I was also unpleasantly surprised by the lack of 2FA. Just make it an optional (but recommended) thing so that your "older" clients can also use the service without issues and everyone is happy. In 2021 it's no rocket science to implement this extra layer of security; there are many libraries out there ready to be used, so development time should also be limited. Hope to see this feature soon. :)
I recently became a tado user and I am appalled that TADO does not have 2FA. Your website said that you use the same security as banks, but every single bank uses 2FA. Your entire infrastructure has a single point of failure. If for some reason TADO does not properly hash users' passwords, or God forbid stores them in plain text in a database,
then one hack would expose every single house to the most extreme hacks possible.
A hack is not only to the detriment of its users. Successful cyber attacks carry enormous reputational damage to a business. The negative impact can be tangible: a 2019 study reported by Forbes found that a breach can lower a company's share price by 7%. It can be hard for the organisation to regain customers' trust, particularly if the breach was widespread or caused by basic security errors.
In 2022, implementing 2FA is considered a hygiene factor for every professional organization dealing with sensitive personal information in online environments. It's not something that should need 'business value' or enough user requests before it is implemented. It should not be on a list of 'nice-to-haves for when we have some spare dev time', nor is it a feature for nerdy tech users only. It should be a natural part of your company's vision and motivation to protect your customers' data and take your customers seriously.
Only a single password separates full control over my home environment from random malicious actors on the Internet. I have no idea how secure Tado's password database infrastructure is in reality, but ultimately every infrastructure can be compromised. If your password database is leaked after a targeted attack, I want my home to be secure. I want Tado to be prepared for that scenario and to actively work on preventing it as much as possible. By implementing 2FA, which really isn't rocket science anymore nowadays, you'll make a big step forward.
Don't overcomplicate things either: I've worked with dev teams in startups who have implemented basic 2FA within a single day using standard libraries and a simple UI workflow. In the time you've spent discussing this, you could probably have implemented it already.
I love Tado, but security-wise you really need to wake up and ramp up your maturity.
@Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter
Digging up this topic again as Tado has yet to make any progress towards a clear message from your own users.
Let this notice be a warning. I know that, coming from just one user, your response is probably going to be 'meh, no issue', but as no progress is being made and the community is not even being responded to with at the very least a timeframe, as part of the project for my household's IoT technology the Tado equipment is going to be pulled out and replaced by a competitor who has already implemented MFA.
I have already had to recommend alternative products to several friends and family due to this issue alone.