verification coming to Autodesk!

stephen_ch_yuen · ‎02-07-2025

Regional Rollout of One-Time Passcode via Email for All Autodesk Customers Begins April 2, 2025

We are committed to ensuring the security of Autodesk customer accounts. As part of this commitment, we will implement a one-time passcode (OTP) verification via email for all Autodesk customers starting April 2, 2025. Using OTP is a form of multi-factor authentication (MFA) that provides extra security for your Autodesk accounts and deters unauthorized access.

What to Expect: Starting April 2, we will begin our rollout of the enhanced email OTP workflow. This rollout will be conducted gradually, region by region. Once we enable this feature in your region and unless you otherwise have SSO or MFA enabled, you will need to use it as part of the verification process to access Autodesk products. Upon entering your username and password, you will receive an OTP via email, which you must provide to complete the verification process.

Key Details:

Rollout Period: Starting April 2, 2025, we will gradually roll out the feature across accounts on a region-by-region basis. Stay tuned for the specific rollout schedule for your region.

No Change for Existing MFA or SSO Users: If you are already using Multi-Factor Authentication (MFA) or have Single Sign-On (SSO) enabled, you will not experience any changes.

Thank you for your cooperation and commitment to maintaining the security of your Autodesk accounts.

Additional Information

Why use Multi-Factor Authentication (MFA)?  Security threats are increasing and becoming more sophisticated, making robust protection more critical than ever. As companies in the make and design industries, including Autodesk, rely more on digital infrastructure, protecting sensitive data and maintaining system integrity becomes paramount. Enforcing MFA is an effective way to enhance security.

Email OTP verification Email OTP verification is one of the many strategies used in MFA. With this method, after you enter your password, we send an OTP to your registered email address. You must enter this OTP to complete the login process. This adds an additional layer of security because even if someone knows your password, they would also need access to your email account to obtain the OTP.

What’s in it for me? Here’s why we at Autodesk are enabling email OTP, as a form of MFA, and why this will benefit you, as a customer:

Enhanced security We are enforcing MFA to bolster security. Traditional single-factor authentication, typically a username and password, is no longer sufficient to protect against modern cyber threats. MFA requires you to provide two or more verification factors to gain access to accounts or system. These factors include something you know (password), something you have (a smartphone or hardware token), and something you are (biometric verification). This multi-layered approach significantly reduces the risk of unauthorized access, even if one factor is compromised.
Protection against intellectual property theft Phishing attacks, data breaches, and other forms of credential theft are common threats that can lead to unauthorized access. In the make and design industries, the theft of intellectual property can have severe consequences. MFA provides an additional layer of security, making it much harder for attackers to gain access to accounts, even if they manage to steal passwords. By enforcing MFA, we can mitigate the risk of credential-based attacks and better protect your valuable designs and innovations.

Compliance with industry standards Many industries must implement strong security measures, such as MFA, due to regulatory requirements. By enforcing MFA, Autodesk ensures compliance with best security practices and regulatory guidelines.

Increased client trust Clients in the make and design industries are increasingly aware of security risks and are prioritizing their digital safety. By implementing MFA, Autodesk demonstrates its commitment to protecting client data, which enhances trust and loyalty.

Mitigation of account takeovers Account takeovers can have severe consequences, including financial loss, data breaches, and reputational damage. MFA provides an effective defense against these attacks by requiring multiple forms of verification. Even if an attacker obtains your password, they still need the additional authentication factors to gain access. This significantly reduces the likelihood of account takeovers and unauthorized access to confidential data.

Adaptability to emerging threats MFA is a dynamic and flexible solution that we can update and strengthen as new threats emerge. Autodesk can implement various MFA methods, such as email-based verification, mobile authenticator apps, or biometric authentication, to stay resilient against evolving attack vectors.

Frequently Asked Questions (FAQ)

Q: What is Multi-Factor Authentication (MFA)? 

A: Multi-Factor Authentication (MFA) is a security measure that requires you to provide two or more verification factors to gain access to accounts or system. These factors typically include something you know (password), something you have (a smartphone or hardware token), and something you are (biometric verification).

Q: Why is MFA important for customers in the make and design industries? 

A: MFA is crucial for protecting confidential data and intellectual property in the make and design industries. It provides an additional layer of security, reduces risk of unauthorized access and mitigates the impact of credential theft.

Q: How does MFA help in complying with industry standards? 

A: MFA helps Autodesk and customers comply with industry regulations and standards that mandate strong data protection practices.

Q: What are some common methods of implementing MFA? 

A: Common methods of implementing MFA include email-based verification, mobile authenticator apps, hardware tokens, and biometric authentication (e.g., fingerprint or facial recognition).

Q: How does MFA protect against phishing attacks? 

A: MFA adds an extra layer of security by requiring multiple forms of verification. Even if you fall victim to a phishing attack and your password is compromised, the attacker would still need the additional authentication factors to gain access, making it much harder to succeed.

Q: What are some best practices for implementing MFA? 

A: Best practices for implementing MFA include:

Using a combination of verification factors: Ensure you use something you know (password), something you have (hardware token or smartphone), and something you are (biometric verification).

Regularly updating authentication methods: Keep your authentication methods up-to-date to counteract emerging threats.

Educating users about security practices: Inform users about the importance of MFA and how to use it effectively.

Monitoring for suspicious activity: Continuously monitor account activity for any unusual or suspicious behavior.

Enforcing strong password policies: Ensure users create strong, unique passwords that are changed regularly.

Implementing single sign-on (SSO) with MFA: Simplify the user experience while maintaining security by integrating MFA with SSO solutions.

Providing backup authentication methods: Offer alternative authentication options in case the primary method is unavailable.

Regularly reviewing and auditing MFA policies: Conduct periodic reviews to ensure MFA policies are effective and up-to-date.

Encouraging the use of hardware tokens: Hardware tokens can provide a more secure form of MFA compared to software-based solutions.
Ensuring secure storage of recovery codes: Advise users to store recovery codes in a secure location, separate from their devices.

Curtis_Waguespack · ‎02-07-2025

@stephen_ch_yuen

Your links do not work

Idea: Capture iLogic Drawing Annotation Code Directly from Object

stephen_ch_yuen · ‎02-07-2025

Thanks Curtis. Updated section into content instead.

ChrisRS · ‎02-07-2025

Thank you for the advanced notice.

Christopher Stevens
Did you find this post helpful? Feel free to Like this post.
Did your question get successfully answered? Then click on the ACCEPT SOLUTION button.

silvio3105 · ‎02-12-2025

2FA/OTP from phone apps(MS, Google etc..) will be available?

stephen_ch_yuen · ‎02-12-2025

Correct. All users who do not currently have SSO/MFA enabled, will be required to use the enhanced verification workflow on cloud, desktop, and mobile applications.

ktnalive · ‎02-13-2025

Thanks,

Kim.

ParishSouthBdx · ‎02-14-2025

I find it interesting that customers/users folks logging in are held to some rigid access procedures like the ones described here. when truth be told the unauthorized access or hacking doesnt happen from the log in page, or from our side, its from the other side. Breaches of data are almost common place now. Not specificlly Autodesk, but other vendors, AMAZON, BANKING,,,,

Michiel.Valcke · ‎02-17-2025

What is the order of regions where the rollout will take effect?

And will the email verification be necessary with each login?

tcorey · ‎02-17-2025

I know little about security so my question might be naive. Why can't you use text like so many other companies do? Or give us the choice.

Tim Corey
MicroCAD Training and Consulting, Inc.
Redding, CA
Autodesk Gold Reseller

New knowledge is the most valuable commodity on earth. -- Kurt Vonnegut

Michiel.Valcke · ‎02-17-2025

~~You can choose that option if you set up 2 factor authentication yourself, the measure is for people who have not set up 2-factor authentication.~~

@tcorey I apologize, I just tried it myself and apparently the authenticator app is the only option atm?

stephen_ch_yuen · ‎02-17-2025

Valid point @ParishSouthBdx. MFA (including OTP) still can be part of a comprehensive security strategy. While we cannot prevent against all type of security breaches, we believe MFA is a crucial part of a multi-layered security approach that helps protect against a wide range of threats. It's not about burdening users with rigid access procedures but rather about safeguarding their data and maintaining the integrity of the systems they rely on.

stephen_ch_yuen · ‎02-17-2025

Please reach out via https://www.autodesk.com/support/contact-support

stephen_ch_yuen · ‎02-17-2025

We will confirm the regional rollout schedule in March. Stay tuned.

Existing users who already have SSO/MFA set up can continue to use these methods even after the feature is enabled. For those who do not, we offer email OTP verification or verification via an authenticator app as options. We plan to expand to other MFA options in future feature releases.

dsummersPEG · ‎02-20-2025

Will we be required to go through the OTP email exercise each time we start/restart an Autodesk software product on our computer? I admit my confusion over the "one-time" part of "one-time passcode"; it may have multiple interpretations. Is it one-time use, or one-time required? I don't normally keep Autocad and Revit open simultaneously, and bounce back and forth between the two frequently, and not looking forward to waiting on emails each time I want to swap. So an additional question: will this cause issues if we do run multiple Autodesk products simultaneously? By that I mean both multiple instances on the same computer of the same product (like 2 instances of Autocad), and running both Autocad and Revit on the same computer.

stephen_ch_yuen · ‎02-20-2025

Thank you for your comment @dsummersPEG.

When you log in to your account, you will receive a one-time password (OTP) sent to your registered email. This OTP is valid for a short period and must be used before it expires. If the OTP expires, you will need to request a new one. The OTP is required only when logging in from a device that the system does not recognize. After entering your username, password, and OTP successfully, you can choose to remember the device or stay signed in for a certain period. This means you won't need to enter the OTP again for future logins on the same device within that period.

If you log in from a different device that the system doesn't recognize, you will be prompted to enter a new OTP. Once verified, you can choose to trust this new device, and the same rules will apply.

In summary, the OTP adds an extra layer of security, especially when accessing your account from new or unrecognized devices.

Hope this is helpful.

AllenJessup · ‎02-27-2025

This doesn't apply to me. But, I remember issues from previous license changes. Is there any thought being put to users that have to work out of contact with internet services or those working in disaster areas where cell phone services have been disrupted?

Allen Jessup
CAD Manager - Designer
Did you find this post helpful? Feel free to Like this post.
Did your question get successfully answered? Then click on the ACCEPT SOLUTION button.

pendean · ‎02-27-2025

@AllenJessup Pre-planning and seeking out Autodesk Licensing 'special needs' need to be planned for ahead of time. For everyone else, I suspect Starlink (and others soon enough) is a modern solution and is good enough to use once a month for your laptop to call home for a license check before letting you work remotely again.

SO... If you have power (aka electricity), today's excuses for no internet access have been reduced dramatically.

AllenJessup · ‎02-27-2025

@pendean Understood. And for the once a month check in I'm sure that would be fine. However I could see having to get an email every time you open a program may cause some people an issue. I've never used Starlink so I have no idea how it may perform worldwide.

Heck. Our MFA service went out for over half a day. After an hour or so IT had to disable it so people could log in to there computers. The week before our phones (VOIP) went down for a couple of hours. Those who only had MFA through their office phones were locked out.

Allen Jessup
CAD Manager - Designer
Did you find this post helpful? Feel free to Like this post.
Did your question get successfully answered? Then click on the ACCEPT SOLUTION button.

pendean · ‎02-27-2025

@AllenJessup wrote:

... Those who only had MFA through their office phones were locked out.

Yes, and probably related to the recent push by Autodesk to offer email OTP instead: other software vendors have it, its not limited to phone numbers, and I am a total fan.