dsmmrm's profile

Tue, Dec 28, 2021 2:40 PM

Simplisafe's multi-factor authentication is the worst implementation of MFA I have ever seen.

I spent almost an hour and a half this morning trying to get into SS on a computer. It defaulted to an email being sent to my address of record. That's fine but the email would not arrive before the login token expired. I had a fun little game of clicking refresh in my email client repeatedly hoping it would get the authorization email in time. Finally, it did and I was able to get into the app.

Then, I tried to change the 2fa method to an sms text and, guess what, another game with the emails. It's not my email; I tried from a couple of other accounts, i.e. work, gmail, etc., and it was instantaneous.

Fix it or turn it off. I have been a cybersecurity professional for 27 years and have set up MFA on many implementations on every OS out there. It is not supposed to deny access to the account holder. I would think that should be obvious.

Community Admin


2.9K Messages

7 m ago

Hi there,

Yes, if you haven't set up MFA via SMS yet, then the only way to confirm your access is through the 2-step verification via email. So that's why email confirmation is required to set up MFA.

But obviously the extreme delay is very concerning. Have we already tried changing the email address that we have for your account to a different one? That would of course send the email confirmation to that other address. Since you can't get the confirmation emails to log in and change info yourself, the only way to change your email is over the phone with our Support team at 800-548-9508.

217 Messages

7 m ago

They really should implement TOTP (aka "google authenticator"). It's much faster and simpler.

11 Messages

7 m ago

I was finally able to change it to sms. As simplistuckon suggests, an authenticator app, either google's or microsoft's, would be a good option as well.

For the sake of conversation, I checked the time stamps on the smtp headers and once it finally left simplisafe's system it got to my mailbox in seconds. It languished between smtp-oxygen.simplisafe.com and smtp-east-0.simplsafe.com for a bit over 4 minutes. I can't see where it was vacationing before it hit smtp-oxygen as the first hop but that one was several minutes after I clicked the button on the pop up.
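The header check described in the last post, as an added example that is not part of the original thread: it reads the `Received` headers of a message oldest-first and reports how long the mail waited before each hop. The hostnames, queue IDs, addresses and timestamps in the sample are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: every hostname, ID and timestamp here is invented.
SAMPLE = """\
Received: from relay-b.example.com (relay-b.example.com [192.0.2.20])
\tby mx.mailbox.example (Postfix) with ESMTPS id CCC333
\tfor <user@mailbox.example>; Tue, 28 Dec 2021 09:14:20 -0500
Received: from relay-a.example.com (relay-a.example.com [192.0.2.10])
\tby relay-b.example.com (Postfix) with ESMTPS id BBB222;
\tTue, 28 Dec 2021 14:14:15 +0000
Received: from app.example.com (app.example.com [192.0.2.5])
\tby relay-a.example.com (Postfix) with ESMTP id AAA111;
\tTue, 28 Dec 2021 14:10:05 +0000
Date: Tue, 28 Dec 2021 14:03:00 +0000
From: no-reply@example.com
To: user@mailbox.example
Subject: Your verification code

123456
"""

def hop_delays(raw):
    """Return [(receiving_host, seconds_since_previous_stamp)] in delivery order."""
    msg = message_from_string(raw)
    prev = parsedate_to_datetime(msg["Date"])  # sender-supplied creation time
    hops = []
    # Each relay prepends its own Received header, so reverse for oldest-first.
    for hdr in reversed(msg.get_all("Received", [])):
        # The timestamp is whatever follows the last ';' in the header.
        stamp = parsedate_to_datetime(hdr.rsplit(";", 1)[1].strip())
        by = re.search(r"\bby\s+(\S+)", hdr)
        # Clock skew between servers can make a delay slightly negative.
        hops.append((by.group(1) if by else "?", (stamp - prev).total_seconds()))
        prev = stamp
    return hops

def slowest_hop(raw):
    """Return the (host, seconds) pair with the longest wait before it."""
    return max(hop_delays(raw), key=lambda h: h[1])

if __name__ == "__main__":
    for host, secs in hop_delays(SAMPLE):
        print(f"{secs:7.0f}s waited before reaching {host}")
```

The first figure depends on the sender-written `Date` header, and each later figure compares clocks on two different servers, so small differences are not meaningful; multi-minute gaps like those in the sample are.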