Hi All,
I discovered I can have multiple devices logged in with my user, in Homey, at the same time.
This is good, but not from the “security” side. Maybe it already exists and I didn’t find it: is there a list of connected devices, like in Amazon or Google, where you can drop the connection?
And the next question is: if I activate 2FA, I’m not able to log in on my Android app anymore because I receive the message “login incorrect password or username”, but it still works on the web app (by browser).
I don’t understand. Which devices? Can you give a few examples?
It works (Android 10) here though, since 2FA was introduced;
maybe logging off, killing the app, emptying cache and optionally rebooting the phone makes a difference?
I’m no specialist in OAuth and 2FA, but I’ll try my best.
If you logged in with your user on different devices, each device is authenticated using OAuth2. That means the device has a Bearer token (session token) and a refresh token. The Bearer token has a short lifetime (1 day or so). Then the refresh token is used to get a new Bearer token.
The Homey WebAPI supports refreshing with the refresh token without a new login.
Other apps limit the refresh token to 3 months and you are forced to log in again (downside: if you don’t recognise an outdated token, the app can’t access the server and you won’t get updates). I think that’s why Athom uses unlimited refresh tokens. The mobile app stays connected and you don’t miss push messages.
Athom has no list of used devices (refresh tokens) to clear. If you want to clear them, you need to change your account password. That invalidates all logins.
You can also clear the app data on your mobile device or uninstall the app. That clears the locally stored tokens and this device is “clean”.
If 2FA doesn’t work, it can be a still-valid Bearer token that was invalidated by the 2FA activation.
Just log off and in again. Then you should be asked for the 2FA key.
I mean like in your Amazon account or Google account, where you have the list of devices you are logged in on.
For example, if I want to know the list of logins I have made, or if I want to push a button and, for security reasons, log out every access.
For the second thing, I tried with my iPhone 12 and it works perfectly, asking me for the 2FA code. On Android 13 (Honor 70) no way (currently): rebooted the phone, reinstalled the app, emptied the data cache, but no way. I’m investigating in the log.
Thanks Ronny for the nice info, but I never logged in with 2FA on this app and device, yet the result (only on the Android 13 device) is “credentials not valid”. It works perfectly on my iPhone 12.
Thanks. It’s of course by design that those accounts stay logged in 24/7, but you’re looking for a “quit all now” button? Just change your pw, I guess.
But agreed, an overview would be nice, to keep track of the logged in services and devices at the account page.
For Google, Athom Support told me the Google Assistant toggle is switched off automatically, when there’s no connection for x minutes or hours, to protect my privacy.
I can tell you it switches off every X days here, while I have the only Homey without Wi-Fi issues.