We made some changes to Keycafe’s two-factor authentication settings and functions in order to make sure our user logins are secure.
Two Factor Authentication Update
Version: 2.1.16
Release Date: February 25, 2019
As it exists today, if Keycafe’s two factor authentication is on, a key owner user must provide an SMS code when logging onto our web application and provide a PIN or SMS code when picking up their own keys. By default, there are also complex and difficult to understand rules governing if guests must input a PIN or two factor authentication code when picking up keys. These settings have created difficulties for enterprise customers who require more granular control over their security policies and ultimately you are the one who should decide your security settings.
After the release there will be three settings options. All settings will be available in our new beta desktop app available at www.keycafe.com/desktop
More -> Security -> My Login 2FA: When you log in you will be required to enter a short code sent by SMS to your mobile number.
We expect enterprise customers who have multiple team members who need to access the desktop app will find the service easier to use because anybody with the password can login. Keep your password secure if you’re not using login 2FA.
More -> Security -> My Key Pickups 2FA: Anytime you pickup a key you own, you must either use the Keycafe app or input on the SmartBox a 2FA code we send to your mobile device. Turning this setting off means anybody who knows your mobile number will have access to your keys.
If you are giving out your master account number to others to do pickups, you will need this to remain off since an SMS code would be required to complete a key pickup, and you are the one with the phone in your possession. However, we strongly advise to move to using the system as intended by sending accesses to your guests. Giving out your primary account code is a major security risk and not how the system is intended to be used.
More -> Security -> Guest Pickups 2FA: Anytime a guest attempts to pickup your keys using their mobile number or account level access code, they must input on the SmartBox a 2FA code we send to their mobile device. Turning this setting off means anybody who knows a guest’s mobile number or code will have access to your keys.
If you are confident your guest users will have their mobile phone with them, this is a good extra precaution to take to ensure the person with that mobile phone is the one picking up keys.
NOTE: All users two factor authentication settings will be set to ON at release.