‎2-Factor Authentication | SimpliSafe Support Home
 

1 Message

Saturday, June 20th, 2020 12:14 PM

Implemented


2-Factor Authentication

I appreciate the security you're trying to put behind people logging into their dashboards and mobile apps, but I think a more modern 2-factor approach would be at least including options for Google Authenticator, or SMS code delivery.

Just my .02

Multi-Factor Authentication is now available for all SimpliSafe accounts.

3 Messages

6 years ago

While I'm pleased with the Simplisafe system overall, I wish that as much attention was paid to digital security as physical security. The Simplisafe website allows access to disarm any component, change billing information, view camera feeds in my home, and remove any component, yet it is only protected by a password. The video from my camera could potentially be used to blackmail me (in the same way that hacked webcam video is), and a sophisticated burglar could easily profit from disabling my alarm remotely, then taking advantage of my false sense of security.

Industry standards for sensitive data such as banking and email are rapidly moving towards general support for 2 Factor Authentication, at least by text, and ideally by a password generator app (which is more secure). Ideally, I would like the ability to use a Yubikey or similar device to authenticate myself, and to have access to a login history list for the website with timestamps and IPs.

It's worth noting that these features can only benefit Simplisafe too, in the event of a data breach of user passwords from their system. I'm sure your information security team knows that this is likely to occur at some point, and having 2FA in place would potentially prevent access before the breach is discovered. Or a criminal may gain access to an online account by trying top-500 passwords or a password that was exposed in a prior data breach.

Lastly, it's worth noting that there is even less security on the mobile application, since the standard usage is to leave the app user logged in at all times. Login timeouts would be a helpful feature, or at least the ability to require that the app is unlocked with a fingerprint scan before each use. At present, it would be very easy for a stolen phone to grant access to all the functionality mentioned above. Or an intruder could disarm the alarm if they grabbed a user's phone during a break-in.
Note: This comment was created from a merged conversation originally titled Feature Request: 2 Factor Authentication and Improved App Security

764 Messages

@farragut0977 - in my case, I am not convinced 2FA is required vs nice to have.  I don't have any indoor cameras (yet), so I see some risk if my account is compromised.  I have a SS to keep the "stupid criminals" out of the house.  The smart criminals aren't (in my (not so) humble opinion) going to be stopped by a SS system.  I am not looking to give away what I have, but understand I could lose some "stuff."

As for your solution of the Yubikey, I don't know anything about it, including price, but requiring additional hardware by the user will increase the complaints (LESS than a data breach), not to mention the cost (dollars and time) for SS to build in the support for such a device in the backend system.

2 Messages

A great use case for having 2FA is if your account is compromised and the alarm is turned on and off in the middle of the night. For a home security company, this is absolutely negligent on their part.

For this discussion, losing things is outside of the scope of concern. Financially speaking, home insurance can cover losses for the replaceable items, but you're SOL for sentimental items. The main concern is that someone is able to completely control your alarm and watch your video remotely and without setting foot in your house. There are numerous videos on YouTube with homeowners talking to people who hacked their video doorbells (Ring or Nest). The alarm system is just a one-way: the attacker can blare your alarm and you have no idea who's doing it (some kid who's playing with your phone and doesn't know what it does or an attacker).

In any case, this is a massive issue for those in and outside the house when such an event occurs. This is for the engineers: it's important to consider that not everyone wants to be watched or harassed with an alarm. I honestly cannot believe a product was released without any apparent consideration of use cases and security issues that may arise from a lack of due diligence.
For a security engineering business, 2FA should absolutely be one of the features built into the system, at the very least for web login. Whether an individual uses it or not is down to them, but no reason not to. Yubikey or FIDO would be great, but TOTP at the very least. It's free for users, and minimal to implement for Simplisafe...

Really great explanation from yelledsokiema on the reasons why...

264 Messages

I understand the 2FA as an added security measure, but how many sites do you visit a day without it? The online account connection is encrypted before it is sent over the internet.

2.8K Messages

^ any website that contains personal identifying information, and those who also sell your PII to third parties, should be doing 2FA, there is no excuse not to. (yes, users can opt out).

We are in an era where hacking, phishing, brute force attacks and DOS attacks are the "new normal", and where everything about you is sold to the highest bidder, whether another company or an underground hive of scum.  I, for one, am sick and tired of businesses not taking website security and data security seriously.

Captain


6.3K Messages

5 years ago

@BrianDaniel many services, like Ally Bank and Amazon, do go the extra mile with security without specifically using 2FA with "trusted devices".  SS does the 2FA once with your browser and device and once confirmed, you're done.  Clear out your cookies and you will have to revalidate via email.

2.8K Messages

5 years ago

Captain, I'm still having to re-validate, every single time.  I rarely even log into the control panel anymore because after (months ago) days and days and days of "did ya do this, did ya do that, oh well we can't replicate that on our end, it must be your problem", I've stopped caring anymore.  It really is an obnoxious 2FA, and it doesn't work properly for everyone.

747 Messages

3 years ago

@SS,

Please consider giving us a proper multi-factor authentication option and not just the current text-based option. While having MFA via text is arguably better than nothing, it's not much better than nothing and may in fact give a false sense of security since it's (relatively) easy to compromise compared to other options.

Supporting something like the Google Authenticator or similar OTP system would be greatly preferred if at all possible. It also works so long as you have your phone and isn't dependent on being able to receive an SMS or even having network connectivity on your phone.
Note: This comment was created from a merged conversation originally titled Suggestion - Give Us A Proper MFA Option (Text Doesn't Cut It)

Captain


6.3K Messages

@Worthing you got my vote for Google Authenticator, but there are other things I would rank higher for SS to work on. As posted in other threads, the ability for SS3 to pass an "alarm state flag" to digital assistants so they can be used for routines is my #1 ask. If SS3 alarms, I want Alexa to light up my house like a Christmas tree!

747 Messages

@Captain11,

This concept of, "no, do this other thing first!" isn't how a company the size of SimpliSafe works. They don't just pick a task and then dedicate the entire company (or even department) to implementing it. I guarantee within IT there are different groups that would work on the integration you're looking for and the security options I am asking for. It's not a zero sum game - one of us getting what we want here doesn't preclude the other person from getting what they want. :)

Community Admin


5.7K Messages

Worthing,

That is very true, though we are still a relatively small team so there really is a finite number of things we can work on all at once. As we continue to invest (in a really big way!) in expanding our engineering resources, we'll be able to tackle more and more initiatives.

- Johnny M.
SimpliSafe Home Security