Tue, Feb 11, 2020 10:30 AM

Don't use 2-Factor-Authentication

2-Factor-Authentication has great risks; it's a technology where hackers can intercept the codes at the other end or in the air. iMessage codes and email authentications can be intercepted by someone at the other end or in the air, who can then take control of your account. Public radio has advised the public not to use these forms of authentication for online activities! A few weeks ago, Simplisafe started using Webapp for customers logging in to their account and using emails to confirm the accounts; since then, it's a nightmare come true! I worry I can't trust the system anymore and that the system is in someone else's control. Please remove the Webapp and email authentication process to ensure account security!

3 years ago

Is Webapp a third-party app?
Is Webapp handled by Simplisafe or others? Who is handling it? Why use Webapp instead of the Simplisafe website? Are all customers required to log in from the Webapp? Please explain!

2 years ago

I'm sorry, but this post is misinformed. 2-Factor-Authentication, or any Multi-Factor-Authentication, is inherently more secure than Single-Factor-Authentication. Why? It takes more steps to be able to log in. Even if a company were to improperly implement 2-Factor-Authentication, you would still have to know the password, so it would be no less secure than a web service that only offered Single-Factor-Authentication.

Here are the basic factors that can apply in electronic security: Something You Know, Something You Have, and Something You Are.

The classic single factor is just using Something You Know, which is typically a password. Even if you have multiple pieces of something you know required for login (a password, an SSN, security questions, etc.), it's still Single-Factor-Authentication. This can be defeated if somebody has discovered information about you, either through mishandling of your own credentials, or through reusing passwords/other information from a website that has been compromised.

When you add a second factor, you most likely are going to add Something You Have. This might be receiving a one-time code via text message or email, having a pop-up notification on a phone app require you to accept or deny the login request, a token-code-generator app making time-based one-time passwords, having a registered hardware token that must be connected to the device requesting login, or having a one-time link that you have to click to approve the sign-in. By adding a second factor, for someone to be able to log in to your account, they must have possession of the hardware/system that will produce the second verification, as well as knowing your password/other information. Obviously, this will only be as strong as the security you set up to guard your second factor. SMS (text message) is the easiest method to compromise, but is still prohibitively difficult enough to be limited to targeted attacks (you're high profile or high value). Email is the next easiest method to compromise, but this can be made very secure if you're aware of the risks and manage them. One-time-password generator apps are the next most secure option, with very limited attack options. Hardware tokens are the most secure method, many having no known way to defeat or bypass the token aside from the user being tricked into giving away their token.

SimpliSafe appears to send one-time-use links via email in order to verify new logins. Knowing this, you want to ensure that the email you use for this is very secure. The email account I have it set through requires a hardware security token in order to log in. A second token is securely stored in the event of theft or loss of the first token. There are no other recovery methods, meaning that someone cannot bypass that second-factor requirement even by having a lot of information about me.

Something You Are is a relatively uncommon authentication factor at this time. This may be a fingerprint, a live camera image of your face, a retinal scan, or hypothetically a saliva sample or anything that can be used to read your genetic sequence. Many phones now allow the use of fingerprint scans, and many phones and computers have higher-quality camera systems that can accurately perform depth measurements of your face to use it as a reasonably secure security factor (iPhones, new Windows computers with Windows Hello, etc.).

Obviously, with these, the more factors you utilize, the more secure a system can be. As well, the more factors you utilize, the more inconvenient a system will become. My recommendation is to ALWAYS use unique passwords at every site you visit, and always register the most secure 2-Factor-Authentication method you can utilize. Remember that your security is only as strong as the weakest link. For example, if you register for SMS 2-Factor-Authentication AND hardware token 2-Factor-Authentication, someone can bypass your hardware token's high security by compromising your SMS messages (even if your phone itself is very secure).