Two-factor authentication (2FA)
Wes Cossick
Introduce the ability to enable two-factor authentication when logging in, via an authentication app (like 1Password or Google Authenticator), text message, and/or passkeys.
Note: This type of feature is sometimes called multi-factor authentication (MFA) or second-factor authentication.
Meredith Owens
Merged in a post:
Add two-factor authentication to website
Michael Kammer
Add the ability to log into the website using two-factor authentication.
ORIGINAL POST:
With front end access to bank accounts being confirmed via email and text messages, it would seem logical to place similar safeguards to access HOA websites. The email and cell phone information is already provided by HOA members.
Hacking an individual member's login credentials, which may not be challenging (e.g. It's only an HOA website, so let's use a simple password), could expose a lot of community information in short order to individuals that should not be privy to such information. Once hacked, there will likely be a mad scramble to figure out via website logins which account was compromised (but that would be water over the dam at that point). Old adage, an ounce of prevention is worth a pound of cure.
It’s clear in banking that such logon confirmations are automated.
Michael Kammer
Yes... 2 factor authentication.
Meredith Owens
Michael Kammer: Thank you for clarifying this! I'll update the description to include this information, and merge this post with the open request we have for adding two-factor authentication.
Meredith Owens
Michael Kammer: To clarify, are you requesting that two-factor authentication be implemented for logging into the website?
As for the current security measures we have in place, I recommend reviewing the following help article. There, you'll find more information about the various techniques we have for authenticating logins.
Wes Cossick
Merged in a post:
Passkeys
Marcia Koury
Allow residents to use passkeys instead of usernames and passwords to log in.
Michael McNichols
Please make this feature a high priority. The use of passwords alone is not adequate security for those who want to use the payment feature. Our HOA is concerned about potential liability if one of our member's financial information is compromised. Thank you for your consideration.
Meredith Owens
Michael McNichols: While we're still considering developing this feature, I want to assure you that we've developed the strongest security practices in the industry. Currently, several security measures are in place to keep member data secure. You can read more about those in this article: https://help.hoa-express.com/en/articles/2340910-how-we-keep-data-safe-and-secure.
As for the online payments feature, our payment processing partner is Stripe. They're certified as PCI Service Provider Level 1, the most stringent certification level available in the payments industry. Sensitive data like bank account information, credit card numbers, and other details never touch our system—they're handled entirely by this payment processing company.
web@milltownvillage.org
When does HOA Express plan to offer two-factor authentication for resident accounts? Can it be optional for some accounts, but used for other accounts? It seems like it’s becoming a standard in the industry. Many of our homeowners' passwords are definitely not “strong”.
Meredith Owens
web@milltownvillage.org: I'm afraid we don't have an estimated timeframe yet for this feature request. Our primary focus right now is finishing our next gen front ends, which, among many other benefits, will help us develop feature requests like this one more quickly.
The beta Admin Portal is nearing completion; you can check it out at https://admin.hoa-express.com and follow our progress in our quarterly recap blog articles: https://blog.hoa-express.com/tag/recap/.
Meredith Owens
Merged in a post:
Multifactor Authentication for Admins
Mary Piterak
Passwords these days are a terrible way of ensuring security.
This isn't a big deal for community member accounts, but could be a problem for admin accounts. You should:
o At minimum, support TOTP (Time based) MFA, using applications like Google Authenticator (i.e., not email or SMS text).
o Allow MFA as a requirement for Admin/Editor accounts.
Mary Piterak
Oops, please merge my suggestion into this one.
At a minimum, this should be TOTP (time based, Google Auth and the like), rather than SMS or email based.
SMS is no longer considered secure, especially given SMS forwarding services available for text hijacking.
Meredith Owens
Merged in a post:
Two-Factor Authentication for "Payment Processing"
Steve Tomasco
"Two-factor authentication" is quickly becoming a widely accepted standard. Our homeowners would feel more secure entering their CC or DC information when using the payment feature.
Jim Tomasetti
This would be helpful to minimize the effect of hacking into an account. Sometimes users do not create strong passwords; this will help increase the security of weak passwords.