
Comments

12 comments

  • Official comment
    Scott Riesebosch

    Thanks Eric. This feature request has been captured.

    Scott

  • Sam E

    Any updates on when this will be implemented?

    1
  • Scott Riesebosch

    Hi Sam,

    On iPhones we added the ability to use Face ID at least as a starting point. So you can actually stay logged into the app and it requires Face ID to launch the app. If you are on Android we didn't implement it there yet.

    The 2FA login wasn't something we got a lot of requests for so we didn't go further than Face ID with it for now.

    -2
  • Jon Welters

    The Face ID is nice, but if somebody just had the password they could log into an app on their own phone and open the door. I agree with the original requester: multi-factor authentication is really a requirement for an app like this at this point.

    2
  • Sam E

    Scott, thanks for the note. But 2 factor is not the same as a convenience option for login. I was hoping you would make it more secure, seeing as how it provides access to people's homes. Jon hit it right on the head. If someone got your password they could log into the app on their phone and they would be able to open and close your garage door. If 2 factor is not an option, maybe an integration with a service like Google, which would essentially implement 2 factor. For example, in order to log into my Google account on a new device it performs 2 factor auth because I turned that on for my account. Seems like this is somewhat of an industry standard now.

    0
  • Scott Riesebosch

    We've been discussing this. Due to the fact that we have customers in more than 30 countries, using SMS for 2FA isn't a viable option for us. So we are thinking of allowing users to turn on 2FA in the app. When they turn on 2FA they will be asked to provide a PIN code and answer 2 security questions.

    Then any future logins would require the PIN code as well as the password.

    If you forget the PIN code you can answer one of the security questions to reset the PIN code.

    Would this be acceptable?

    0
  • Scott Riesebosch

    There are 3 generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.

    We are also thinking Password + Fingerprint or Face recognition required to log in to the mobile app if 2FA is enabled.

    Scott

    0
  • Sam E

    Scott,

    The second PIN is not 2FA because it is just two things you know. An email confirming you are logging into a new device, or some other sort of 2FA, would be best. FaceID is not true two factor. For example, on one phone I could use my face, and the person who steals my account would just need their face to get in on their phone. Seeing as how FaceID is not centrally stored, it does not necessarily ensure that it is MY face. What FaceID on your phone tells you is that the person who knows the password has this face. It is more for follow-up logins on that device.

    Email is really the cheapest version of two factor, and it works in all countries.

    Sam

    1
  • Michael Teator

    SMS is considered broken for 2FA these days and is nearly an anti-pattern. Email and 2FA token platforms like Google/Authy/Duo/etc. are the easiest and cheapest options.

    1
  • Preethum Prithviraj

    The 2FA time-based token app generating systems are my vote. Flexible enough that they can be used by any app the user prefers and slightly stronger than email as the 2FA method, as it's a separate method from an already associated account, and if the email is compromised, so is the password reset process. Email is a good second option and acceptable, but I agree with the others, SMS isn't a good option at all for 2FA anymore.

    1
  • cowardlyginger

    Another vote for this, particularly for time-based one-time passcodes, which are highly flexible with support for lots of MFA apps and password management systems and also solid from a security standpoint. SMS is a step down, but still better than nothing, and email below that.

    0
  • Scott Riesebosch

    cowardlyginger please email me at scottr@gotailwind.com so we can connect on this.

    0