Hi,

Hoping someone can answer a query around account security. As far as I can see the account we all use is only a single authentication. I’m hoping / wondering if there are any plans to change that by incorporating MFA?

Does anyone (Sonos or community) know if this is going to be incorporated or is on a rollout in the future?

Thanks in advance!

@mac2468

I don’t know about such plans and Sonos won’t tell about further hardware and software plans. 
But you can leave this here as a recommendation and a Sonos mod will pick it up. 😎


Why? What important information is stored on your Sonos account?


I so love two-factor authentication when the verification back-end goes down. Been locked out of three different local devices in the last month as well as a couple websites.


@Schlumpf 

 

Many thanks for the information, much appreciated!

To answer the above comment, nothing at all. It’s what you grant the app permission to, linked services and your network is why I’m asking the question.
 

Completely agree @Stanley_4, as an admin we hear this a great deal but then even when offline, it’s still ticking the box by keeping you secured, albeit you can’t access until the fault is resolved.

Cheers all!


MFA is of limited utility for a Sonos account (as there is so little associated with it), but what IS missing is the ability to revoke access to your Sonos account, once you have given it to an app or web site.


The web app now makes it possible to control your speakers from outside your network.
Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!


I use my AppleID to authenticate with many online services, maybe this will come to Sonos soon?

 

i.e. you would authenticate with Apple/Google/Facebook etc. when logging into your Sonos account, and use the MFA/passkeys already set up on those accounts.


The web app now makes it possible to control your speakers from outside your network.
Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!



Exactly, I raised this earlier hoping it can be disabled
 

 


The web app now makes it possible to control your speakers from outside your network.
Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!



Exactly, I raised this earlier hoping it can be disabled
 

 

I’ve had a look around and can’t find a setting anywhere, unless I’m missing something?


Google or Facebook would not make me feel much safer though….


Hi @mac2468 

Welcome to the Sonos Community!

Thank you - I've marked this thread as a feature request and it will be seen by the relevant teams for consideration. Keep the ideas coming!


The web app now makes it possible to control your speakers from outside your network.
Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!

I share this very concern and asked a related question here: can I turn off the web app?

It’s only a matter of time until we start hearing horror stories of people being woken up at 3am or having speakers blown by a hacker.

Sonos is not taking security seriously. Usernames are tied to email (so easy to guess) and they don’t require complex passwords (for example go check the setup account page - you can use ‘password’ as your password).


Hi @mac2468 

Welcome to the Sonos Community!

Thank you - I've marked this thread as a feature request and it will be seen by the relevant teams for consideration. Keep the ideas coming!

Security is now a feature request? I’d think that should be foundational to any physical device you sell and then allow operation from the cloud...


Hi @mac2468 

Welcome to the Sonos Community!

Thank you - I've marked this thread as a feature request and it will be seen by the relevant teams for consideration. Keep the ideas coming!

Security is now a feature request? I’d think that should be foundational to any physical device you sell and then allow operation from the cloud...

Agree security should be baked in from the start. I can’t think of any cloud-based systems that don’t use MFA. It’s asking for trouble. I checked my Sonos account and my home address is not populated, but some customers’ details will be, so there’s a potential GDPR issue there. On top of that we could potentially be locked out of our own accounts by a hacker who could then take full control of our home speakers remotely. Our only option would be to create a new account, perform a factory reset on all devices and start the set-up from scratch!


Hi @Corry P,

Thanks for having me! I appreciate that, I know it’s not for everyone but simply put it would be a decent step forwards in securing access to customers’ accounts.

 

Cheers!

 


Just my personal thoughts… but if my pw has been hacked, there is a security problem on MY side. And in case of Sonos use, what intention should a hacker have? To disturb me at night by starting some music? Worst scenario that could happen would be I have to change my pw. 
There are other services that imo really more need a higher security level. 
But as said… just my 2 cents


Just my personal thoughts… but if my pw has been hacked, there is a security problem on MY side. And in case of Sonos use, what intention should a hacker have? To disturb me at night by starting some music? Worst scenario that could happen would be I have to change my pw. 
There are other services that imo really more need a higher security level. 
But as said… just my 2 cents

If my speakers started randomly playing music at night I think me and my family might have some issues with that!  It’s only a matter of time before accounts get hacked, they don’t need a reason to do it.

Besides, I assume once someone has credentials for the underlying Sonos APIs they might be able to do more than just play music? Maybe they could compromise the devices/install malware/listen to microphones, who knows?


@Absolute40

Of course being hacked is not a pleasure, but I just wanted to leave my personal opinion about the necessity to do prevention for that on Sonos side or on user side.
And I’m sure nobody can compromise your system from outside your network. And if someone is able to do so, I’m sure even MFA won’t stop him. Updating to MFA authentication would mean financial investment for Sonos and there has to be a real need for that. Just a “I’m feeling better with that” won’t be worth the money I think. 😉


Really amazed how lightly this is taken by some of the community. I live in a flat. Web services are hacked all the time. My neighbours would just *love* it when some joker plays some house music at max volume at night or when I’m travelling abroad 😬 Or damages my equipment. How much thought went into this, I wonder? So I really want MFA or at least an option to disable the web player. 
 

btw I would never have bought Sonos if access from anywhere but the local LAN was allowed by default.