Mobile Portal security

[java]

I noticed that the mobile portal can be accessed without any account authentication. As long as anybody gets the URL, he is able to access the EnvisaLink-3.

Can you please add an account authentication process before log in the mobile portal?

Thanks

[blakem]

That is not really true. There is authentication. It is in the form of the 40 character alpha numeric hash(mid). So as long as you do not give out this authentication to anyone then it is extremely unlikely someone would ever guess it. It is no different then giving out your alarm code. If you have accidently given it out to someone then go login to your account on a computer and generate a new one.

The math on the number of permutations if you wanted to brute force guess this 40 character string with 36 alpha numberic values is 36 to the 40th power. 36^40=1.78e+62

It is even more complicated by the fact that someone would need to know the MAC address of your device.

[EyezOnRich]

It is structured the way it is as a convenience.

You should have a password to access your phone in the first place if you are worried about that kind of security. So assuming they get by that you can also set the mobile portal to ask for a password.

Just bookmark to desktop this: https://www.eyez-on.com/EZMOBILE/
instead of the full link and it will ask for a username and password instead.

[java]

Just bookmark to desktop this: https://www.eyez-on.com/EZMOBILE/
instead of the full link and it will ask for a username and password instead.

Thanks.

But this url works on only the fist page after logon. It keeps asking for username and password when click anything.

[EyezOnRich]

You must be hitting the "Back" button on the browser. Use the "Status" buttons and "Home" button within the mobile webapp and it won't happen.