I'm not really sure it's something that could be "fixed"--your experience is pretty much just how they are designed to work. They could decide to change that, but they have not indicated any plans to do so (or not) to my knowledge.
You have a couple options: you could use local-only dashboards, assuming you trust your own LAN to be secure enough to not need a passcode. Then you'd need to VPN in any time you want to use a dashboard away from home. Alternatively, you could look at third-party dashboards like Sharptools.io. This one is authenticated with a login that will indeed (with a cookie) persist, so no need to enter a PIN or log in on each page load. If you're comfortable with third-party code, you could also investigate HomeBridge (if you use iOS) or the Alexa app and it's rudimentary pseudo- dashboard-style control (if that meets your needs and you use Amazon services).
The Hubitat cloud dashboard is authenticated with a "token" that is part of the URL, so if you ever think that is compromised, you could also just create a new dashboard, generating a new cloud link, and effectively clone your old one by copying the configuration code from one to the other. (It is HTTPS and therefore likely to be fairly secure other than your own browser history and whatnot.)
If you look at the URL for a cloud dashboard, no one is ever going to guess it. Also, that URL is never passed in clear text, as you must use https with the cloud dashboard links. Thus, even the URL is encrypted via https.
If I may ask, what is your use-case for requiring a PIN protected dashboard? Do you have family members that you are trying to prevent from accessing certain dashboards?
Thanks for this and other suggestions. And I can do this, but it's such a hassle. But they all seem like a workaround for what should ideally have been supported out of the box
I do trust my family members. PIN (for cloud access) was just something I feel like I have to use because there's no password protection.
I still feel like relying on the link not being known by anyone is a weak security measure. At the very least, it means I can't open the link on other people's computers, because it can be stored in browser's history or logs somewhere.
It isn't going to be a problem to send the link to someone else's computer. What IS going to be a problem - is making sure it's not going to be stored anywhere along the way.
Which wouldn't be a problem at all if the link was properly password protected.
I didn't expect that I'd have to defend username/password combination.
I hope everyone here realizes that the link in this case is the password, and treats it as such. And I'm not too comfortable using just password without the URL + login.
The problem with using just the link is that it's easier to leak it.
Here are a couple of ways the links could be leaked:
Here, if you follow a link from your dashboard, your url could be leaked (I'm not sure if it's a possibility with what dashboards can do, but I guess it is):
Here, even with HTTPS, the links could be leaked via Wifi:
And on top of that, by just using a simple google search, I've discovered several active and open Hubitat dashboards myself (only one of them protected by PIN).
I think this IS an issue, and I'd really like to have an option to password-protect my dashboards.