3 Messages
Feature Request: 2 Factor Authentication and Improved App Security
While I'm pleased with the Simplisafe system overall, I wish that as much attention were paid to digital security as to physical security. The Simplisafe website allows access to disarm any component, change billing information, view camera feeds in my home, and remove any component, yet it is only protected by a password. The video from my camera could potentially be used to blackmail me (in the same way that hacked webcam video is), and a sophisticated burglar could easily profit from disabling my alarm remotely, then taking advantage of my false sense of security.
Industry standards for sensitive data such as banking and email are rapidly moving towards general support for 2 Factor Authentication, at least by text, and ideally by a password generator app (which is more secure). Ideally, I would like the ability to use a Yubikey or similar device to authenticate myself, and to have access to a login history list for the website with timestamps and IPs.
It's worth noting that these features can only benefit Simplisafe too, in the event of a data breach of user passwords from their system. I'm sure your information security team knows that this is likely to occur at some point, and having 2FA in place would potentially prevent access before the breach is discovered. Or a criminal may gain access to an online account by trying top-500 passwords or a password that was exposed in a prior data breach.
Lastly, it's worth noting that there is even less security on the mobile application, since the standard usage is to leave the app user logged in at all times. Login timeouts would be a helpful feature, or at least the ability to require that the app is unlocked with a fingerprint scan before each use. At present, it would be very easy for a stolen phone to grant access to all the functionality mentioned above. Or an intruder could disarm the alarm if they grabbed a user's phone during a break-in.
general_kaos
764 Messages
6 years ago
As for your solution of the Yubikey, I don't know anything about it, including price, but requiring additional hardware by the user will increase the complaints (LESS than a data breach), not to mention the cost (dollars and time) for SS to build in the support for such a device in the backend system.
yelledsokiema
2 Messages
6 years ago
For this discussion, losing things is outside of the scope of concern. Financially speaking, home insurance can cover losses for the replaceable items, but you're SOL for sentimental items. The main concern is that someone is able to completely control your alarm and watch your video remotely and without setting foot in your house. There are numerous videos on YouTube with homeowners talking to people who hacked their video doorbells (Ring or Nest). The alarm system is just a one-way: the attacker can blare your alarm and you have no idea who's doing it (some kid who's playing with your phone and doesn't know what it does, or an attacker).
In any case, this is a massive issue for those in and outside the house when such an event occurs. This is for the engineers: it's important to consider that not everyone wants to be watched or harassed with an alarm. I honestly cannot believe a product was released without any apparent consideration of use cases and security issues that may arise from a lack of due diligence.
monkeyseemonkeydo
2 Messages
6 years ago
Really great explanation from yelledsokiema on the reasons why...
sh2402
264 Messages
6 years ago
coltmaster1
2.8K Messages
6 years ago
We are in an era where hacking, phishing, brute-force attacks and DoS attacks are the "new normal", and where everything about you is sold to the highest bidder, whether another company or an underground hive of scum. I, for one, am sick and tired of businesses not taking website security and data security seriously.
everett_23
2 Messages
5 years ago
keropi
24 Messages
5 years ago
05windbreaker
2 Messages
3 years ago
My account has been hacked and the hacker has all my info, and I need the 2FA system to be activated so I can block them out and get everyone out of my email. Can anyone help me?