2-Factor Authentication

While I'm pleased with the Simplisafe system overall, I wish that as much attention was paid to digital security as physical security. The Simplisafe website allows access to disarm any component, change billing information, view camera feeds in my home, and remove any component, yet it is only protected by a password. The video from my camera could potentially be used to blackmail me (in the same way that hacked webcam video is), and a sophisticated burglar could easily profit from disabling my alarm remotely, then taking advantage of my false sense of security.

Industry standards for sensitive data such as banking and email are rapidly moving towards general support for 2 Factor Authentication, at least by text, and ideally by a password generator app (which is more secure). Ideally, I would like the ability to use a Yubikey or similar device to authenticate myself, and to have access to a login history list for the website with timestamps and IPs.

It's worth noting that these features can only benefit Simplisafe too, in the event of a data breach of user passwords from their system. I'm sure your information security team knows that this is likely to occur at some point, and having 2FA in place would potentially prevent access before the breach is discovered. Or a criminal may gain access to an online account by trying top-500 passwords or a password that was exposed in a prior data breach.

Lastly, it's worth noting that there is even less security on the mobile application, since the standard usage is to leave the app user logged in at all times. Login timeouts would be a helpful feature, or at least the ability to require that the app is unlocked with a fingerprint scan before each use. At present, it would be very easy for a stolen phone to grant access to all the functionality mentioned above. Or an intruder could disarm the alarm if they grabbed a user's phone during a break-in.

@BrianDaniel many services. like Ally Bank and Amazon, do go the extra mile with security without specifically using 2FA with "trusted devices".  SS does the 2FA once with your browser and device and once confirmed, you're done.  Clear out your cookies and you will have to revalidate via email.

Captain, I'm still having to re-validate, every single time.  I rarely even log into the control panel anymore because after (months ago) days and days and days of "did ya do this, did ya do that, oh well we can't replicate that on our end, it must be your problem", I've stopped caring anymore.  It really is an obnoxious 2FA, and it doesn't work properly for everyone.

@SS,

Please consider giving us a proper multi-factor authentication option and not just the current text based option. While having MFA via text is arguably better than nothing it's not much better than nothing and may in fact give a false sense of security since it's (relatively) easy to compromise compared to other options.

Supporting something like the Google Authenticator or similar OTP system would be greatly preferred if at all possible. It also works so long as you have your phone and isn't dependent on being able to receive an SMS or even having network connectivity on your phone.