SMS 2FA Deprecation FAQ
Wait… what is happening?
Sentry no longer supports SMS/text message based two-factor authentication for user accounts.
Am I impacted?
If you do not already have SMS 2FA enrolled on your user account, you will not be able to enroll in it. You will need to use one of our other two-factor options.
If you are already enrolled in SMS 2FA on your user account, it will continue to work as expected. For example, you will still receive a message with your one-time passcode when logging into Sentry. However, if you delete your SMS 2FA configuration you will not be able to set it back up. You’ll need to use one of our other two-factor options.
What other 2FA options do I have?
Sentry currently supports 2FA via an authenticator app like Authy, Google Authenticator, 1Password, or any TOTP compatible application.
We also support 2FA via hardware keys compatible with U2F/FIDO like a Yubikey, Titan Security Key, or Apple’s TouchID (requires Google Chrome).
When will SMS 2FA be deprecated?
On August 12th, 2022.
What about self-hosted installs of Sentry?
SMS two-factor authentication on self-hosted installations of Sentry will still be available and enabled as an option for your users by default.
If administrators wish to disable SMS two-factor enrollment for users, set the sms.disallow-new-enrollments option to True in your config.yml.
To use SMS two-factor authentication on your self-hosted instance you will need a Twilio account and the appropriate configurations set in your config.yml. For more details on configuration options, refer to our documentation
Why are you deprecating SMS 2FA?
Two reasons:
- SMS is one of the weaker options for two-factor authentication. While it is better than nothing, we support stronger methods of 2FA more resistant to attacks.
- Sentry has seen a significant increase in SMS fraud. Keep an eye out on our blog! We will have an interesting write-up coming out soon!
