Given the sensitivity of the designs we build on Fusion 360, I think it is critical that security be increased. There are 3 important areas of improvement for me.
1: Two-Factor Authentication
2: Identity verification for password reset
3: Manage connected or “authorized” devices
I’ll go a bit more in depth with my concerns, and how they might be addressed.
1: Two-factor authentication is a well proven, reliable way to significantly increase security of any web based application. My preference would be an authenticator app based approach with SMS to a primary and secondary phone as a backup. (Losing a phone sucks, but it sucks worse if you can’t log into any of your critical web apps). (Printed backup codes should be a contingency plan). See how Shopify implements their authentication.
2: Currently, performing a password reset is a significant weakness of Fusion 360. There is no type of identity verification at all. Anyone with access to your email account would be able to reset your password, gain access to your Autodesk account and literally own everything (including being able to block you out of your own account). I think it is safe to say that many people have 3 devices with nearly constant access to email (PC, tablet, phone). In a design team of 5 people, that means there are likely 15 or more devices at any given time that, if in the wrong hands, could at minimum gain access to any shared design data, and at most deny that user access to their account through password/email setting changes. Password resets need to be taken seriously. CAPTCHA should be required to even start the password reset process (currently not required, meaning it's dead simple for a bot to be involved in the process). Some form of identity verification needs to be required prior to resetting a password. It could be predefined security questions, a code texted to the user's phone, billing zip code, last 4 of billing card, company name (preferably a combination of several items). Fusion 360 is using levels of security (as in none) I'd expect to see 10-15 years ago. A Facebook or YouTube account is more secure than a Fusion 360 account that is expected to hold a company's greatest asset, its intellectual property.
3: After I log into Fusion 360 from a mobile device or a PC, there is a certain amount of time that the specific login session is active. I can open Fusion 360 on my PC, then close it and open it again without entering the password. There may be a setting I'm not aware of to control this functionality, but if multiple devices can be signed in at any given time, the user should be able to manage those devices and have the option of ending any current session (requiring the user to log in again to Fusion 360). If an account is ever compromised, we need the ability to restrict access to the data. This also comes into play if I were to log into my own account from a coworker's computer, but forgot to log out prior to leaving.
There are other areas of security that I feel need more attention from the Fusion 360 team, but those are related to more advanced items like user rights/permissions for specific projects and team structure, and I expect those to be something that is refined long term. However, the 3 items mentioned above (especially #2) are basic tools for increased web app security that most of us use on a daily basis. In my opinion, Fusion 360 needs to have better security than my bank. Money can be replaced, but you cannot undo the damage caused by stolen intellectual property. Once it is gone, it is gone. I believe Fusion 360 has a lot going for it and is well positioned to be the dominant player in affordable cloud based systems, but these security issues will prevent me from adopting it in any business function until they are resolved.
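The post asks for three server-side controls: authenticator-app two-factor codes with printed backup codes (item 1) and a per-account list of signed-in devices that the owner can end remotely (item 3). The block below is an added illustration of how those controls are typically built; it is not code from the post, from Autodesk or from Fusion 360. It implements RFC 4226 HOTP / RFC 6238 TOTP verification with a one-step clock window and replay rejection, single-use recovery codes of which only hashes are stored, and a session registry that stores only a hash of each bearer token and supports "sign out everywhere else". The in-memory dictionaries and the class and function names are assumptions made for the example; a real deployment would back them with a database.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Checks authenticator-app codes; tolerates +/- `window` steps of clock drift
    and never accepts a code for a time step at or before the last accepted one."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest counter already redeemed (replay guard)

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # this code (and older ones) can never be replayed
                return True
        return False


class BackupCodes:
    """Printed single-use recovery codes. Only SHA-256 digests are kept server-side;
    unsalted hashing is acceptable here because each code carries 64 random bits."""

    def __init__(self, count: int = 10):
        self.plaintext: List[str] = [secrets.token_hex(8) for _ in range(count)]  # shown once
        self._hashes = {self._digest(c) for c in self.plaintext}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.strip().lower().encode()).digest()

    def redeem(self, code: str) -> bool:
        h = self._digest(code)
        if h in self._hashes:
            self._hashes.remove(h)  # a redeemed code is gone for good
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


class SessionRegistry:
    """Per-account signed-in devices (item 3). The database holds a hash of the bearer
    token, so a leaked session table does not yield usable tokens."""

    def __init__(self):
        self._sessions: Dict[str, Tuple[str, int]] = {}  # token hash -> (device, created)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, device: str, now: Optional[int] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (device, int(time.time()) if now is None else now)
        return token

    def is_valid(self, token: str) -> bool:
        return self._key(token) in self._sessions

    def devices(self) -> List[str]:
        return sorted(device for device, _ in self._sessions.values())

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_all_except(self, keep: str) -> int:
        """The 'sign out everywhere else' action after a compromise or a forgotten logout."""
        keep_key = self._key(keep)
        gone = [k for k in self._sessions if k != keep_key]
        for k in gone:
            del self._sessions[k]
        return len(gone)
```

`totp()` reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, 8 digits, T=59 gives `94287082`), which is the quickest way to confirm an implementation before wiring it to an enrolment flow. The replay guard in `TotpVerifier` matters because a code observed over a user's shoulder stays valid for the rest of its 30-second step otherwise.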