Account Security Options?


(Joseph Wilbur) #1

New customer here. Just got a basic setup installed with some open/close sensors on my windows and doors to monitor my home and send a push when an intrusion is detected. I’m liking what I see so far, especially with the ability to arm/disarm based on the presence of my cell phone (or wife’s cell phone).

Now that I’ve got everything set up, I was wondering if there was a way to lock my account down to prevent logins from new devices. The biggest hole in my system that I know of is that my system is available to anyone who can guess/crack my password.

I’ve read several requests for 2FA, which I would love and would be a big step in this direction, but in addition is there a way to lock my account to prevent new devices from connecting? Since my wife and I both have our devices connected now, it’s not likely I’ll be connecting more devices in the short term, and when I do I don’t mind jumping through extra hoops (security questions, email validation, etc).

Any way to make this happen now? If not, any plans to add it in the future?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #2

There are so many risks to having “full” access to the mobile App (there is no (?) granular, partial-scope access yet…) that I’m wondering what concerns you, in particular, about the “Add Device” function?

Frankly, the “Add / Configure SmartApp” function is a much greater risk, since it can grant access to third-party services that can silently monitor all of your activities and control all of your devices – even if you subsequently change your password!


(Joseph Wilbur) #3

Forgive the noob, but I think that’s what I was trying to ask, but might have used the wrong words.

As I understand it now, there are only two devices from which I can make any changes to my system/setup: my phone and my wife’s phone. If I want to do anything, whether it’s arming/disarming the system, adding a new thing, or adding a new Smart App, it has to be done from one of those two devices.

I’d like to be able to keep it that way. If any browser, phone, Chinese hacker, bored teenage hooligan, etc. wants to log in to my account from anywhere other than my phone or my wife’s phone, I’d like to make it at least slightly more inconvenient for them.

Does that make sense?


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #4

Ah yes… Now I understand. I thought you meant preventing adding new Things to your Account!

“Logging in from a new mobile device or browser” is a red-flag alert or confirmation condition option in many platforms such as Google and Facebook (but not Amazon.com, I don’t think).

It’s definitely something SmartThings should consider, right @jody.albritton & @slagle?


(Joseph Wilbur) #5

I guess I can infer from the silence that I can’t do this now? Are there steps anyone else has taken in this direction?


(Matt) #6

I came across this doing some searching as the login security was a concern of mine. I don’t know to what extent Samsung has gone to protect their system, but there are big breaches of major systems these days, so wanting a 2nd method to protect things, when this is our home security and we may have cameras and other things we want to ensure are secured, makes sense.

So I guess I’m bumping this in hopes there may be something new. Two-factor auth would certainly be a step in the right direction, as well as notice (I’m not aware if one exists) and maybe even authorization for a new device to log on using your SmartThings account?