Security measures & User Privileges | Possible improvements

Significantly more granular user privileges + IP whitelisting would be ideal for us.

Hello, 

Those are all excellent points and I would like to add that we should be able to decide which users can login via the app. 

Thanks!

Very nice list @Eric Kröll, thank you!

Adding as ideas

Certificate based access
Make a security certificate available on the marketplace / or elsewhere per property, which an admin user can download to install on all permitted PC’s / Laptops

2FA with verification code
The Microsoft principle - show the user a verification code which they need to enter into Authenticator App

OAuth2 with APIs
Change APIs to OAuth2 with limited life token

Cheers, Marc

Dear Eric,
It is some valid points in there. I think we have been teased with more granular privileges for a while now so to me this is very interesting that it get looked at with security in mind!

Geo-Blocking should be effective together with IP-Whitelisting!

Have a great day!
 

Hi Eric,

thank you for the detailed overview.

The topic of passwords in particular is always difficult to implement in a team. There are still the classic 45678 password friends.

That's why I think it's good if there is a length and character specification for the password and the regular renewal. 

Best regards!

I like the way you're thinking @Eric Kröll! To add something to the topic of user rights; the description and explanation of the current rights are very, very vague as well. Sometimes we had to tick a privilege and test to see if that's the tickbox we needed. 

In addition to that, we would prefer not all admins being able to have access to the Marketplace. If an admin account is hacked, a hacker would even be able to disconnect or connect an integration…. with all consequences that entails. 😩

@Carin any suggestions? 

Redefine User privileges

Better privileges is a good thing but i dislike generally restricting export features. These seem to be already pretty weak in Mews. Maybe just use some kind of internal hardening where users have to authenticate again or differently for certain especially sensitive actions.

Geo-blocking

Thats a great feature. Maybe global and overwriteable on user or role basis.

IP Whitelisting

Would be awesome for us but i think for many others thats not applicable. Would be nice if that could be set global and on user and role basis.

Account Lockout after X failed login attempts

I hope brute force protection is already in place.

Regular password changes

I hate that. I really think thats just good in theory … in reality users tend to do really weak passwords that are easy to remember because of this.

Access to Logfiles for Admins

I really like the out-of-the-box mentality of mews and logs should not be something that normal users have to deal with. Mews is offering this service and should be responsible to have a secure platform. Monitoring for any security breaches is definetly something that Mews has to do!

Lockout/Logout time (defined by admins)

Could be usefule. Would be great – as most of the time – to set this globally and on user or role basis.

New Login Devices

I like this feature because these mails shouldn’t be happening that often.

Perfect ideas Eric!

Geoblocking and Logout times sound especially relevant to us. But all your mentioned functionalities are great security increasing ideas

Hi Eric,

It’s great to see this topic being addressed!

Let’s be honest—security is rarely the most exciting part of operations, yet it’s essential. And, as we know, there’s no one-size-fits-all solution. From my perspective, there are three main aspects to focus on for security in this area:

1. Access Control: Ensuring only the right individuals have data access.
2. Data Availability Limitation: Minimizing accessible data in case of unauthorized access.
3. Access Insights: Gaining clear visibility into data access.

Here’s a bit more detail on each:

1. Access Control

This starts with a strong password policy—12 characters minimum, with numbers, punctuation, and more. A password manager makes length irrelevant since it can handle longer passwords without issue.

I’m also cautious about short password lifespans; they often result in weaker passwords where users just add numbers or slight variations, which research shows can reduce security rather than improve it.

Geo-blocking isn’t highly effective in my experience, as it’s easy for malicious actors to bypass. Instead, whitelisting combined with user groups is a much stronger approach. For example, we could restrict login permissions based on on-premise access for specific departments, while managers and higher-level employees could be granted broader access. Auto-logouts based on user group can also add an extra layer of protection.

A direct link for SSO significantly simplifies access. We provide users with a link that bypasses the login process, granting direct access to the Mews dashboard. Although it’s not a strict security measure, it reduces opportunities for malicious actors to intercept the login stage. If a re-login is required, users tend to use our provided link, which is faster and easier than the standard login procedure.

2. Data Availability

More granular permissions would be a major improvement, allowing us to limit data access both by function and time frame. A permissions structure at the chain level would also be extremely helpful!

3. Logging and Monitoring

When it comes to security, logging is crucial. It provides vital information, not only to actively manage a breach but also to evaluate the impact and address affected users proactively. Without robust logging, incident response becomes a guessing game, so comprehensive logging is key to informed decision-making.

There’s also a fourth critical aspect: Onboarding, Offboarding, and Account Sharing. Often, user accounts remain active even after someone has left, which is commonly overlooked. Implementing a block for accounts inactive over 4 weeks, with a notification to the manager, can prevent unexpected access issues.

Account sharing presents additional challenges, especially with external roles like night guards and housekeeping, resulting in many one-time users. Currently, we use SSO to streamline onboarding and offboarding, and our IdP logging aids this process. With SCIM in beta, I’m looking to further refine user account management soon.

Let me know if you’d like to discuss any of these points further or need additional insights.

Ivo

Let me second that and @Eric Kröll ideas, and add Passkey authentication.

Furthermore, please no regular password changes - that’s just … garbage. ;-)

Regards,

Jean-Philipp.

hey folks - love the thoughts on this, thank you!  I head up our Platform & Security Engineering teams at Mews, and am happy to engage :) 

There is perhaps an opportunity for us to better share our plans around our security roadmap, as a number of these things you folks surface are on the roadmap for 2025.  I'll respond on each of the points below based on experience - some of these are just personal preference, and things we are exploring together in Mews.

Refine User Privileges
We agree that there are opportunities here.  Both Identity (who a user is) and Authorisation (what a user can do) are being addressed in 2025, and we are going to be addressing all of this within the maturing of our product in 2025.

Geo-blocking / IP Whitelisting
My own personal experience is that these are light friction rather than things that I've seen contribute positively to security posture.  Attackers adapt quickly to these controls, and alter their attacks quickly to bypass these.  That said, we will indeed be looking more broadly at anomaly detection here to better support patterns of traffic that may be malicious, and we will be doing more to protect Mews customers via this mechanism.

Account Lockout
This can be useful.  In respect to the phishing incident we've seen recently, this would not have helped directly (routinely, hotel employees were handing their valid credentials to the attackers on phishing sites, so didn't require more than one login), but we'll explore the options here for sure.

Regular Password Changes
This is routinely not advised by security groups as users are unable to maintain the cognitive load of complex passwords easily, and so tend towards more insecure passwords (mysecret1, mysecret2, etc.). The better recommendation here is an effective password manager (e.g. 1Password).  [NIST recommends password resets only when a known breach has occured, or every 365 days, though a password manager is more important here]

Access to Logfiles for Admins
We agree - the activity log within the product is the aim for this, though we should mature this tool to include more areas of the site, and more usage patterns.  Utopia would be a self-serve solution, though we naturally need to make sure that we provide a tool that is fit for purpose on this so that our customers can get to useful data quickly.

Lockout/Logout Time
Session timeouts can be a useful security mechanism, and should be considered for sure.  Again, in relation to the current phishing incident, this would not have helped directly, but we agree this is worth considering and it is on our discussion list for 2025.

New Login Devices
We agree, and in the coming months this will mature significantly to better support both device detection, but also device authorisation (active action needed to approve a login).  This can have a huge impact on security posture for a hotel.

Authentication/Authorisation Extensions
We love the additional points raised around additional patterns of 2FA etc. are all on our list to be evaluated into 2025 also, thank you.

I love the discussion on this though, thank you! Please do keep the ideas coming!

@Eric Kröll love the topic. Thanks for opening that up here. Ever since we signed up (in 2017!!) we were told this was top of the prio list, so @Terry Brown no pressure there but its taking time ;)

Cant say i have much to add to the extensive list of what Eric and the others have added but am looking forward to the activity thats coming from the security team, as we are all anxiously awaiting this!

Hi all,

i also want to add some points:

• More granular user permissions.
• Avoid to generate major / large exports in Mews for regular staff. For example Reservation Reports with a large timeframe >1 Month or >100 data sets. This should only be possible for Admins.
• Geo Blocking
• IP Restrictions to login only from properties for Front Office Staff
• Track Session Times
• Avoid or track simultaneos logins to prevent attacks.Automatically logout if a second login is registered
• Regular password changes + no easy password like e.g. username, 1234 and last 10 passwords.
• Track Login / Logout time. Yet we only see last login with a day

Best

Linus 

@Linus.Bihn Second that, except regular password changes - this has been proven to not improve security at all!

Kind regards,

JP.

Love these folks, thank you for sharing.

Some of these are on the roadmap already, but I’ve referenced those that aren’t as part of the discussion as we proceed too.

Really appreciated :) 

​@j.spiess We have a passkey beta running right now. Would you like to try it out and give us feedback?

I totaly agree!
The more granular, the better.

It would also be good to remove the option to set individual permissions, to ensure that our preset roles are used.

hello together,

is there any update?

Still there is no user right to make sure only a small amount of users are able to get exports including Email and Phone numbers.

As this is what hackers a trying to get to then send messages to the guests, asking for a new authorization, it is still super important!

Thank you in advance.

Best

Mariusz