: support for 2FA



  • Feb 2023…still no sign of this? 😬
  • Upcott
    As someone with 25 years professional experience in cybersecurity, the last 10 of which spent educating users in sensible security, I am amazed Tado is still not offering MFA. It's fundamental in today's IoT security standards.
    I am still waiting for it, before installing a 6 controller/zones system in my house. BUT Tado, no MFA, no sale for you. Until then, it's far too vulnerable and dangerous.
  • 30th of April 2023, still no 2FA? Welcome to the new age, please incorporate 2FA, preferably also adding an option for a YubiKey

  • dermotw

    No proper authentication - that is not a very nice piece of design!

  • Any news? Two-factor authentication is a must in 2023

  • If tado does not implement conventional 2FA, they might still consider other security enhancements.

    • Login/session history (and control)
    • Geoblocking (why should an app connected with an Asian or US IP need to control my heating?).
    • Login confirmation by email or text message
    • Doubtful or new connection alert
    • Using an external login framework (with correct 2FA or user verification)

    (Again and again) “security” is not a luxury, it is the norm (or should be).

    Perhaps even more so in applications with implications for the physical world or controlling heating devices.

    Not implementing it is a company responsibility, in the event of damage or litigation in court. It is also a risk for the image of the company, its value, if a hack or a data leak happens one day.

  • samd

    @alexisj OK but tell tado that, not us! tado have not graced us here with their presence for some considerable time.

  • SPT
    It's Q4 of 2023, why do you not have Duo push authentication? When you get a data breach you're going to have a lot of compensation to pay your users!
  • Agreed that this is a must in today's IoT. Upvote for this issue. Any concrete plans Tado?

  • Unacceptable and absolutely bonkers that 2FA is not here yet.
  • I'm really surprised that MFA is not available yet. +1 for me.

  • Guys, c'mon. This is basic.

  • woodyard
    edited November 2023
    MFA would be nice and expected as a standard today.

    Passkey would be even better.

    I can't believe there is not an option for MFA here in 2023!
  • jamesabell
    edited February 23

    No MFA in 2024 is shocking!

  • 2FA is definitely required. Come on Tado, sitting on your hands is a disastrous tactic. Every company should take heed from Blockbuster Video.
  • samd

    Just a simple question but probably needs legal assistance! Now the new tado version is under trial in parts of mainland Europe, could the future see the roll out of the new version with tado declaring the current version no longer supported? No responsibility for MFA?

  • leewoods

    Still waiting on 2FA…seriously!

  • briand
    edited April 23

    @Jurian 2FA/MFA is not complicated, TADO. Just implement IAM properly - even open source. Really. This is 2024 now and this should be attended to.

  • cdmstr
    @samd EU Cyber Resilience Act mandates a minimum support period of 5 years for IoT devices.

    Even if tado stop selling current generation devices today, the 5 year support period takes us well past the compliance date for the CRA. In my other thread I explained why the CRA forces tado to implement MFA, and why a new generation of devices shouldn't preclude cyber control improvement to the current gen and API platform.
  • samd

    @cdmstr Thank you for that.

  • isgXLTUQUXfnPuuJRHUs

    The UK's new IoT cybersecurity law (that came into effect a few days ago) is impressively clear. Tado must comply by (specifically) implementing 2FA and other security measures as their devices/services are being actively marketed/sold in the UK. If they don't, we can simply file a legal complaint against them, and they're at risk of getting a pretty big fine.

    It's astonishing that they (a *German* company) haven't already done so after all these years. Elephant in the room, there haven't been any/barely any real-world improvements made to the smart TRVs or its app, could it be that this project is effectively on life support?

  • FFM

    @isgXLTUQUXfnPuuJRHUs Where did you get the 2FA (or MFA) requirement? The PSTI is, if you ask me, a pretty weak sauce. No easily guessable preset passwords, known lifetime for security updates, and a known update path.