Hi. Is there an ETA for 2FA support for access to my.tado.com?
Given the IoT connectivity, I would also really like to suggest 2-Factor Authentication for the tado system accounts as well as for the support accounts.
Please put me down as a +1 for 2FA/MFA. I'm a little concerned that all it would take is a password hack and a nefarious person could wreak havoc on my heating system - and/or lock me out of it.
I also note that I don't get emails when a new browser/device signs in to my account. From a security standpoint this a basic feature of most online services nowadays and would at least flag to users whether something was afoot with their account. Perhaps this could be paired with some sort of basic audit logging.
Just a few more thoughts on this one, I guess that somebody could also get into your account and see whether you're at home or not.
Please could you give us all an update on this. Like the posters above have said this is actually very important.
No answer, no ETA after one and a half years?
+1 for 2FA.
If ideas are not supported immediately by enough people they tend to drift down the pages and get forgotten about.
+1 for 2FA.
Something like this needs to be secured/locked down.
Thank you for bringing up the request for 2FA.
We know that a small subset of "power users" is really interested in this. However, this is not something that the mass market cares for at this time. We are waiting for the right time to start looking into this.
But please keep this topic active and keep upvoting.
@Jurian sorry to disagree, but I don't think 2FA/MFA is a power-user thing anymore.
Apple, Microsoft and Google have made this mainstream; almost every major SaaS vendor supports 2FA as either an SMS or an authenticator code, to the point that both Microsoft and Google have made their authenticators totally public domain and any software author can hook into their API to get a seed and QR code link. Seriously easy for everyone.
Add to that the fact that almost everyone uses some kind of app or web based banking and it's a long time since I've been able to log on to any bank without MFA.
SAML support is everywhere, and SMS gateways cost little, but authenticator support is free. This sounds like a poor excuse. Besides, making it optional covers all the bases - turn it on if you want it.
@legsak1mbo is right in essence: users are trusting access to their home IoT to you, even the details of payment plans and other personal data. For the security of your reputation and your customers' peace of mind, implementing 2FA/MFA should be high on your list.
For the record, it took one of my developers less than 2 days to roll out MFA protection on our support portal via SAML and Google/MS Authenticator and SMS. No excuses please!
As we all know, the harsh reality in the business world is that any investment of resources has to have a perceived financial payback, and to have a financial payback any idea has to be something that will become valuable to a significant percentage of key customers. If resources (such as the necessary skills and time) are not immediately available, or are prioritised on other tasks that are more likely to have payback, then this may sit on the shelf for some time. The vision of a company’s senior management is critical in steering the company not just towards prosperity, but towards a better future in all respects. I hope that Tado finds the right direction. It’s hard to get a good reputation. In the world of social media it is very easy to lose it. It is obvious that there are people on this forum with certain skills and knowledge. I can only hope that Tado management manage to pick up on some of the ideas that will help to keep them up with and also to set them apart from their competitors. Hive already use 2FA.
@Klaus_Ludwig and @Jurian
The problem here is that nobody wants security until after they have an event. Unlike poor network or server performance, there is no direct visible correlation between spend and result. With security you could spend nothing and get away with it for an extended period, or pay a lot and still get it wrong and end up with a breach.
The question here for Tado is whether they have considered the impact of GDPR on their business and their customers. Tado holds customer PII in their portal (my name, my address, a phone number and an email address). If my account becomes breached because I use a poor password, or duplicate a password I have used elsewhere, then that breach is very likely to be notifiable under GDPR because effectively Tado have "lost" my data, and I believe that Tado would have a hard time explaining that they had "taken all reasonable measures" when an email-based username and password is not really an effective defence for that data. The fine is €20,000,000 minimum, which should be sufficient incentive.
More importantly, as @Klaus_Ludwig rightly points out, social media can kill a business reputation overnight - it's really not worth the risk either way when it's really so very simple to avoid.
This is absolutely not a "power user" thing, it's a self-preservation thing for your organisation, and (IMHO) a moral responsibility to your customers who may not understand some of the implications of this themselves or be able to take other steps. Equally, there is a wider question of perception: how seriously do Tado take other aspects of digital (and physical) security if they feel it's acceptable to rely purely on email username and password to protect data?
I would also point out that a number of your competitors (including Hive) DO offer 2FA/MFA protection to their customers, and since SMART technology is specifically a part of the modern digital revolution, it makes no sense for a "new" style company to adopt a security posture from the "old days".
Totally agree that the main motivating factor for implementation of 2FA/MFA controls is going to be the perceived risk of incurring a very significant GDPR fine and also the associated damage to reputation.
@Jurian There are a lot of smart, on-the-point comments above.
A further official answer from Tado is necessary.
2-factor is NOT "power". It is de rigueur in a world where every week we see another major international news headline about hacks and data breaches, almost always occurring because such basic precautions as 2-factor authentication were not taken.
A Tado° controlled home heating/cooling system is a "cyber-physical" system; something where I.T. can impact the real physical world. It can cause physical harm (remotely shutting off heating in a dwelling which is unoccupied during a cold snap), and can even cause medical harm (a semi-dependent person who is checked-in on ~daily could suffer hours of too-cold or too-hot before their caretaker came and found them).
2-factor isn't expensive to implement (Google Authenticator for example), and it's common enough now (Google, Microsoft, Amazon, all financial services in Europe and many in north America, etc, etc, etc, etc) that users shouldn't have much trouble with it (if it's done well).
It's long past time.
-Jay Libove, CISSP(retired), CIPP/US, CIPT, CISM(retired)
This is in today's news:-
Hey Tado, can we please have MFA? The fact that this is always on the internet makes me nervous. MFA is not that difficult to implement and would add a huge amount of security to the application!
@Jurian Also disagree with you on this one, Two Factor / Multi Factor authentication is considered basic internet security these days.
Think of the following scenario:
Implementing FIDO security key support would be preferable, but I will concede this is more of a specialist version; however, at the very least OTP codes should be implemented via authentication apps, or email verification if logging in after an extended period / from a different IP address.
@MrMase Thanks for your input.
I do not see elderly people adding MFA/2FA to their tado account, unless you believe that it should be set to mandatory for every tado account. Thus creating more issues for less "technical" people?
What is your view on this?
There is no need to mandate that 2FA is used. Look at some of the tech firms who have lost millions of customer details and then applied 2FA, too late: Google, Ubiquiti, Microsoft and many, many more. I use 2FA on every account that allows it, and please remember that smart home IoT hardware is well known as a hackers' go-to for info or back doors. Ubiquiti introduced 2FA within a few days of a massive hack. Maybe you could, as there seem to be many voices asking for it.
I just found out that anyone could access my whole home setup just by logging in via a browser. This system is a ticking time bomb. Devices need to be either authenticated in the local network before being accessed from abroad, or secured with 2FA. This is not an option but mandatory for critical personal infrastructure.
Please don't get me wrong. I do think that 2FA is important.
The main question is, where does it stand in relation to other potential improvements?
With a limited amount of development resources, which improvements will bring the maximum amount of value to the greatest number of customers?
Until 2FA is implemented, I highly suggest using a unique password that contains random characters.
I highly suggest using a password manager such as Google, KeePass, Bitwarden, LastPass etc.
That way, you can achieve a reasonable amount of security with respect to the potential risk of someone getting access to the account.
@Jurian sorry for my delayed response.
In answer to your question: regardless of age, MFA should be considered a top priority for implementation, even if not mandated as compulsory for all customers.
The above should also be considered in Tado's best interest, due to the issues I outlined before: if Tado has not provided the facilities and a breach occurs involving manipulation of customer devices, then it can be argued that tado is responsible for additional costs / issues arising due to negligent practices; however, if the feature is available, then it is down to customer choice if it is not enabled. Considering the expected technical ability of your customers, uptake would at least be worth the development effort and peace of mind.
You mention LastPass and Bitwarden etc. in your reply. As a current user of LastPass: even if not full 2FA in the form of OTP / security key support, you could at least go with the check LastPass carries out of confirming access in the registered email account if using an IP address devices are currently not communicating from. This could even be made less of an issue for the less technical by using a "remember device" option such as that used by Valve when signing into Steam, which would resolve the issue of mobile phones away from the home due to a device thumbprint. Of course, we would need an option on the site to sign out all devices in the event we suspect a breach ourselves.
As someone who works in the tech field and, up until this issue, a fan of Tado, given that part of my job involves internet security, I struggle to recommend Tado on security grounds at present.
Your guidance on passwords is accurate and in line with recommended practices but not having 2FA is just asking for problems with this kind of technology.
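The fallback the post above describes (confirm a sign-in from an unknown device by e-mail, remember the device afterwards, and offer a "sign out all devices" switch) fits in a small amount of server logic. The Python below is an added example written for this thread, not tado's implementation; the in-memory stores, the `outbox` list standing in for an e-mail gateway, and PBKDF2 standing in for a slow password hash are all constructed assumptions. The remembered-device token is stored only as a digest, the e-mailed challenge is single-use and expires, and "sign out everywhere" works by bumping a per-account generation counter that every issued session is checked against.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TRUST_SECONDS = 30 * 24 * 3600   # how long a "remembered" device stays trusted
CHALLENGE_SECONDS = 15 * 60      # how long an e-mailed confirmation link is valid


def _hash_token(token: str) -> str:
    # Only a digest of the (high-entropy) device token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    generation: int = 0                                   # bumped by sign_out_everywhere()
    trusted_devices: dict = field(default_factory=dict)   # token digest -> expiry timestamp
    challenges: dict = field(default_factory=dict)        # challenge id -> (client ip, expiry)


class LoginService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}   # session id -> (email, account generation when issued)
        self.outbox = []     # constructed stand-in for the e-mail gateway

    @staticmethod
    def _pw(password: str, salt: bytes) -> bytes:
        # PBKDF2 is an assumption here; use argon2/bcrypt in production.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, self._pw(password, salt))

    def _issue_session(self, acct: Account) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (acct.email, acct.generation)
        return sid

    def login(self, email, password, device_token=None, client_ip="0.0.0.0", now=None):
        """Returns ("session", sid, device_token), ("challenge", id, None) or ("denied", None, None)."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        # Hash even for unknown accounts so response time does not reveal whether the e-mail exists.
        salt, stored = (acct.salt, acct.pw_hash) if acct else (b"\0" * 16, b"\0" * 32)
        if not (hmac.compare_digest(self._pw(password, salt), stored) and acct):
            return ("denied", None, None)
        digest = _hash_token(device_token) if device_token else None
        if digest in acct.trusted_devices and acct.trusted_devices[digest] > now:
            return ("session", self._issue_session(acct), device_token)
        # Unknown device: hold the login and e-mail a one-time confirmation link.
        challenge = secrets.token_urlsafe(32)
        acct.challenges[challenge] = (client_ip, now + CHALLENGE_SECONDS)
        self.outbox.append((email, f"New sign-in from {client_ip}. Confirm: /confirm/{challenge}"))
        return ("challenge", challenge, None)

    def confirm_new_device(self, email, challenge, remember=True, now=None):
        """Called when the user opens the e-mailed link; the challenge is consumed either way."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or challenge not in acct.challenges:
            return ("denied", None, None)
        _ip, expiry = acct.challenges.pop(challenge)
        if expiry <= now:
            return ("denied", None, None)
        device_token = None
        if remember:
            device_token = secrets.token_urlsafe(32)   # handed to the client as a long-lived cookie
            acct.trusted_devices[_hash_token(device_token)] = now + TRUST_SECONDS
        return ("session", self._issue_session(acct), device_token)

    def is_session_valid(self, sid: str) -> bool:
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        email, generation = entry
        acct = self.accounts.get(email)
        return acct is not None and generation == acct.generation

    def sign_out_everywhere(self, email: str) -> None:
        # One switch invalidates every session and forgets every remembered device.
        acct = self.accounts[email]
        acct.generation += 1
        acct.trusted_devices.clear()
        acct.challenges.clear()
```

In a real service the e-mail would also carry the time and a coarse location for the sign-in, and the trusted-device table would be visible to the user so individual devices can be revoked rather than only all at once.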