I appreciate the security you're trying to put behind people logging into their dashboards and mobile apps, but I think a more modern 2-factor approach would be at least including options for Google Authenticator, or SMS code delivery.
Just my .02
Multi-Factor Authentication is now available for all SimpliSafe accounts.
4 years ago
Industry standards for sensitive data such as banking and email are rapidly moving towards general support for 2 Factor Authentication, at least by text, and ideally by a password generator app (which is more secure). Ideally, I would like the ability to use a Yubikey or similar device to authenticate myself, and to have access to a login history list for the website with timestamps and IPs.
It's worth noting that these features can only benefit Simplisafe too, in the event of a data breach of user passwords from their system. I'm sure your information security team knows that this is likely to occur at some point, and having 2FA in place would potentially prevent access before the breach is discovered. Or a criminal may gain access to an online account by trying top-500 passwords or a password that was exposed in a prior data breach.
Lastly, it's worth noting that there is even less security on the mobile application, since the standard usage is to leave the app user logged in at all times. Login timeouts would be a helpful feature, or at least the ability to require that the app is unlocked with a fingerprint scan before each use. At present, it would be very easy for a stolen phone to grant access to all the functionality mentioned above. Or an intruder could disarm the alarm if they grabbed a user's phone during a break-in.
3 years ago
Please consider giving us a proper multi-factor authentication option and not just the current text-based option. While having MFA via text is arguably better than nothing, it's not much better than nothing and may in fact give a false sense of security, since it's (relatively) easy to compromise compared to other options.
Supporting something like the Google Authenticator or similar OTP system would be greatly preferred if at all possible. It also works so long as you have your phone and isn't dependent on being able to receive an SMS or even having network connectivity on your phone.