Sat, Aug 21, 2021 9:29 PM

Closed

Need multiple app logins

Why is there no way to create a login for my family without giving them the master account?  Every major alarm company I've used had this feature and I mistakenly assumed SimpliSafe would have something similar.

This conversation has been merged. Please refer to the main conversation:

Multiple Users

Official Solution

Community Admin

3.2K Messages

1 y ago

Hi castewa88 et al,

There is a little bit of a workaround for that particular MFA issue, in that you can actually set multiple phone numbers to receive the confirmation texts. So whenever anyone tries to log in, everyone gets notified.

And yep, we've had quite a few requests about multi-user logins. I definitely forward all your requests, and the more of them there are, the higher priority it becomes to our dev team. So keep 'em coming!

As for that duress scenario - unless you're in a scenario where an intruder would be watching you closely for a while, they wouldn't necessarily know that you normally use the app to disarm your system. So you could still use the Duress PIN via your Keypad.
However, duress via app is another great idea.

(edited)

3 Messages

@davey_d consider this an additional request for this feature. A security company expecting me to share my username and password - even with my partner - makes me wonder how you treat my data in your servers.

2 Messages

Yes we have it at work, and we want each manager with their own pin and login instead of sharing. I was disappointed we only figured that out after installation. 

2 Messages

@davey_d  Add me to the list...  We installed SimpliSafe in our shop and there are multiple managers / owners that would like to have access to the app.  We also recently installed a Rachio irrigation controller.  Very happy with the way this works, would like SimpliSafe to work in a similar way where each person has their own account and multiple accounts can control a system.

The one user / one system model is relatively antiquated.

(edited)

1.3K Messages

1 y ago

Personally, I don't have a problem with it because I know nobody will mess with anything except arm/disarm. But, certainly, others like yourself voice concern.

This has been a longstanding request with no indication if or when it will ever be addressed. So, much as SS works for me, if this is a showstopper for you then returning the system is, unfortunately, your only real option unless you're willing to live with it this way indefinitely.

22 Messages

1 y ago

The recent addition of 2FA (which is a good thing) has surfaced even another need to support multiple accounts.  My family members are constantly frustrated by getting logged out by the app.  Maybe it only happens once every 30 days per person, but it sure seems more often than that.  In any case, they always need my help to get signed back in because I receive the 2FA code during sign in.  This issue is one of my 3 main gripes with SimpliSafe.  I've been a customer for about a year.

A second complaint is smart locks that too often get stuck in a state of "not responding".  (I've tried tons of replacements.  None of them have fixed the issue.)

The third, and biggest security gap in my opinion, is that the app does not require a PIN to take actions on your system.  Imagine the bad guy who meets your wife in the carport when she gets home and forces her to use the app to disarm the system.  Or the person who breaks into your house and forces a system disarm via the app.  No chance to use the duress code, because there's no system PIN required.  The SimpliSafe app could be used to circumvent needed security in lots of similar and scary scenarios.  (You can configure the app to use a PIN, but that's not the same thing.)  I'm shocked that this security hole exists in the system and no one seems to care.

22 Messages

1 y ago

Thanks Johnny M for the tip re: multiple phone numbers for 2FA texts.  I did not realize that was an option.  Having multiple account logins is nonetheless still a long requested feature in these threads and one that it sounds like other companies offer.  Hopefully the dev team really is aware of that and is working on this much needed and often requested feature.

I think you miss the point about the app not requiring a PIN.  It's reasonable to think that a "bad guy" can know enough about SimpliSafe to know that the system can be disarmed using the app regardless of whether the person normally uses the app to disarm the system.  And it's certainly reasonable to assume that most anyone who has SimpliSafe likely uses the app.  All that bad guy then has to know is that using the app will disarm the system without a PIN, thereby bypassing the victim's opportunity to use the duress PIN.  With that basic, or at least pretty easy to learn, knowledge, a perpetrator could catch any SimpliSafe user before the system is disarmed (whether indoors or outdoors) and force them to disarm the system via the app.  The alarm ends normally before the end of the entry delay.  The bad guy wins.

1.3K Messages

1 y ago

The problem I see with mobile app Duress PIN is that you can be practically anywhere in the world and trigger it, yet the authorities know only the monitored address. Are you there? It's pretty much a given with the keypad or fob; not so much with the mobile app. If it's doubling as a panic button, per se, it does no good away from home.

If someone has done enough due diligence to stake you out and try the scenario previously described, it seems plausible they are also smart enough to force the disarm remotely while a partner in crime stakes out the property. If you "disarm" and the cops show up, they just hang back until the scene clears then do their dirty work.

It's easy to daisy chain a bunch of "what ifs" into a worst case scenario, and there are any number of ways security systems can be defeated. The key difference between possibility and probability.

22 Messages

1 y ago

Someone wouldn't necessarily have to "watch you for a while" or "stake you out" to know that you count on SimpliSafe to secure your home.  Many people put signs in their yard.  If a bad guy were looking for a target where they could exploit this flaw in the security system, that sign might be a place to start.  In the case of domestic disputes the attacker may be familiar with the victim's home without having to do their "due diligence".  The scenario of someone being away from home and at that time deciding to disarm their system with the duress PIN is also a what if scenario, but it's a scenario where the outcome is likely less severe than scenarios where you have been confronted at home by someone who is wishing you harm.  As I said when I brought this up, I'm shocked that this security hole exists in the system ***and no one seems to care***.  But, I reckon it is what it is.

1.3K Messages

1 y ago

Oh, I get it. Our worst fears always play out in "what if" scenarios designed to that end.

Don't get me wrong, if SS can add it I got no problem with that. I just don't share the same "big hole security flaw" sentiment in the grand scheme of SimpliSafe system.

Community Admin

3.2K Messages

1 y ago

Yep, I agree with whoaru99.

The original intention of Panic-type alarms (including the Duress signal) is for when someone is on the premises and needs help immediately. So that would be what's relayed to our Dispatch team, and their protocol accounts for that.

But as I mentioned, I'm still passing this on to our devs. If there's a solution that's possible, someone way smarter than me in the engineering team can figure it out!

(edited)

22 Messages

1 y ago

"The original intention of Panic-type alarms (including the Duress signal) is for when someone is on the premises and needs help immediately. So that would be what's relayed to our Dispatch team, and their protocol accounts for that."


It sounds like we agree that the intent of the duress signal is to be usable when a person is on premises and needs help immediately.  My opinion (which seems to be in the minority) is that it is a bad thing if the ability to use that duress signal during an on premises attack can be circumvented due to lack of controls within the app.  Security is built on layers.  The system PIN layer is missing from the app.

Thankfully our worst fears don't always play out.  For the most part we buy security systems as a deterrent to perpetrators and/or to give peace of mind that a home (and the people in it) are protected.  Most of us will only deal with false alarms and never deal with live alarms.  Most people without security systems will never really be victims of an attack that the system could or would have prevented or mitigated.  But, the system adds a layer of security to our homes.  When you are aware of what seems to be a design flaw in the system you use, or you are aware of ways that your system's security could be negated by someone who knew just a little about that system (and not necessarily much about you or your habits), this becomes a concern and can remove a bit of the "peace of mind" that comes from a secure system.  I would think that this is something that would have a shared importance among us who are customers and somewhat "fans" of SimpliSafe.

Incidentally, adding the system PIN layer of security to the app could play a role in the lack of multiple logins which was the original topic of this thread.  If the system/general/device settings were only available when you logged into the app with the master PIN, then there would probably be fewer complaints about the inability for family members to have separate logins.  Having separate logins would be best, but given how long that hasn't happened most of us aren't expecting those logins to be an option any time soon.  But, in order to access those settings from the keypad you must enter the master PIN.  Wouldn't it make sense for the app to behave the same way?

141 Messages

1 y ago

Separate logins makes too much sense..... it will take SimpliSafe another 5-10 years to implement it.... if ever.... sad, really....

1.3K Messages

1 y ago

I'll again put out this concept...

You willingly give someone the possibility to totally disarm your security system, but worry that they're going to change some device settings or account information? If they are that untrustworthy or irresponsible I question the decision to give them ability to use the app at all.

Again, if SS can implement it fine, cool, awesome; whatever. But, considering you've already handed over complete disarm capability, it seems like sometimes the focus on granularity obscures the big picture.

Advocate

422 Messages

1 y ago

There are people I trust to get packages into my house or look after pets but that doesn't mean I want to give them the option to use the full power of the app to remove devices entirely, change service, change other people's PINs, remotely monitor my cameras, etc.  It's similar to how there are people I will hand my credit card to so they can pay for my beers at the bar or run out to the store for me to get supplies but I'm not giving them full access to my banking app (and neither would you) or my stock account.

This is just "Principle of Least Privilege" which is extraordinarily common in businesses large and small across the globe. It is considered part of best security practices. It's extremely reasonable to ask that the company providing physical security and monitoring also provide good security on the digital front as well.

1.3K Messages

1 y ago

That's exactly my point. I don't give the app to anyone I don't implicitly trust. All others can use the key pad or call me/text me if it needs to be disarmed.

141 Messages

1 y ago

There are probably parents who would want their CHILD to have access to the app but not have access to all the settings and other info within.

yes they can use the keypad... but why?  why not allow a separate log in so that a KID could have access?

I can't believe it's that hard... SimpliSafe just takes years to implement REASONABLE requests.... if ever....

1.3K Messages

1 y ago

Clearly there are those who think any number of people should have the ability to remotely turn off their system.

Going back to the Principle of Least Privilege (PoLP), it occurs to me far fewer people should have the app in the first place than do because they don't actually need it. #1 of PoLP: If a subject does not need an access right, the subject should not have that right.

The biggest "access right" of all is turning off your security system.

Again, to be clear, if SS can implement, great, whatever; no skin off my arse. But, I think handing out remote disarm, regardless of blocking other access rights, violates the tenet of PoLP.