04-02-2023 12:53 PM
I get what Toast was trying to do with logging in on mobile, letting your device's security (fingerprint or face) log you in "faster" but it's literally now an EXTRA step to login EVERY time.
Why if I authenticate with my fingerprint, do I STILL get the captcha stuff? How dumb is that, I just proved I am not a robot, also it's not integrated into my phone's platform so it doesn't of course just populate my authentication then login no, my phone has to ask if it's okay every time then loads to a new screen then of course can't forget the Captcha my god no what if the robot's got my face somehow.
Seriously, the webapp isn't great but logging in before was at least somewhat easy. How long do we need to wait till there is a dedicated app for us to check/see toast reports? Square and Lightspeed both have these and they're slick as all get out. Toast could do this if they want but they just continue to not or say "oh we're working on one" bull.
Please, I am begging you, make it faster to login on mobile. Cut the incessant captcha stuff after it's been even an hour. Even my bank isn't that bad.
/rant
3 weeks ago
You're right, it is a fairly long process to log in, but the way I look at it is that Toast is helping not only protect my business's security, but the security of all my employees' information (bank account numbers in payroll, tax forms, etc). I know this isn't the solution you were looking for, but it really does help to think about it in the way that I know we're doing everything we can to keep us all safe!
3 weeks ago
I don't expect Toast to care about how inefficient of a system it is when it comes to security. Protecting our information is top importance. My problem is that it has made things MUCH LESS secure. I have and will continue to put in customer care cases with Toast support until something changes. The way it is less secure, is if someone forgets to logout or steps away from the computer and how Toast Payroll and ToastTab are now linked.
Let me explain:
I know most restaurants operate under these circumstances. Many managers using the same back office computers- Assistant Managers to ADMIN using the same computers at different times. Restaurant people also don't spend a lot of time at the computer, they need to jump onto toasttab to pull numbers from sales summary, or review time entries, product mix reports, lookup a ticket. Most things are about 5-10 min on the computer and then jumping off it, usually under a time constraint. And about 50% of that time you're on the computer you get interrupted because of one thing or another (customer issue, repair issue, staff issue, etc.).
If a manager forgets to close out their toasttab then payroll is now accessible through their toasttab and toasttab doesn't TIME OUT. Toast Payroll used to time out and close out if you were inactive for 15-30 min. Toasttab however just stays open. So it doesn't matter if there is a multi-factor authentication if toasttab is left open for any reason everything is open for whoever sits at that computer next.
I have seen this happen in multiple ways. Here is one: My general manager logged into her toasttab to do the drawers at night and got pulled away at the end to take care of a closing issue and forgot to log out. The computer went to sleep and I came in the next morning and her toasttab was still open. I wanted to test the security. I clicked on the payroll link in her toasttab and no problem it opened up her payroll account which is an HR+ and asked for no multi-factor authentication. I then closed the browser tab with toast payroll. Went back to toasttab and logged her out. I logged myself back in with multi-factor authentication in toasttab. Clicked on Toast payroll and once again HER TOAST PAYROLL access opened up.
There are a few more examples that I have given to Toast that are just as alarming.
I am saying all this because I am pleading with Toast POS and Toast Payroll almost daily to fix this serious lack of security. Toast listens if we speak up as customers. They are made for restaurants and they change to make us better. This change is not better and the more I can be a squeaky wheel I will do it. As much as the login process is inefficient that is not the point.
Toast engineers, this system has had unintended consequences that can be solved by making Toasttab time out of sessions.
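The two controls the post above asks for, sketched as an added example that is not part of the original post and is not Toast's code: an idle timeout on the parent web session, and a linked payroll session that is bound to its parent and dies with it. All names here (`SessionStore`, `open_linked`, the `mfa_ok` flag) are hypothetical, and the 15-minute timeout is an assumed value taken from the 15-30 min range mentioned in the post.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, lower end of the range in the post


class SessionStore:
    """Parent (POS web app) sessions plus linked downstream (payroll) sessions."""

    def __init__(self):
        self.parents = {}   # parent_id -> {"user", "last_seen"}
        self.linked = {}    # linked_id -> {"user", "parent_id"}

    def login(self, user, now):
        sid = secrets.token_hex(16)
        self.parents[sid] = {"user": user, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Return the user for a live session, or None if missing or idle too long."""
        s = self.parents.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)          # idle expiry is treated exactly like logout
            return None
        s["last_seen"] = now
        return s["user"]

    def open_linked(self, sid, now, mfa_ok):
        """Hand off to the linked app: needs a live parent and a fresh second factor."""
        user = self.touch(sid, now)
        if user is None or not mfa_ok:
            return None
        lid = secrets.token_hex(16)
        self.linked[lid] = {"user": user, "parent_id": sid}
        return lid

    def linked_user(self, lid, now):
        """A linked session is only valid while its own parent session is alive."""
        l = self.linked.get(lid)
        if l is None or self.touch(l["parent_id"], now) != l["user"]:
            self.linked.pop(lid, None)
            return None
        return l["user"]

    def logout(self, sid):
        """End the parent session and every linked session derived from it."""
        self.parents.pop(sid, None)
        for lid in [k for k, v in self.linked.items() if v["parent_id"] == sid]:
            del self.linked[lid]
```

With this binding, a payroll session opened by one manager cannot be reached after that manager logs out or goes idle, and the next person to log in gets a payroll session only for their own account after a second factor.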
2 weeks ago
I am monitoring this thread and relaying feedback to teams. If anyone else has found that things are less secure because of this change, please post in this thread. As I continue to learn more, I will update this thread. I apologize for the security issues this update has created and will continue to monitor and report back if I receive any information around this!
2 weeks ago
Thank you so much Rob!
2 weeks ago
HEY EVERYONE!
I hope I'm not getting excited too soon but I just LOGGED INTO TOASTTAB, TOAST CENTRAL, TOAST COMMUNITY, AND TOAST PAYROLL and NONE asked for multi-factor authentication!
(It's concerning that Toast Payroll isn't asking for a second authentication but I'm going to assume they are just still working out the kinks).
Not sure all this is legit or a fluke but it feels like progress!