Solved

Why do mews want me to change my security settings?


jones.eth
Senior Guru

For weeks Mews has been bringing up a popup every time I log in that demands I change my 2FA security settings from app to e-mail verification.

Not only do we have special hardware and systems in place that use the app verification, I also think that e-mail verification is less secure.

Why does Mews want me to change that setting so aggressively to a less secure solution, and is there an option to disable that? It's just so disruptive.

 

Best answer by Rui Oliveira

15 replies

mauritsbots
Senior Guru
  • 224 replies
  • April 1, 2025

Agreed!

2FA is already mandatory, so 'forcing' this so much is very obsolete and a nuisance.


  • Helper
  • 9 replies
  • April 2, 2025

It is also annoying that the X, i.e. closing this message, does not work. When you click on it, you are taken directly to the setting to change it.


  • Helper
  • 14 replies
  • April 2, 2025

Agree! Isn't the 2FA app more secure than an email link? And I cannot close the pop-up message, it takes me to the settings every time.


Rui Oliveira
Mews Employee
  • 12 replies
  • Answer
  • April 3, 2025

Hey Mews Community!

I am Rui, the Product Manager of the Users Team here at Mews.
Our team is responsible for Authentication, and therefore for all login security features.

Thank you very much for bringing your thoughts and concerns to us. I totally get why there's some curiosity around our focus shift from 2FA by authentication apps to 2FA by email links. I'm here to shed some light on this decision and hopefully ease any worries.

Why Email Links?

Enhanced and Lasting Security:

  • Our data shows that phishing attacks have targeted accounts using traditional 2FA by authentication apps. 2FA with authentication apps requires a 'middle-man' stage, where users have to manually enter their code, and this is the step where phishing can potentially occur. 
  • With email links, once you click, you're seamlessly kept within the Mews domain. This drastically reduces the risk of phishing, as there’s no chance of entering a sensitive code on a fake website. The simplicity of the email link approach enhances security by minimising stages where phishing could potentially occur, while ensuring your protection without any compromise.

  • Simplified Experience: Email links offer you an easy, one-click verification without needing to switch apps. That's less room for error and more consistent protection.

We're committed to providing a smooth and secure experience for you. If you’ve got more questions or need further clarification, shoot them our way! Let's keep this conversation going.

Stay safe and connected!

Cheers,
Rui 
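The two mechanisms Rui compares above, shown as an added, runnable example (this is not Mews code and does not describe how Mews implements either flow). The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step), and its test values come from that RFC; the origin `https://app.mews.example`, the secrets, the timestamps and the 10-minute link lifetime are constructed for the demonstration. It shows why a TOTP code typed into a look-alike page can be replayed by the attacker within the validity window, how a single-use, expiring e-mail link token removes that step, and the caveat raised later in this thread: whoever holds the link (for example, via a compromised mailbox) can redeem it, so the mailbox becomes the thing to protect.

```python
"""Added example, not Mews code: TOTP relay vs. single-use e-mail link token.

Assumptions (all constructed for the demo): the origin https://app.mews.example,
the shared secrets, the timestamps, and a 600-second link lifetime.
"""
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlparse


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps implement."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpServer:
    """The real service. Accepts the current 30s step and the previous one (usual clock-drift tolerance)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(code, totp(self.secret, now - drift)) for drift in (0, 30))


def phished_totp_login(server: TotpServer, secret: bytes, now: int) -> bool:
    """The 'middle-man' stage: the victim types a valid code into a look-alike page,
    and the attacker forwards it to the real server a few seconds later. The code is
    not bound to the site it was typed on, so the real server accepts it."""
    code_typed_on_fake_site = totp(secret, now)
    return server.verify(code_typed_on_fake_site, now + 5)


class MagicLinkServer:
    """Issues e-mail login links carrying a random bearer token that is single-use and short-lived."""

    ORIGIN = "https://app.mews.example"  # assumed origin for the demo, not a real Mews URL

    def __init__(self, ttl: int = 600):
        self.ttl = ttl
        self.pending: dict[str, tuple[str, int]] = {}  # sha256(token) -> (user, expiry)

    def issue(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked pending-table does not yield usable links.
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (user, now + self.ttl)
        return f"{self.ORIGIN}/login/verify?token={token}"

    def redeem(self, url: str, now: int):
        """Returns the user on success, None if the token is unknown, already used, or expired."""
        token = parse_qs(urlparse(url).query).get("token", [None])[0]
        if token is None:
            return None
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # one-time use
        if entry is None or now > entry[1]:
            return None
        return entry[0]


def browser_click(url: str, real_server: MagicLinkServer, now: int):
    """Models the click: the browser sends the token to whatever host is in the link.
    A link that points at a look-alike host never reaches the real server, and there is
    no code for the user to type anywhere else. Note the flip side: anyone who obtains
    the link itself (e.g. by reading the mailbox) can redeem it before the user does."""
    if urlparse(url).netloc != urlparse(real_server.ORIGIN).netloc:
        return None
    return real_server.redeem(url, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP relayed via fake site accepted:", phished_totp_login(TotpServer(seed), seed, 59))
    srv = MagicLinkServer()
    link = srv.issue("alice", now=1000)
    print("first click:", browser_click(link, srv, 1100), "second click:", browser_click(link, srv, 1101))
```

The TOTP side passes because the server cannot tell where the code was typed; the link side refuses a second redemption and anything past the lifetime, but it is still a bearer token, which is exactly why the thread's later point about the e-mail account being the single medium matters.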


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

Hey ​@Rui Oliveira, those are actually really interesting thoughts. I still don't know why this prompt has to be so annoying. We have reasons why we use 2FA the way we do, and you should allow your users (admins) some independence regarding these settings. We have a pretty effective system in place to handle 2FA securely and within defined boundaries.

Also, 2FA on employees' devices (whether classic or via email) should be a real security consideration. Social engineering is a real threat because users tend to take the fastest/easiest way through these processes; that's where all these "123" passwords come from.

I am wondering why you place so much control over this on the employees' side and so little on the administrative side … admins should decide about the security handling of their property, not the individual users.


Rui Oliveira
Mews Employee
  • 12 replies
  • April 4, 2025

Hi ​@jones.eth 

Thanks so much for reaching out again!

You’ve brought up some really valid points, and we truly appreciate your thoughtful feedback. 😊

We totally agree that property Admins should have more control, and we're excited to let you know that giving Admins this power is on our roadmap for this quarter! 🚀

In the meantime, we’re eager to keep everyone informed about the most effective options we have against phishing attacks—data-backed methods that really work. We might come across as a bit "annoying," but it’s all about ensuring safety and sharing the best practices with you!

Thanks for bearing with us and for contributing to making Mews a better platform.

Cheers

Rui


  • Helper
  • 14 replies
  • April 4, 2025

Hi Rui,

Maybe a release note or better messaging with the pop up would be helpful. There is nothing telling you why this is recommended. The annoying part comes with the lack of understanding and that you cannot close the pop up. When you hit close it takes you to the settings anyway. 


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

@Rui Oliveira great to hear that!

What makes me skeptical about the email codes is that the known-device functionality also runs via email. That's one medium for all security mechanisms that attackers have to overcome. In the worst case, this medium could be accessible on a badly secured private device of an employee.

We use classic 2FA with a hardware-based solution, so attackers have to be on site with access to the hardware (or fetch the code via a fake site). In combination with known devices, which we plan to enable next week, that seems pretty secure to me … I don't know what the data says about that.

I'm just a bit annoyed that you want to force us to a solution that seems most likely to be less secure in our case.


Rui Oliveira
Mews Employee
  • 12 replies
  • April 4, 2025

Hi ​@Sam.C and ​@jones.eth 


@Sam.C We'll consider your suggestion, but with security at our core, we really want to drive the change towards more secure methods.

@jones.eth before you activate the Device Authorisation feature, we have something new in the pipeline: Passkeys!

We are just finalising the integration of passkeys, which we'll release on April 14th.

With passkeys we can streamline the login and forget about additional device validation as well as password input all the time.

Would this be something you would consider?


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

@Rui Oliveira already saw that. I like passkeys for personal use very much, but for our employees that's nothing we're going to utilize. For security reasons we don't want any security mechanisms on privately used hardware, and passkeys need exactly that.


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

@Rui Oliveira is the mail for known devices sent to the user that tries to log in, or to an admin / all admins? I really like that mechanism and the simplicity of it, but more control (for admins) over how that exact mail is handled would be great, I guess.


j.spiess
Senior Guru
  • 231 replies
  • April 4, 2025
jones.eth wrote:

@Rui Oliveira already saw that. I like passkeys for personal use very much, but for our employees that's nothing we're going to utilize. For security reasons we don't want any security mechanisms on privately used hardware, and passkeys need exactly that.

Hello!

You can issue security keys (USB), for example YubiKey. We have been beta testing it since last week, and we love it, our employees love it, and it's really easy and convenient. All it needs is an easily accessible USB port, or Bluetooth-enabled computers to allow seamless passkeys with private mobile phones. And you can even use several passkeys per user as needed (hardware token, iPhone, password manager, ...).

Only with Samsung devices as passkey holders have we had no luck so far, but I'm not sure what the reason is…

Regards,

JP.


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

Private hardware is a no-go for us! We don't implement security mechanisms where private hardware is used that may be weakly secured or already compromised.

Maybe there is an elegant solution with passkeys that uses dedicated hardware and is a better solution than our current 2FA workflow.


j.spiess
Senior Guru
  • 231 replies
  • April 4, 2025
jones.eth wrote:

Private hardware is a no-go for us! We don't implement security mechanisms where private hardware is used that may be weakly secured or already compromised.

Maybe there is an elegant solution with passkeys that uses dedicated hardware and is a better solution than our current 2FA workflow.

Absolutely! YubiKey with passkeys is king! :-)


jones.eth
Senior Guru
  • Author
  • 201 replies
  • April 4, 2025

Definitely going to have a look into that 👍.

