SmartThings iphone touch id not really secure?

Set up Touch ID on the SmartThings app (iOS 11, iPhone and iPad) - failed to authenticate (my finger was soiled, understood). SmartThings app reports an error and takes me to the login screen immediately:

  1. Annoying - I should have several attempts before this route is chosen.
  2. On the login screen, I put in my username - got authenticated immediately - I guess because my credentials (password) are already cached on the device due to normal use of the app.

The result is that I got logged back in without passing the touch-id authentication. Basically anyone can hack into the app by: 1) failing with their fingerprint which is obvious as they are not me and 2) inputting my email as the user id and voila, they are in the app.

Seems insecure, not the right intended behavior and worrisome given the amount of personal security trust we are putting in the system, no?

Appreciate feedback as to what I am missing here. Thanks

Hmm, I failed to authenticate as well because my finger was wet… I was sent back to login, but it didn’t allow me to bypass the password. This of course made me immediately disable the fingerprint - I didn’t want to have to log in any time the Touch ID failed because that’s annoying as hell. It should let me retry the Touch ID. I’m not sure why mine didn’t behave like yours.

I’d really rather it gave me a few minutes grace between openings of the app (say, 5) as well, because I often open and close and then quickly reopen because I forgot to do/change something inside the app.

Yikes!

Definitely report it to support as a bug.

https://support.smartthings.com/hc/en-us

Make sure you tell them what model iPhone you have as well as the iOS version.

Your phone is locked down so no way to get on it and access the ST app without your fingerprint or face id (iPhone 8/X)

So I just tested this on an Android.

  1. I am already logged into ST
  2. When I reopen the ST app I am presented with the fingerprint auth.
  3. If I fail 5 times in a row, then I am presented with a screen to enter my system Pin code.

  1. If I enter that 4 digit code, I am taken right into the ST app without an issue.

So this works great!

However, now that the failed attempts are already registered, each time I open the app, I get the pin code screen instead of the fingerprint auth.

The only way to clear it so that you can enter your fingerprint again is to log out of the ST app, or to disable Fingerprint authentication in the ST app and tap Done, then re-enable it in the ST app and tap Done.

Other than that, the fingerprint auth is solid on Android.

If you had Fingerprint Authentication set up on your device, period, in order to unlock it, then to me you really don’t need the fingerprint auth on in ST. Just make sure that when your screen goes dark, you lock your device immediately.

I did experience the same issue yesterday as the OP stated. My finger was wet and it immediately took me to the login screen. But I haven’t needed to use my password on the ST app on either the iPhone or iPad since I migrated to Samsung’s account a few weeks back. Also, when I choose sign out in my ST app, I only need to enter my email address to get back in. No biggie for me since my devices are locked down.

@jkp - Plenty of ways to get to it depending on timeout settings for phone and not really the right workaround for a failed implementation / bug in the software. Behavior should mimic every other app that has a touch-id / face-id preference setting and not really allow this behavior to bypass a failed authentication at the app level.