Is there really still no Multifactor authentication? (MFA/2FA)

I’ve been a longtime zwave user, but have only been using Smartthings for the past year. I’ve been holding back on switching over my locks and garage doors to something I can control via Smartthings, but this is holding me back. The day and age we live in, we have MFA available for most cloud services. If it’s still not available, Smartthings just needs to pick someone to federate with for logins, such as Google or Microsoft and just allow us to force login through those accounts to authenticate us.

MFA is by far the most important security feature of ANY online service. Is there some sort of official response to this topic that I may have missed?

Not yet. I’m guessing they are waiting until they fully merge their account management with Samsung. They’ve started this process with the IDE, so maybe we will see 2 factor auth soon.

1 Like

Yes it is true. This platform that they claim provides safety and security is not very secure.

1 Like

I almost wish Google bought Smartthings instead… at least we wouldn’t be waiting around for MFA…

It may be “most important”, but a major consumer electronics company doesn’t design & revise their products based on what is important; it is all and only about ROI (return on investment).

Simply ask this question:

  • If SmartThings adds 2FA, how many incremental sales will that generate? (i.e., Sales that would otherwise not have happened or customers who would have gone to a competitor…).

Answer:

  • The potential incremental revenue is minuscule. Development cost is not justified.

BTW: Can you name the major competitor(s) who offer 2FA?

That reply seems a little hostile… So are you saying that companies that make money shouldn’t invest in security if it doesn’t give them ROI? Perhaps Samsung should just wait until there’s a major data breach with SmartThings where our passwords leak out and people are able to look up the exact location of our homes and unlock our door, or look at our cameras? That way they’d have an ROI reason so they don’t lose customers.

The issue isn’t to have MFA so people can use weak passwords and still be secure. This is about making it so if someone is able to compromise SmartThings servers, there’s still a barrier for them before they can actually get into our systems.

When you’re providing a service, especially one that has loads of data on their customers and offers actual home security, companies need to be responsible and take security seriously.

Name a competitor that has MFA? Apple. Homekit support may pale in comparison to Zwave and Zigbee, but at least no one’s logging into my apple account with ‘just’ my password.

No hostility was intended. I’m merely stating the facts of business.

Indeed, calculating the risk of customer loss due to a data breach should be incorporated into the ROI equation.

I posit, however, that the cost of even a “major” breach (the exact probability of which is difficult to calculate), would not be substantially reduced with 2FA availability…

### Why not?

  1. Because the vast majority of Customers would not use 2FA unless it was mandatory, and, making it mandatory risks customer loss on its own.

  2. Because businesses have survived substantial breaches with affordable consequences (e.g., Target’s loss of credit card numbers, Wells Fargo’s loss of highly sensitive personal information including social security numbers, etc., etc., etc.).

In other words: Put yourself in the shoes of the executives who have to make this decision. But that’s impossible, because we don’t have the market research data, nor the competing list of priorities, to determine the level of investment required, and the cost and/or benefits of implementing or not implementing this feature.

A slight incremental increase in security does not trump the hundreds of other priorities that SmartThings has on its plate.

2 Likes

You have to consider too that most of the people here using SmartThings are going to be a bit more advanced than the average consumer. I completely understand that ‘most’ will not use MFA initially, but MFA’s major problem in the past is that it was rather annoying, no one likes punching in a bunch of codes that you’re reading from your phone. However, now that most of the premier MFA solutions simply send a push notification to your phone (or watch) and require a simple press, it provides the greatest increase in security since the original uses of passwords :stuck_out_tongue:

With this in mind, and the fact that more and more people will be using smart doorlocks and garage door openers, I can see MFA adoption picking up quite a bit of steam in the userbase, especially when word spreads.

Lastly, federating with someone like Google to allow for ‘Login with Google’ used to always be free. If it still isn’t, I’m sure it costs very little compared to building out a custom MFA solution like devs used to have to do. All we’re talking about here is a little devtime for a huge amount of added security.

Besides, they’d be able to advertise how serious they are about home security and gain additional customers.

1 Like

It’s not me that you have to convince, as I’m just being Devil’s Advocate. :smiling_imp:

But SmartThings is the devil here; we all know how long it takes them to implement simple and complex features (or decline to implement them).

I assert that they have reasonable and substantial reasons for deferring 2FA indefinitely and would advise not holding your breath.


Federation with Google for logins is under consideration for ActionTiles, thus leading to the option for our customers to choose 2FA of their Google account.

However, we have had minuscule qty of requests for this (<0.01%). It’s not going to the top of our feature queue anytime soon.

No, I get it, I would just love to have some kind of official response from them on it.

This kind of discussion is what people need to be aware of however. If SmartThings goes the Google Login route, it’ll just make everything easier. I’m going to be trying your ActionTiles fairly soon to put my old Surface 2 to good use, but I’m not switching my door locks over until there’s some MFA :frowning:

Believe me, I’m not being facetious when I ask (as I’ve asked dozens of Community members in the past…) exactly what do you want SmartThings to say? And… What do you expect them to say???

  • They can’t promise a particular feature or even say they are considering it without folks here demanding to know the deadline and jumping down their throats if the deadline is missed or the feature is cancelled.

  • They can’t outright state that the Feature is “out of the question” because that would alienate some potential Customers who hope it may eventually be added (and, I doubt any Feature is outside the realm of possibilities, so it would be inaccurate to announce differently).

  • They can’t say it is on the roadmap with a specific date without giving away a strategic advantage to their competitors.


Thanks for trying ActionTiles!

If MFA is important to you, please be sure to post and promote it on our Feedback Forum: ActionTiles Forum / AT Support & Ideas

1 Like

Security is a bit different, especially when it comes to a system that can unlock your doors and open your garage door. Just because everyone else sucks just as much when it comes to MFA/2FA doesn’t give them an excuse. I don’t expect them to say anything, I expect them to do something.

### I’m going to make an obnoxious and pedantic statement here, but no disrespect intended:

  • Do you expect them to do something, or do you just want them to do something?

I personally avoid expecting anything; life is a lot less disappointing that way.

1 Like

I expect them to.

Better yet, I expect any person that works there that has any influence on design / backlog to demand they put this into their product.

I am not going to lower my expectations, it only leads to mediocrity.

I admire your… patience.

Besides being an obvious potential feature, 2FA was proposed nearly 3 years ago (and probably before that…), by a person who has subsequently become a SmartThings employee for quite a while now too.

Nest / Google home

1 Like

Amazon, Apple

1 Like

Really? I was unaware of this.

I don’t see a 2FA option in the Alexa App…?

@tgauchat

1 Like

Thanks for the Amazon reference…

  • I wonder what proportion of Amazon customers use it?

  • I wonder how much that proportion goes up for those using Amazon’s home automation related stuff? A quick Google doesn’t reveal any studies.

  • And… unfortunately… SMS has been proven to be a very weak choice for multi-factor authentication. Certainly better than nothing, and I’m guessing companies choose it because it is easier than educating customers on how to use an authentication app (like Google Authenticator - used by many tech vendors like GitHub, Digital Ocean, LastPass, VirtualMin, etc., etc.), or their own App (like Facebook).