On the basic free MyHS there is only one user and it will have admin access. With a premium account for $24 per year, you can add HSTouch only users.

Use a fixed IP or a dynamic servce and access directly without myHS?

While possible, I urge folks to not do this. While you may be security aware, many folks aren't and simply want something that 'works'. $2 a month falls below the pain threshold (IMHO) for not directly exposing my HS system directly to the network.

What I'm having problems with using myhs is accessing custom websites defined ins Setup>Web Site settings or Jon00's Links plugin.
I raised this with support who said this is a known issue... Limits my access from work.

OK, lets think this one out. Your premise is that by using MyHS, you are safer than opening a port and accessing it directly. You don't mention reliability but that is a big factor too.

For sake of comparing apples to apples, lets take the functionality of accessing other services such as Amazon Echo or IFTTT off the table. Lets just look at the safety and reliability aspects.

So if I am using MyHS, HS3 will open a connection to the MyHS mothership and keep that connection open. This allows MyHS to communicate directly with HS3. The good news is that no port needs to be open to the internet since the connection is started from the inside and kept open all the time. Also, HS3 will inform MyHS of any changes to the external IP address of the HS3 systems so no other DDNS is needed MyHS has a login portal which allows full control. If that security is breached, all bets are off.

Alternatively, I open/redirect a port which goes directly to HS. I do need a DDNS provider since the external IP will change from time to time. There are several free sites for this and most routers will handle keeping the DDNS in sync. It all works fine and apps such as HSTouch can access it without any need for MyHS. A port is open on to the outside world which anyone can knock on. They are up against my firewall, router and the native HS3 login security in terms of being able to breach security.

Now lets do a net/net.

Login security - in both cases, I am dependent on the quality of the HS3 login code - either to MyHS or directly to HS3. If I'm to have faith in MyHS login security, why would I not have as much faith in the local HS3 login security? When comparing the free MyHS to local control, security is compromised since I need a remote user with admin access. With local control via port forwarding, I can authorize whatever level of remote user I wish. Plus I can have unique user IDs for people and devices.

Simplicity - It will be much easier for the novice to use MyHS since nothing needs to be done to the router.

Reliability - this is where using MyHS really has potential disadvantages. If MyHS is down or not functioning properly, remote access is down. If MyHS is slow, local access is slow. This is not an uncommon occurrence. Many threads can be found about MyHS stopping working.

Latency - If I'm home and am using HSTouch on my phone to control devices, I'm pretty sure it goes to the cloud to access my local HS3 devices. If that is correct, and I might be wrong, that will introduce time delays between action request and action completion. I'm on satellite for my internet and round trips take time. Just did a ping on MyHS and it was 773 ms.

Just seems to me that using ports generally gets a bad wrap. Sure, you need to know what you are doing. I'm just not sure when you compare remote port access to MyHS access, that MyHS, in the big picture, is superior. When you bring in reliability and latency, the scale begins to tip.

Note: I'm only comparing MyHS to local port access. Using VPN is a whole other story.

I think this is bsobel's point entirely. While I'd like to have some of the advantages of opening a port, I'm not sufficiently confident (or competent) that I can keep the bad guys at bay.

Does opening the port not potentially expose the entire HS server, not just HS3, whereas MyHS does not?

Perhaps this is too much digression from the original post. It's a topic I'd like to understand better, perhaps in another thread.

Opening the port only exposes the particular port in question, but if that is then used to trigger a vulnerability your whole machine could be at risk. Since HS runs as a privileged account (it shouldn't, there is no viable excuse for this) taking over HS means losing the machine for all practical purposes. As the other poster correctly stated, a VPN is a whole different story and what I would recommend if you do want to connect direct.

The other benefit is that any known exploits can be blocked at the MyHS side by their firewall and then protect all systems, where as individual systems may not all be updated at the same time (Im sure there are some very old systems directly connected out there). Again, for users who understand the risk and choose to own them, go with god ,) but for the general user I would not recommend this at all. I do security for a living, so I deal with the ramifications of these things all the time.

Thanks for the explanation.