2FA Q&A: Get your questions answered by our experts in this post

Hi all, I received a suggestion regarding employee privileges today. Would it be possible to have ‘exporting reports’ as an option to enable for users? 

And do you think this would have an affect in avoiding sensitive information to be downloaded from the system. 

@Jaron Shaya FYI :)

Thanks!

Hey Merel,

Thanks for the suggestion, but this isn’t really 2fa-related. We are looking into rebuilding the permissions framework soon. Keep an eye out next year for news.

Thanks

David

Adding this post to this thread for visibility.

Send authentication code by text/sms. This is the primary way all other apps have 2FA.

Emailing the authentication code takes too long.

Hey Marion,

Is there a specific use case you’re thinking of?

We currently offer 2FA via an authentication app as an alternative, which would be far superior to SMS and email. This app offers an instant 2FA code that is more secure than other methods (as long as you don’t give it to phishing websites) because you need the device to authenticate. 

There are some fairly significant downsides of sms 2FA:

1. It’s vulnerable to sim swapping attacks - where an attacker duplicates/swaps your sim and can receive all messages
2. SMSs can be intercepted in transit
3. Cost - SMS costs money (variable by locale) and aren’t available in all jurisdictions
4. Some people don’t have SMS plans any more (data-only plans).
5. Is another opportunity for phishing scams

You need your phone for both the authenticator app and SMS, which has caused some issues for a few of our customers (we built email to resolve this)

I hope this helps

David

Email is the easiest method to hack. Staff and my self do not want to use an authenticator app.

SIM swapping is rare and would be difficult to achieve. Most banks use SMS as authentication in the US.

We’re disappointed in Mews implentation of 2FA. Mews development always appears to be focused on EU/GDPR/privacy compliance instead of improved functionality to hoteliers.

In the HELP article, you mention that email addresses can be excluded from 2FA. This is very important for us, as we work with a monitoring center during the night hours, and they cannot activate it because of the fact that they work on 1 account in routating shifts. Housekeeping team logs in on 1 and the same account to clean rooms. They are also not able to make use of this function. 

In short, these accounts have very limited permissions and must be excluded from 2FA.

Why is this feature not working yet, and when will it be, given your strict deadline to make 2FA mandatory?

Looking forward to your quick response.

Hey @evavandeparel89,

Out of curiosity, what is the reasoning behind only having one account?

Regarding 2fa exclusion functionality, you can find it on the property settings page, under security  - https://help.mews.com/s/article/Enabling-and-disabling-mandatory-two-factor-authentication-for-employees?language=en_US#How-to-create-a-2FA-exemption-list

Thanks

David

Hi David, they work on 1 account because of the fact we work with an external housekeeping company with daily changing team. I know the help article, but the function is not working in Mews, that is the reason of my post (!). It is not possible to select e-mailaddresses.

I agree, Email is easy to hack if you don’t follow standard security practices, such as using strong, unique passwords (ideally from a password manager), implementing some kind of 2FA (ideally hardware key or secondary device), not sharing credentials and continually being weary of a changing threat landscape.

The hospitality sector continues to be an easy target for bad actors because it has yet to adopt such functionality. We refuse to stand by, instead choosing to take action to protect our customers and their guests.

I’m sorry that you’re disappointed with the current 2fa implementation. We will continue to refine functionality and add new features inline with worldwide security best practices.

David

It might be that Enforce 2fa is not enabled (you need to enable it before you can exclude people from it)

If its still not working, I can work with your CSM to get you more assistance

Hello!

In your case, I would suggest that your external HK should not work with a Mews Account at all. Rather use some some integrated third party tool like Sweeply (for simple situations)or Hotelkit (for more complex requirements).

Best regards;

JP.

Dear JP,

Sorry, but you're avoiding the question. I want to know how to exclude email addresses from 2FA, not how you think our business operations should be structured.

Other employees (such as an external control room for the night shifts) also work in our Mews account with limited access, but they still need to be able to create key cards remotely (for example). I don't believe I should have to explain step by step why I'm asking a question; just provide an answer as to why the features described in your HELP article aren't active. Will this be activated before September 2, or is there another way we can exclude these users from 2FA?

Best regards,

Eva

About this: I have enabled this, but still I am NOT able to select email addresses. Can we continue this conversation by e-mail maybe?

/////

It might be that Enforce 2fa is not enabled (you need to enable it before you can exclude people from it)

If its still not working, I can work with your CSM to get you more assistance
 

Hello!

I think you misunderstood my role and this forum here. I am just another user… :-) You are free to make of users’ comments what ever you like, or not…

This user community, I believe, is here to discover how other people are structuring their operations, share ideas, find out how others are dealing with current challenges, … and provide feedback to Mews. If you think that Mews is defective, has a bug, or does not fit you use case at all, I would think your primary contact should be your customer success manager, mews support, or the mews sales agent. Any MEWS employee here to back this up or jump right in?

Personally, I think 2FA is very important. Especially, when you share access with external users. How can you make sure they are not freely sharing the credentials, and store them safely. And we all need to structure our operations around it. I have repeatedly made suggestions here on how 2FA could be made less annoying (for example exempt certain IP ranges or require 2FA less often, use passkeys instead) - See

Kind regards,

Jean-Philipp.

Apologies, I assumed a Mews employee was responding to my question.

I completely agree that 2FA is very important, and we've been using it for all our reception and manager accounts since it became available. However, it seems a bit excessive for Mews users with very limited permissions. We would like to disable it for this group, as it significantly hinders our daily operations.

If these messages aren't addressed by Mews directly, we'll certainly reach out to our Success Manager to discuss this further.

I completely agree to your point! I think the access to personal data is the main issue. If there was a restricted account type without any access to personal information (like for housekeeping only access to room status is required), I think that could be exempted from 2FA and frequent reauthentication, as access to this account would be useless for anyone else anyway.

@Mews: maybe when restructuring the user access rights system, a totaly restricted account type without access to personal data could be implemented without 2FA?

I can imagine this to be usefull for housekeeping staff, maintenance staff, etc… a key point in data protection is to only provide the data that must be accessed to perform a given role/job - for the above roles the names, contact details, payment and financial details are irrelevant, and access should not be granted anyways. Back when we had paper only HK lists, there were no guest names on the lists…

However, for an external night shift with unknown/changing staff members (call center), this might be insufficient, as personal data needs to be access to e.g. issue new keys and verify guest ids… so for that use case, I don’t know… 2FA with TOTP might be a problem to organize (they could use a dedicated hardware device to generate the codes, maybe ...) - but for data protection it would be wise to require it, especially in that environment that is not directly under your control. Email 2FA could work I guess … so if your call center / night shift has a common email address, they could use a generic account with that email address and 2FA via email. Not perfect, but doable ?

JP.

This group (night shift) automatically receives an in-house list from Mews with only room numbers and names. They only need access to the timeline and to create a room key. In my opinion, this can be done perfectly fine without 2FA, as they don't have access to guest details. Anyway, it would be great to have a solution for this before September 2nd, so @Mews, I look forward to hearing from you soon, either here or via email.

In case people are watching this thread, I reached out to @evavandeparel89 via email and we resolved her issue.

We have been locked out of our account, and whilst I have tried to chat to support, it always takes me to the login page. Would love for you guys to help out with opening our account again (visitlaagen). Thanks!