
Tue, Jan 15, 2019 5:10 AM

Feature Request: 2 Factor Authentication and Improved App Security

While I'm pleased with the Simplisafe system overall, I wish that as much attention was paid to digital security as physical security. The Simplisafe website allows access to disarm any component, change billing information, view camera feeds in my home, and remove any component, yet it is only protected by a password. The video from my camera could potentially be used to blackmail me (in the same way that hacked webcam video is), and a sophisticated burglar could easily profit from disabling my alarm remotely, then taking advantage of my false sense of security.

Industry standards for sensitive data such as banking and email are rapidly moving towards general support for 2 Factor Authentication, at least by text, and ideally by a password generator app (which is more secure). Ideally, I would like the ability to use a Yubikey or similar device to authenticate myself, and to have access to a login history list for the website with timestamps and IPs.

It's worth noting that these features can only benefit Simplisafe too, in the event of a data breach of user passwords from their system. I'm sure your information security team knows that this is likely to occur at some point, and having 2FA in place would potentially prevent access before the breach is discovered. Or a criminal may gain access to an online account by trying top-500 passwords or a password that was exposed in a prior data breach.

Lastly, it's worth noting that there is even less security on the mobile application, since the standard usage is to leave the app user logged in at all times. Login timeouts would be a helpful feature, or at least the ability to require that the app is unlocked with a fingerprint scan before each use. At present, it would be very easy for a stolen phone to grant access to all the functionality mentioned above. Or an intruder could disarm the alarm if they grabbed a user's phone during a break-in.


4 y ago

@farragut0977 - in my case, I am not convinced 2FA is required vs nice to have. I don't have any indoor cameras (yet), so I see some risk if my account is compromised. I have a SS to keep the "stupid criminals" out of the house. The smart criminals aren't (in my (not so) humble opinion) going to be stopped by a SS system. I am not looking to give away what I have, but understand I could lose some "stuff."

As for your solution of the Yubikey, I don't know anything about it, including price, but requiring additional hardware by the user will increase the complaints (LESS than a data breach), not to mention the cost (dollars and time) for SS to build in the support for such a device in the backend system.

3 y ago

A great use case for having 2FA is if your account is compromised and the alarm is turned on and off in the middle of the night. For a home security company, this is absolutely negligent on their part.

For this discussion, losing things is outside of the scope of concern. Financially speaking, home insurance can cover losses for the replaceable items, but you're SOL for sentimental items. The main concern is that someone is able to completely control your alarm and watch your video remotely and without setting foot in your house. There are numerous videos on YouTube with homeowners talking to people who hacked their video doorbells (Ring or Nest). The alarm system is just one-way: the attacker can blare your alarm and you have no idea who's doing it (some kid who's playing with your phone and doesn't know what it does, or an attacker).

In any case, this is a massive issue for those in and outside the house when such an event occurs. This is for the engineers: it's important to consider that not everyone wants to be watched or harassed with an alarm. I honestly cannot believe a product was released without any apparent consideration of use cases and security issues that may arise from a lack of due diligence.

3 y ago

For a security engineering business, 2FA should absolutely be one of the features built into the system, at the very least for web login. Whether an individual uses it or not is down to them, but no reason not to. Yubikey or FIDO would be great, but TOTP at the very least. It's free for users, and minimal to implement for Simplisafe...

Really great explanation from yelledsokiema on the reasons why...


3 y ago

I understand 2FA as an added security measure, but how many sites do you visit a day without it? The online account connection is encrypted before it is sent over the internet.

Advocate


3 y ago

^ Any website that contains personal identifying information, and those who also sell your PII to third parties, should be doing 2FA; there is no excuse not to. (Yes, users can opt out.)

We are in an era where hacking, phishing, brute force attacks and DoS attacks are the "new normal", and where everything about you is sold to the highest bidder, whether another company or an underground hive of scum. I, for one, am sick and tired of businesses not taking website security and data security seriously.


3 y ago

Bumping this - this is a much needed feature!


3 y ago

We need 2FA.


7 m ago

My account has been hacked and the hacker has all my info, and I need the 2FA system to be activated so I can block them out and get everyone out of my email. Can anyone help me?

Community Admin


Hi 05windbreaker,


Multi-Factor Authentication via SMS can be enabled through the SimpliSafe App, by navigating to Menu > Manage Account > Multi-Factor Authentication.