Add 2FA to Rachio Account

Gerardv514 · June 9, 2021, 4:25pm

Please add 2FA capabilities to the Rachio account/controller/app.

Gene · June 9, 2021, 7:52pm

If you do, please don’t make it mandatory. Especially if authentication apps are not supported (as in 2fa via text / email only). And please, please, please don’t add a nagging screen asking for 2fa to be activated on the accounts who choose not to do so.

Sorry, sore subject for me. I prefer random, secure, dedicated email & password for each account, generated / managed by a good password manager. Having 99+ unread sms messages due to 2fa keys I’m forced to use is slowly getting under my skin. I can’t tell if I’ve missed a message from someone, just because I don’t go through the trouble of actually clicking on each, and every, 2fa message I get. I use the code from preview and the phone is dumb enough not to realize I’m done with it.

Sorry for a rant. Somewhat of a sore subject for me.

Stewart · June 10, 2021, 12:42am

I agree with @Gene . Even if 2FA is enabled, it should be possible for the rightful owner to access the account from a web browser anywhere in the world, without having access to a specific mobile device. Possibilities include alternate 2FA mechanisms such as email or answering security questions.

vgrund · June 10, 2021, 10:08pm

I agree, this is needed for security, The key to make usable is to support standard authenticator apps. SMS / text messages are no longer secure as a second factor so please don’t implement SMS.

Gerardv514 · June 10, 2021, 10:30pm

I’d say mirror and implement what this community forum has for 2FA; I use an authenticator app.

vgrund · June 10, 2021, 10:39pm

Right. That’ll do nicely.

scorp508 · June 11, 2021, 11:47am

+1 for MFA (Personally I prefer Authenticator apps)

However, there needs to be a way to preauthorize 3rd party app integration.

I have to keep MFA disabled on some things as once enabled it no longer integrates with our home automation software due to a lack of preauthorization options. With MFA enabled on Rachio and no way to preauth it would likely break my HomeSeer integration.

Microsoft “app passwords” is one of a few examples of how to do this.

vgrund · June 11, 2021, 11:51am

Agreed, the app-specific password approach is probably the most suitable for Rachio.

It’s a pretty big deal to have some additional controls on Rachio. Security breaches have the potential to quite expensive and problematic.