: support for 2FA



  • I was also unpleasantly surprised by the lack of 2FA. Just make it an optional (but recommended) thing so that your "older" clients can also use the service without issues and everyone is happy. In 2021 it's no rocket science to implement this extra layer of security; there are many libraries out there ready to be used, so development time should also be limited. Hope to see this feature soon. :)

  • I recently became a tado user and I am appalled that TADO does not have 2FA. Your website said that you use the same security as banks, but every single bank uses 2FA. Your entire infrastructure has 1 point of failure. If for some reason TADO does not properly hash users' passwords or, God forbid, stores them in plain text in a database, then one hack would expose every single house to the most extreme hacks possible.

  • Gabs
    Please note this is a very serious security weakness. If a hacker gets access to my account, they could know when I'm away (system set on away) and also have my home address, used for geofencing.
    Much bigger companies have lost customer data in the recent past (see Experian, the audit company).
    Please escalate this!

    If I could lock remote access to my setup, I would. But that's impossible; remote access is the only way tado is set up to allow, according to one of your most active community threads.

    Until this is resolved, I would advise anyone to fake their home address (your system doesn't allow me to leave it blank).

  • A hack is not only to the detriment of its users. Successful cyber attacks carry enormous reputational damage to a business. The negative impact can be tangible – a 2019 study reported by Forbes found that a breach can lower a company’s share price by 7%. It can be hard for the organisation to regain customers’ trust, particularly if the breach was widespread or caused by basic security errors.

  • In 2022, implementing 2FA is considered a hygiene factor for every professional organization dealing with sensitive personal information in online environments. It's not something that should have 'business value' or enough user requests before it is implemented. It should not be on a list of 'nice-to-haves when we have some spare dev time life', nor is it a feature for nerdy tech users only. It should be a natural part of your company's vision and motivation to protect your customer's data, and taking your customers seriously.

    Only a single password separates full control over my home environment from random malicious actors on the Internet. I have no idea how secure Tado's password database infrastructure is in reality, but ultimately every infrastructure can be compromised. If your password database is leaked after a targeted attack, I want my home to be secure. I want Tado to be prepared for that scenario and actively work on preventing it as much as possible. By implementing 2FA – which really isn't rocket science anymore nowadays – you'll really make a big step forward.

    Don't overcomplicate things either – I've worked with dev teams in startups who have implemented basic 2FA within a single day using standard libraries and a simple UI workflow. In the time you've spent discussing this, you could probably have implemented it already.

    I love Tado, but security-wise you really need to wake up and ramp up your maturity.

  • I am late to this party, but am a firm candidate for this also; whether it be optional or not, it should be a feature that is offered. Security is so key now! This should already be a feature and is a serious oversight or lack of effort on tado’s part.
  • MrMase

    @Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter

    Digging up this topic again as Tado has yet to make any progress towards a clear message from your own users.

    Let this notice be a warning, and I know that, just coming from 1 user, your responses are probably going to be 'meh, no issue': as no progress is being made, or the community even being responded to now with at the very least a timeframe as part of the project, for my household's IoT technology the Tado equipment is going to be pulled out and replaced by a competitor who has already implemented MFA.

    I have already had to recommend alternative products to several friends and family due to this issue alone.

  • Joriz

    +1 for 2FA

    I want my account and data to stay safe.

    If implemented correctly, 2FA only needs to be asked once or once in a while for a legitimate user. It shouldn't be hard to use. Even the elderly in the Netherlands are required to use 2FA on many platforms.

    Security and 2FA should be highest priority.

  • +1 for 2FA

    Make Security a priority! Thank you.

  • 2-factor authentication not available?

    Had I known 2FA was not an option I would not have bought into the Tado environment. Now seriously overdue. Especially as this issue was raised in 2014.

    Tado, where is 2FA in your development schedule?

  • The lack of dual authentication is a concern for me. I have just done a test at home with 2 thermostatic heads and everything works fine. But I still have 21 thermostatic heads to buy and the lack of security is a concern. After reading the forum, it seems that dual authentication can be set up in two working days. So the lack of resources would not be a good argument? I also note that older people are getting help from younger people to set up security. This is how I help my 92 year old mother. The ability to control your thermostatic heads remotely means that Tado° goes through the firewall of my computer installation. Without dual authentication, it's scary for my home network, isn't it? I hope Tado doesn't wait until it's in the news to implement proper security. Its reputation will be tarnished for a long time to come.

  • Now the first request for 2FA already dates back more than 3 years. I still believe that this is a vital feature because the account allows access to sensitive information. From the messages above I understand that tado also considers 2FA to be important.

    I'm very concerned and I won't recommend tado to friends. My feeling is that tado is not concerned enough about the security of my personal data, which I find very disappointing. I deliberately chose a more expensive German product because security and personal data are important to me.

  • For those finding this thread while the powers that be get their act together, alternative solutions that do have 2FA:

    • Hive
    • Nest
    • Ecobee

    Though the latter two do not offer a TRV that you can use in the way you can with Hive and Tado. Some of the other options such as Netatmo, Drayton Wiser, Genius, Honeywell seem not to offer 2FA either (unless someone here can confirm they do).

    Vote with your virtual feet.

  • tda

    I agree. 2FA should be a standard choice in all solutions, or just standard in all sites where you log in. It is a bit uncomfortable that people easily can take control of my account and my settings.

  • Personally I don't see the point in 2FA for Tado, however think it would be wise to email customers when someone logs in to your account as that's got to be simple to deliver and ensures you know if someone is trying to mess about with your heating.

  • JimH

    I would like to see this implemented as well please......

  • I think the attitude towards Cyber Security from Tado is absolutely shocking, can you imagine what their internal IT infrastructure looks like from a security perspective!

    Shame as I was about to purchase a dozen or so valves but will be forgoing those and replacing with another smart thermostat that has industry standard security.

  • Hi all

    I've just become a Tado customer and am very pleased with the system...... but..... OMG no 2fa!!! Just caught up on previous comments and although I agree with their point on prioritisation for development, I urge them to put this to the top. Working in IT security, having a long passphrase is one thing, however having MFA is that next level. We are talking about security of people's homes!! Now knowing this I would have chosen another solution.

    I also agree with another contributor that if Tado are concerned about 2FA and people less 'techy' then give options for risk management.



  • Where is the MFA? This is shockingly poor and so easy to implement
  • Hayrack
    edited November 2022

    2FA is a basic requirement in 2022

    It should not be a debate or something to argue for. We should not have to beg for it, nor hope for it as a Xmas present.

    Although pleased so far with the system, I have already steered 2 houses away from this system. Without 2FA, I will not be recommending this to anyone I know for installation.

    As for myself I am considering packing it all up and sending it back just for this one issue.

  • I too have become a recent customer and consider 2FA essential for any IoT system. I think this should be considered of very high importance to add and will not recommend use of tado to any friends/family until this is addressed.

  • This has been open for 3 years already! MFA is not a nice-to-have anymore, but a MUST have for any system, especially for IoT devices and accounts.

    Please implement this asap!

  • I also find it necessary and should no longer be postponed.

  • paul0000

    Hi all,

    I'm in agreement. MFA is super important for tado. Given the risks already highlighted in this thread (and having a cyber security background in the past) I think this should be prioritised.

    Taking an educated guess that many users use a login and password that is replicated across other applications and services. Doing your part, tado, to protect users is important. I don't feel it's on users to have a unique login/password for every site they use, more that the providers support MFA to protect us from ourselves :)

  • It is incomprehensible and inexplicable to not have MFA for such an important system anywhere after the year 2000.

    Please Tado, stop what you're doing and add a form of MFA.

    I guess one of the easiest ways is to add SAML/OAuth integration with existing platforms. Otherwise TOTP would be fine too.

  • +1 for 2FA, whatever the system is (SMS, authenticator, through the app approval...)
  • Is there any update on this, @Rob?

    Using only a password isn't safe. Look at what happened at LastPass ...

    I know that implementing 2FA can be done wrongly or in a complicated manner. But there are also many great libraries which you can use or use as inspiration for a good implementation.

  • I think tado should add 2FA as an opt-in feature, so users have the option for the additional security.

    If you tell us passwords are secure. Are there any audits from third parties of your IT security? What mitigations are currently deployed against attackers brute forcing passwords? Also for the most basic security: Are passwords only saved as hashes with salt?

  • @tado - This is concerning!

    Also found it odd that the Password for the Community was forced to be at least 12 char long, whereas for the App itself's AC this is not enforced.... Odd

    2FA is really a must in this day and age!