Good observation and certainly worthy of consideration for homes that are using a SmartTiles dashboard for arm / disarm control.
The ability to restrict a portion of a Dashboard (such as changing Mode, SHM, Routine execution, or … any Tile for that matter) via the requirement of a PIN or other authentication mechanism is a feature request that we have open for consideration based on several requests. Implementation is not likely to be considered for quite a long while, though, as our efforts are focused on the application refresh overhaul “V6”. That new platform will provide a stronger foundation for us to implement certain types of enhancements.
Your observation is super appreciated, actually, as it brings up an interesting idea to enhance the aforementioned authentication concept: i.e., that the authentication requirement on dashboards within the home could be defined to be “enabled” only when the home is “Armed” or “Armed - Away”; since logically some families could safely presume if the home is not armed, then the risk of an intruder using the dashboard is low to non-existent. Great concept, I think, right?
In the meantime, we strongly recommend that anyone who uses a SmartTiles Dashboard that has any sensitive information or functions on it be sure to enable the password, PIN, or fingerprint locking applicable to the tablet or smart phone.
Since SmartTiles is often used on tablets or phones that have NFC and/or Bluetooth readers, you may find a utility for your device that will automatically unlock based on the presence of an NFC tag or Bluetooth device. This might eventually layer into the “mode or tile-specific” locking features under consideration.
It’s worth noting that SmartThings’s own native mobile App does not have a timeout of any sort. Even if you change your password via another device or the graph.api website, all mobile SmartThings sessions remain fully logged in. This is a substantial risk if your phone or tablet is lost or stolen.
SmartTiles, however, provides a “reset token” option to immediately invalidate any specific child dashboard URLs.