
Mon, Feb 3, 2020 1:14 PM

Need for Log-in Security Option Setting

The Web "Masters" have created a silly new security check - they want to make certain that you are logging in from a recognized device. While "in theory" this all sounds good, let's take a look at how they implement the "device" recognition and then let's look at the circumstances under which customers might be using their web log-in.

1) How is the device recognition implemented? Answer: It appears to be BY COOKIES on the device - NOT BY A CENTRAL LOOK-UP ON THE MAC-ID OF THE DEVICE.
   a. To implement this so-called device recognition a special email is sent to the account on file. This can take up to several minutes for the user to get the email (hold on to that thought for a moment, we will come back to this later).
   b. On receiving the email, a link is activated - and all this link apparently does is SET A COOKIE on the local machine.
      i. When logging in, if this cookie is seen, all is okay.
      ii. HOWEVER, if you have cleared cookies, use a different browser (ON THE EXACT SAME MACHINE), etc., the entire process has to be repeated.
   c. THUS WE SEE, that despite the assertion that it is establishing "device recognition", all that is really being done is "cookie recognition". If this was really device recognition, the MAC-ID of the actual machine would have been queried, and stored on a central database at SimpliSafe, and then checked at subsequent log-ins. Such a real process would not be affected by clearing cookies and the like.


2) Now consider how people might be using the web access: WHEN THEY ARE IN A PANIC, AFTER A FALSE ALARM HAS GONE OFF, AFTER ENTRY AND NEED TO CLEAR A CODE, ETC. (and assume that the person does not have access to the phone at this moment - and they are remote from the unit)
   a. Under these circumstances consider how previously one could get access to their account QUICKLY.
   b. Under these circumstances, now consider how the new process above works - access to the account could take minutes. By this time emergency support will have been called out for the FALSE ALARM.


3) Conclusion:
   a. By using the cookie method for machine recognition, SimpliSafe has created security theatre (the appearance of additional security) but no real security - because it is a cookie based system.
   b. By using a cookie method, the same machine will have to be recognized again and again AND AGAIN AND AGAIN ... forever ... each time the user clears cookies, etc.
   c. By slowing down the user's access to their account you have practically eliminated one way in which users can manage their accounts.
   d. As of this writing there is no way for the user to choose to disable this feature.


4) Go-forward suggestions:
   a. Please enable a setting whereby the user might turn off this feature (similar to Google Account Log-in security - where the user has an option concerning such things).
   b. Please do REAL machine identification by getting the MAC-ID of the machine, recording that ID with the account, and then NO MATTER WHERE THAT MACHINE APPEARS, allow it access (even if the cookies have been reset the machine ID is still recognized).
   c. Please write an article on how a user can manage this silly cumbersome feature until SimpliSafe develops a better way.

Thank you.
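To make the flow described in the post concrete, here is an added example (not SimpliSafe's code; the function names, the cookie layout and the server key are assumptions) of how an email-link "remembered device" cookie is typically issued and checked. The identifier lives in the browser's cookie jar, signed with a server-side key, so a second browser profile or a cleared cookie jar on the same machine falls back to email verification, while a forged or tampered cookie is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; a real deployment keeps this key out of source.
SERVER_KEY = b"constructed-server-side-key"

# Server-side record of device ids issued per account (allows revocation).
ISSUED_DEVICES = {}  # account_id -> set of device_id


def issue_device_cookie(account_id, cookie_jar):
    """Called when the user clicks the link in the verification email.
    A random device id is minted, recorded server-side and written into
    the browser's cookie jar together with an HMAC over account:device."""
    device_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{account_id}:{device_id}".encode(),
                   hashlib.sha256).hexdigest()
    ISSUED_DEVICES.setdefault(account_id, set()).add(device_id)
    cookie_jar["device"] = f"{account_id}:{device_id}:{tag}"
    return device_id


def is_recognized_device(account_id, cookie_jar):
    """True only if the cookie is present, carries a valid HMAC for this
    account, and the device id has not been revoked server-side."""
    cookie = cookie_jar.get("device")
    if not cookie:
        return False
    try:
        acct, device_id, tag = cookie.split(":")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{acct}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    return (acct == str(account_id)
            and hmac.compare_digest(tag, expected)
            and device_id in ISSUED_DEVICES.get(account_id, set()))


def login(account_id, password_ok, cookie_jar):
    """Returns 'ok', 'denied', or 'verify-email' (cookie missing/invalid)."""
    if not password_ok:
        return "denied"
    return "ok" if is_recognized_device(account_id, cookie_jar) else "verify-email"


def revoke_device(account_id, device_id):
    ISSUED_DEVICES.get(account_id, set()).discard(device_id)
```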

3 y ago

Plus the fact that Google has plans to end cookie support completely from Chrome.  This 'should' force SS to come up with a better plan in the hopefully near future.  For now, at least it's a step in the right direction.

3 y ago

Thank god, finally another user notices the issue ( mine is posted here: https://simplisafe.com/forum/customer-support-forum/installing-and-using-simplisafe/login-fails-endless-cycle-of-  ) - another user just posted today a similar issue with the webapp login.

Just curious, how did you determine it's a cookie issue - just by logging in with cookies accepted, and then again with them cleared or not accepted?