: support for 2FA



  • I was also unpleasantly surprised by the lack of 2FA. Just make it an optional (but recommended) thing so that your "older" clients can also use the service without issues and everyone is happy. In 2021 it's no rocket science to implement this extra layer of security; there are many libraries out there ready to be used, so development time should also be limited. Hope to see this feature soon. :)

  • I recently became a tado user and I am appalled that TADO does not have 2FA. Your website said that you use the same security as banks, but every single bank uses 2FA. Your entire infrastructure has a 1 point of failure. If for some reason TADO does not properly hash users' passwords or, God forbid, stores them in plain text in a database.

    Then one hack would expose every single house to the most extreme hacks possible.

  • @Jurian
    Please note this is a very serious security weakness. If a hacker gets access to my account, they could know when I'm away (system set on away) and also have my home address, used for geofencing.
    Much bigger companies have lost customer data in the recent past (see Experian, the audit company).
    Please escalate this!

    If I could lock remote access to my setup, I would. But that's impossible; remote access is the only way tado is set up to allow, according to one of your most active community threads.

    Until this is resolved, I would advise anyone to fake their home address (your system doesn't allow me to leave it blank).

  • A hack is not only to the detriment of its users. Successful cyber attacks carry enormous reputational damage to a business. The negative impact can be tangible – a 2019 study reported by Forbes found that a breach can lower a company’s share price by 7%. It can be hard for the organisation to regain customers’ trust, particularly if the breach was widespread or caused by basic security errors.

  • In 2022, implementing 2FA is considered a hygiene factor for every professional organization dealing with sensitive personal information in online environments. It's not something that should have 'business value' or enough user requests before it is implemented. It should not be on a list of 'nice-to-haves when we have some spare dev time life', nor is it a feature for nerdy tech users only. It should be a natural part of your company's vision and motivation to protect your customers' data, and taking your customers seriously.

    Only a single password separates full control over my home environment from random malicious actors on the Internet. I have no idea how secure Tado's password database infrastructure is in reality, but ultimately every infrastructure can be compromised. If your password database is leaked after a targeted attack, I want my home to be secure. I want Tado to be prepared for that scenario and actively work on preventing it as much as possible. By implementing 2FA – which really isn't rocket science anymore nowadays – you'll really make a big step forward.

    Don't overcomplicate things either – I've worked with dev teams in startups who have implemented basic 2FA within a single day using standard libraries and a simple UI workflow. In the time you've spent discussing this, you could probably have implemented it already.

    I love Tado, but security-wise you really need to wake up and ramp up your maturity.

  • I am late to this party, but am a firm candidate for this also; whether it be optional or not, it should be a feature that is offered. Security is so key now! This should already be a feature and is a serious oversight or lack of effort on Tado’s part.

  • @Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter

    Digging up this topic again as Tado has yet to make any progress towards a clear message from your own users.

    Let this notice be a warning (and I know that, just coming from 1 user, your responses are probably going to be 'meh, no issue') that, as no progress is being made and the community is not even being responded to now with, at the very least, a timeframe, as part of the project for my household's IoT technology the Tado equipment is going to be pulled out and replaced by a competitor who has already implemented MFA.

    I have already had to recommend alternative products to several friends and family due to this issue alone.