
Let's face it: passwords, while important, aren't enough to keep your online accounts completely secure these days. 

That’s why we're introducing mandatory two-factor authentication (2FA) for all Mews users. This is a big step towards making your accounts – and the data you trust us with – better protected. We know security is a top priority for everyone, so we want to explain why we're making this change and how it benefits you. For more detailed information, we've created a custom page about 2FA where we gather everything you need to know—have a look there. 

Why 2FA? 

Think of 2FA as an extra layer of protection beyond your password. It means that even if someone gets hold of your password (through phishing or other means), they won't be able to access your Mews account without a second piece of information – in this case, a code on your phone from an authenticator app. 

This helps to: 

  • Prevent unauthorized access: 2FA makes it much harder for hackers to get into your account. 

  • Protect against phishing: Even if you accidentally give away your password, 2FA stops hackers in their tracks. 

  • Mitigate data breaches: If passwords are ever compromised (and unfortunately, it happens), 2FA acts as a backup line of defense. 

  • Meet compliance standards: As of next year, all organizations handling cardholder data must implement 2FA to meet compliance standards, reflecting a growing trend across various industries (beyond financial services). 

  • Give you peace of mind: You can feel more confident knowing your account is better protected. 

What's next? 

We'll be rolling out 2FA in phases. You'll receive an email specifying the exact date when it will be activated for your account. But don't wait – we encourage you to set up 2FA as soon as it's convenient for you. Once 2FA is in place, you'll be automatically logged out after 24 hours to maintain a high level of security. 

How do I get started? 

We've created a simple guide on how to activate 2FA to walk you through the process. As for managing your 2FA codes, you can choose from popular authenticator apps like Google Authenticator, Microsoft Authenticator, or 1Password.  

If you're an admin and want to enforce 2FA for everyone in your organization, check out this short video to learn how. Once it's enforced, here’s a video on setting up your 2FA and logging in as a user. 

We're committed to keeping your data and the Mews platform safe and sound. We're always working hard to stay ahead of potential security issues, so you can focus on what you do best. 

If you have questions or need assistance setting up 2FA, please contact our support team or post your questions in the comments below. 


I think that's great 🙌. There are large amounts of sensitive data in mews. We already use the ”Enforce 2FA”-option to keep our security at a high level.

One thing I would like to add at this point is the ability to fully edit other users' accounts as an administrator inside Mews 😊.

In our case, all of our user settings could be set and managed by an admin, this also applies to profile pictures and 2FA. The problem is that in Mews some profile-related information (such as the profile picture) can only be edited by the user themselves, which actually makes little sense, as the first and last name and authorization can also be set by the administrator … then why not everything except password 🤷‍♂️?

In our case, the 2FA is handled via a hardware device at the reception. 2FA apps on private devices are not desired. It would be nice if there was an option (assuming admins can edit the user profiles) that 2FA is not managed by the user at all but only by admins (hide 2FA setup for users).

So there should be less work for users and increased control, consistency and security for admins 🤩.

https://feedback.mews.com/forums/955411-mews-user-management/suggestions/48486767-allow-full-user-profile-edit-for-admins



@jones.eth thanks for the request.

Can I ask a few questions about your 2fa hardware setup: 

  • What hardware are you using for 2fa? (Yubikeys?)
  • Do all users only log in from Reception? How do you handle authentication for employees working in other parts of the hotel? (Like housekeeping or Backoffice)

 

This information would be useful as we improve our 2fa functionality.

 

Thanks

 

David


Hey @David Endersby we use a ReinerSCT: https://shop.reiner-sct.com/?locale=en

I think it's a pretty common device in the DACH region but I'm no expert in 2FA hardware 😅. I’ve seen devices from them for some “old school” online banking verifications too but nowadays banks have mostly individual apps for that I think 🤔.

The device has a little camera to scan the QR-Code and then there is a list of accounts (if multiple are registered) to choose from to get the corresponding TOTP-Code. So it is basically a 2FA app as hardware device 🙌.

Currently there is one device at our reception/backoffice but multiple would be possible for sure. Our staff at the reception is the only one that uses the mews web app. Housekeeping uses the android app and the sessions are long enough that 2FA doesn’t trigger from one day to another 👍.

If someone from anywhere else in the hotel would need to log in (if that is necessary) they could simply call the reception and get the code. Same for home office. This also ensures that nobody logs into mews from home for whatever reason without the hotel/reception authorizing that. If you have some kind of separation you could just add an additional ReinerSCT to prevent too many 2FA calls 😉.

That handling works great for us and I think it is pretty secure too because illegitimate logins from outside the hotel are prevented with that too 😊.
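The QR code the device scans is an otpauth URI carrying a shared secret; both the device (or an app) and the server then derive the same six-digit code from that secret and the current 30-second time step. The added example below is not Mews or ReinerSCT code: it implements RFC 6238 TOTP with the standard library, using the RFC's own constructed test secret, placeholder account and issuer names, and a server-side check that tolerates small clock drift while refusing a code that has already been used.

```python
"""RFC 6238 TOTP, stdlib only. Added example, not Mews or ReinerSCT code.

The enrolment QR code carries an otpauth:// URI with a shared secret; an
app or a hardware TOTP device stores that secret and derives a 6-digit
code from it and the current 30-second time step. The server side does
the same derivation and compares. Secret and timestamps are constructed
(the RFC 6238 test secret); account and issuer names are placeholders.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per time step (authenticator-app default)
DIGITS = 6

# Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Text encoded in the enrolment QR code that the app or device scans."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """Code shown by the app/device at Unix time `at`."""
    return hotp(secret_b32, at // STEP)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int,
                skew_steps: int = 1):
    """Server-side check. Returns (accepted, counter_to_store).

    Tolerates +/- skew_steps of clock drift, refuses any time step at or
    before the last accepted one (stops replay of a code already used),
    and compares in constant time.
    """
    current = at // STEP
    for candidate in range(current - skew_steps, current + skew_steps + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    print(provisioning_uri(SECRET_B32, "frontdesk@example.test", "ExamplePMS"))
    print("current code:", totp(SECRET_B32, int(time.time())))
```

The server stores only the last accepted counter per user; the replay check is what stops a code read over the phone from being reused within its 30-second window.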


Sorry, but in my opinion this is - once again - not thought through to the end by MEWS.
You want to make the system more secure and you want to do this using users' private mobile phones. Although everyone knows that these devices in particular can be "hacked" very easily from the outside.
In addition, there are people who - deliberately or because of internal regulations - do not have their mobile phones at work during business hours.
I also think that every company should decide for itself what its security system looks like. This should certainly not be mandated by a PMS and certainly not by intruding into the personal space of every employee.

 


Hello @David Endersby !

Thank you for joining the discussion.

I really appreciate it that more focus is put on login security! However, I believe a couple of other things would be important to address in order to make access not only more secure, but also more convenient.

  1. Automatic session locking is not generally solved yet (see following thread)
  2. Make 2FA less annoying:
     - Sessions could/should remain active for a prolonged time (couple of days), if ...
         * automatic session lock (with pin code) would be possible across all devices, independent of browser extensions/scripts (see 1)
         * login happened from a white-listed IP range (IP range of hotel/office)
     - Make it possible and easy to register more than one TOTP authentication device to an account, so that users can have a backup device
     - Provide an option in the marketplace to order packages of hardware TOTP tokens for hotels that cannot or don’t want to use employees' private devices with 2FA apps
  3. Allow Passkeys in addition to 2FA, so that one can authenticate either with a passkey + pin OR Username/PW+TOTP, depending on where you are - that way reception/on-site staff could easily login with pin from authenticated devices (where passkeys are stored), or with TOTP 2FA from off-site networks
  4. Provide the option to restrict login to property-specific white-listed IP ranges, OR IP locations (GeoIP based) (for example a hotel in Europe will not need logins from Asian IPs)

I hope I could provide a few ideas. I think there are really many things that need to be improved, but they need careful consideration and planning. I think the current rush to enforce TOTP 2FA is not planned well enough - I guess that many properties will struggle with that and internal IT support teams will get some load from users having trouble setting up their 2FA app, resetting it when lost/new phone, etc… good luck with that ;-)

In summary the things that most annoy me at the moment are: daily 2FA reauthentication, no default auto-locking of sessions with pin code, and the fact that it is not straightforward to register a second backup 2FA device/app. If a hotel has a larger user base, there are probably a few more things with mass user management issues - but since we are a small place, someone else needs to address those ;-)

Kind regards,

Jean-Philipp.

 


Hi,

Instead of requiring our employees to use their private devices, I propose we send a secure link to the user's email address.

We have set up our users with alias addresses connected to each property’s main email. By sending a link via email, we can ensure that access to the system is granted only when the employee is on-site and able to access their email.



 

Hi Franziska, thank you for sharing your concerns regarding the implementation of Two-Factor Authentication (2FA) for accessing Mews. We understand the importance of security and privacy in today's digital landscape, and we appreciate your feedback.

We want to assure you that the decision to enforce 2FA is made with the utmost consideration for the security of your data and the system as a whole. While we acknowledge the potential vulnerabilities of mobile devices, 2FA remains a widely recognized and effective security measure to protect against unauthorized access.

In response to your specific concern about employees who may not have access to their personal mobile phones during business hours, we would like to highlight that hotels have the option to create exemption lists for particular emails. This means that if an employee is unable to use their personal phone while working, their email can be added to the exemption list to bypass the 2FA requirement. Another option would be browser plugins like 1password, that allow a code to be generated via the browser.

We value your feedback and are committed to addressing any concerns you may have. Please feel free to reach out to us if you have any further questions or require assistance with the implementation of 2FA.

Thank you for your feedback!



Hey Robin,

Thanks for this feedback. We’re currently looking into 2fa via email solutions. More news on this coming soon.

 

David



Hey Jean-Philipp,

Thanks for taking the time to write us this lengthy feedback. There's definitely some great ideas in there. I’ve passed this post onto the product team and we’ll look at getting them on the roadmap.

Can I ask for a little more clarity on the pathkeys option? Do you have a specific vendor or implementation in mind?

Thanks

 

David

 



Hello @David Endersby !

Sorry for my spelling mistake! It’s “passkey” not “pathkey” of course 😉 … so, I hope it’s clearer with the correct word - I meant to point out modern web authentication according to the FIDO2 industry standard (https://fidoalliance.org/passkeys/ )

But I think passkeys alone are not the solution; the best approach for me would be to allow users to use passkeys and/or user/PW+2FA, because using passkeys on shared devices, or on several devices not allocated to a single user, might be a challenge, but passkeys are convenient when using a service from mostly the same device.

I just think that there should always be a second factor, but for convenience it doesn’t have to be restricted to TOTP-2FA, but could also include other factors, like known trusted device, passkey, certificate, IP range, whatever … you name it … some second factors might be less secure (source IP), hence require reauthentication more often, some are more secure (passkey or TOTP) and might allow longer sessions (with auto lock with pin maybe), … and so on… a more flexible, multi-layer approach might be the most secure AND convenient! I am sure you guys will figure out something great in the end - looking forward to it!

Regards,

Jean-Philipp.
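One way to express the multi-layer approach argued for in this thread is a server-side policy that maps the factor used at login and the client's source network to a maximum session age, with a PIN unlock for idle sessions instead of a full re-login. The block below is an added example, not Mews code; its lifetimes, the trusted ranges (documentation addresses) and the session records are constructed for illustration.

```python
"""Step-up re-authentication policy. Added example, not Mews code.

Encodes the flexible approach described above: the factor used at login
and whether the request comes from a trusted network decide how long a
session may run before the full second factor is asked again, and an
idle session gets a cheap local PIN unlock instead of a full re-login.
Lifetimes, ranges and sessions below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed maximum session age per factor, in hours, on a trusted network.
MAX_AGE_HOURS = {
    "password": 0,          # alone it is never a second factor
    "totp": 24 * 7,         # authenticator app or hardware TOTP token
    "passkey": 24 * 30,     # FIDO2 credential bound to the device
}
TRUSTED_NET_GRACE_HOURS = 24  # password + trusted source range: re-auth daily
OFFSITE_MAX_AGE_HOURS = 24    # any factor from outside: re-auth daily
IDLE_LOCK_MINUTES = 15        # after this, require the PIN to continue

# Constructed example ranges standing in for the property's office network.
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.20.0.0/16")]


@dataclass
class Session:
    factor: str            # key of MAX_AGE_HOURS
    auth_age_hours: float  # time since the last full authentication
    idle_minutes: float    # time since the last user interaction
    locked: bool = False   # user or policy locked the screen explicitly


def on_trusted_network(client_ip: str) -> bool:
    """True when the client address falls in one of the trusted ranges."""
    addr = ip_address(client_ip)
    return any(addr in net for net in TRUSTED_RANGES)


def decide(session: Session, client_ip: str) -> str:
    """Return 'allow', 'pin_unlock' or 'reauth' for the next request."""
    trusted = on_trusted_network(client_ip)
    if session.factor not in MAX_AGE_HOURS:
        return "reauth"                     # unknown factor: fail closed
    if session.factor == "password":
        # The source range acts as a weak second factor, only on-site.
        limit = TRUSTED_NET_GRACE_HOURS if trusted else 0
    else:
        limit = MAX_AGE_HOURS[session.factor]
        if not trusted:
            limit = min(limit, OFFSITE_MAX_AGE_HOURS)
    if session.auth_age_hours >= limit:
        return "reauth"
    if session.locked or session.idle_minutes >= IDLE_LOCK_MINUTES:
        return "pin_unlock"
    return "allow"
```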


Dear @jesson.atherton

I really like the security increase of 2FA.

But please be aware of the usability and convenience in everyday’s business.

For home office devices etc. 2FA via Authenticator Apps is a great solution.

For a front office PC you simply cannot do that without losing valuable seconds to re-login on the same PC. As @j.spiess already suggested the “trusted device” solution will be extremely helpful.

One more question about the login: Is there a solution that the recently logged in account’s e-mail addresses remain saved for the next login even when you closed and re-opened the browser (in our case Google Chrome)? On the front desk PC it takes us so much time re-entering the e-mail address and password every time we re-login. I’m really thankful for any solution ideas😀



Hey Marlon,

Thanks for the message. We’re trying to balance the security with the usability and are actively looking at solutions to bridge this gap.

Regarding your question, when you close the browser, does it nuke the cookies too? I’m assuming this is the case as you are required to reauthenticate. Solving this might be a bit tricky - having a trusted device (suggested above) could reduce login steps and passkeys are another option that we could implement. Regardless, there will probably be some kind of authentication required (so we can differentiate you vs someone who shouldn’t be allowed in).

Thanks again

 

David


Hi everyone 👋,

We are looking into how to make 2FA setup easier and more convenient based on your feedback. We have prepared an interactive prototype of potential improvements. If you have time, please test it and share your feedback. It will only take 3 minutes. Feel free to share this link with your colleagues—the more feedback, the better.

Prototype: https://app.useberry.com/t/RamPMrWfnoCMNd/?Source=User

Thank you,

Zuzana


Hi there, 

 

This seems like a good call from Mews getting this project started before it becomes mandatory due to law changes next year. 

I just have a few questions, which piggyback off some of the other replies.

The first and most important one for us would be the likelihood of the whitelisted IP range working. Would users be exempt from using 2FA if they are on an IP address that is recognised by the business? Also, would users be able to then use 2FA if they for instance took their laptop home for work? Will this be something that will be likely to be developed? 

Also Mews is saying that after 24 hours users will be automatically logged out, if I am not mistaken. Will we be able to reduce this window if possible, and will we be able to do so for individual users or will it be a blanket time across the platform? 

There was also mention of a list of emails that could be exempt from using 2FA, could this be explained a bit more as it seems to contradict it becoming mandatory? 

 

Thank you 

Matt

 



Yes, that IP range based exception would be great!! I support that!!! Or some other way to avoid frequent 2FA reauthentication for known trusted devices (client certificate based for example). It doesn’t have to be a total exception from 2FA, but only require like 1/month to do the full 2FA authentication on trusted networks/devices…
I mean, consider having an on-premise installed PMS - I believe for services only accessible on local networks no 2FA will be required, right? So if you trust an IP range or client certificate one could see it as locally accessible from a trusted network, right?

Regards,

JP.


+1 for IP-Whitelisting from me too 😊.



Hey!

Tested it now, and the e-mail option is exactly what we are looking for!
How far are you in the process? Will we be able to authenticate through email in September when you start to roll this out as mandatory?


@zuzana.hrusovska that looks awesome 😊. Would be great if there would be a global option to force these settings if wanted. Something in property settings like: Individual, E-Mail, Authenticator and only with Individual set the users can change these settings by themselves.



Agree!


Hello 👋,

Thank you very much for your feedback. We are looking into ways to incorporate it into our designs. Our goal is to provide e-mail functionality before September.

We are also considering options for admins to preselect preferred options for their users, but this is still under discussion. For now, it will be up to users to select their preferred method.

Best regards,

Zuzana


Hi,

MEWS definitely needs to beef up account security. Unfortunately, basic features are completely missing.

Here are a few features that are currently lacking:

  • IP Geofencing: Restricts access based on geographic locations to prevent unauthorized access from unfamiliar or high-risk regions.
  • Account Lockout: Automatically locks an account after a specified number of failed login attempts to protect against brute-force attacks.
  • Password Complexity Requirements: Enforces the use of strong, complex passwords that include a mix of letters, numbers, and special characters.
  • Regular Password Changes: Requires users to change their passwords periodically to reduce the risk of compromised credentials. (Not my favorite, but necessary)
  • Session Timeout: Automatically logs users out after a period of inactivity, reducing the risk of unauthorized access if a session is left open.
  • Account Activity Monitoring: Tracks and logs account activity to detect and respond to suspicious behavior or potential security breaches.
  • Login Notification Alerts: Sends alerts to users when a login attempt is made from a new or unrecognized device or location.

Obviously, MFA (Multi-Factor Authentication) should be on the list, but it may not be feasible for housekeeping staff to have both a tablet and a smartphone for MFA. Many of these users are not familiar with MFA and its workings.

Therefore, the option of having trusted devices, together with the features listed above, would be a more viable solution. This way, there is a one-time effort to trust each device, access is limited due to IP restrictions, brute force attacks are catered for, and users get alerted if any foul play is detected.

The cost to implement this feature set would be minor, also from a complexity level.

Best,

Ed


Dear MEWS Team,

One more important point:

Please ensure that Multi-Factor Authentication (MFA) is enforced on all demo, staging, and backup environments. Ideally, these environments should be deleted if they are no longer in use. It's common for intruders to exploit such environments, and it's likely that guest data is stored on these systems as well.

Best regards,

Ed


Hello Everyone, getting a 2FA authentication code is now available via email.


If you’re looking for more information around 2fa via email, we’ve updated the help guides - https://help.mews.com/s/article/turn-on-two-factor-authentication?language=en_US#Set-up-two-factor-authentication-via-email

