support for 2FA

Hi. Is there an ETA for supporting 2FA for access to ?

Best regards

65 votes

  • Given the IoT connectivity, I would also really like to suggest 2-factor authentication for the tado system accounts as well as for the support accounts.

  • Hi,

    Please put me down as a +1 for 2FA/MFA. I'm a little concerned that all it would take is a password hack and a nefarious person could wreak havoc on my heating system - and/or lock me out of it.

    I also note that I don't get emails when a new browser/device signs in to my account. From a security standpoint this is a basic feature of most online services nowadays and would at least flag to users whether something was afoot with their account. Perhaps this could be paired with some sort of basic audit logging.

  • Just a few more thoughts on this one: I guess that somebody could also get into your account and see whether you're at home or not.

  • Please could you give us all an update on this. Like the posters above have said, this is actually very important.

  • No answer, no ETA after one and a half years?

  • Hi @eMa,

    +1 for 2FA.

    If ideas are not supported immediately by enough people they tend to drift down the pages and get forgotten about.

  • +1 for 2FA.

    Something like this needs to be secured/locked down.

  • Thank you for bringing up the request for 2FA.

    We know that a small subset of "power users" is really interested in this. However, this is not something that the mass market cares for at this time. We are waiting for the right time to start looking into this.

    But please keep this topic active and keep upvoting.

  • Klaus_Ludwig (edited February 23)

    As we all know, the harsh reality in the business world is that any investment of resources has to have a perceived financial payback, and to have a financial payback any idea has to be something that will become valuable to a significant percentage of key customers. If resources (such as the necessary skills and time) are not immediately available or are prioritised on other tasks that are more likely to have payback, then this may sit on the shelf for some time. The vision of a company’s senior management is critical in steering the company not just towards prosperity, but towards a better future in all respects. I hope that Tado finds the right direction. It’s hard to get a good reputation. In the world of social media it is very easy to lose it. It is obvious that there are people on this forum with certain skills and knowledge. I can only hope that Tado management manage to pick up on some of the ideas that will help to keep them up with and also to set them apart from their competitors. Hive already use 2FA.

  • @XKRMonkey,

    Totally agree that the main motivating factor for implementation of 2FA/MFA controls is going to be the perceived risk of incurring a very significant GDPR fine and also the associated damage to reputation.

  • @Jurian There are a lot of smart, on-the-point comments above.

    A further official answer from Tado is necessary.

    2-factor is NOT "power". It is de rigueur in a world where every week we see another major international news headline about hacks and data breaches, almost always occurring because such basic precautions as 2-factor authentication were not taken.

    A Tado° controlled home heating/cooling system is a "cyber-physical" system; something where I.T. can impact the real physical world. It can cause physical harm (remotely shutting off heating in a dwelling which is unoccupied during a cold snap), and can even cause medical harm (a semi-dependent person who is checked-in on ~daily could suffer hours of too-cold or too-hot before their caretaker came and found them).

    2-factor isn't expensive to implement (Google Authenticator for example), and it's common enough now (Google, Microsoft, Amazon, all financial services in Europe and many in north America, etc, etc, etc, etc) that users shouldn't have much trouble with it (if it's done well).

    It's long past time.

    -Jay Libove, CISSP(retired), CIPP/US, CIPT, CISM(retired)

  • Hey Tado, can we please have MFA? The fact that this is always on the internet makes me nervous. MFA is not that difficult to implement and would add a huge amount of security to the application!

  • @Jurian I also disagree with you on this one; two-factor / multi-factor authentication is considered basic internet security these days.

    Think of the following scenario:

    • Tado has a data breach exposing user passwords
    • Criminals gain access to the My Tado accounts of users before we are able to reset passwords
    • There would be cost implications for customers should heating be ramped up (I'm pretty sure Tado would not like to foot the bill for this on customer behalf due to not investing in adequate information security standards)
    • In the dead of winter the same criminals could also turn off heating in the homes where elderly and vulnerable people live who are not technically minded.

    Implementing FIDO security key support would be preferable, but I will concede this is more of a specialist version; however, at the very least OTP codes should be implemented via authentication apps, or email verification if logging in after an extended period / from a different IP address.

  • Jurian | Admin

    @MrMase Thanks for your input.

    I do not see elderly people adding MFA/2FA to their tado account, unless you believe that it should be set to mandatory for every tado account. Thus creating more issues for less "technical" people?

    What is your view on this?

  • 00001010 (edited June 7)

    @Jurian I disagree with you in this regard. I myself don’t see elderly people seeking out and installing Tado products by themselves.

    Why don’t you at least give your customers an option to use MFA/2FA or not?

    Let them (customers) decide what to use and how to protect themselves (don’t decide not to implement it because some of the clients - maybe a small part - don’t know about it).

    Best wishes,

  • There is no need to mandate that 2FA is used. Look at some of the tech firms who have lost millions of customer details and then applied 2FA, too late. Google, Ubiquiti, Microsoft and many many more. I use 2FA on every account that allows it, and please remember that smart home IoT hardware is well known as a hackers' go-to for info or back doors. Ubiquiti introduced 2FA within a few days of a massive hack. Maybe you could, as there seem to be many voices asking for it.

  • I just found out that anyone could be able to access my whole home setup just by logging in via a browser. This system is a ticking time bomb. Devices need to be either authenticated in the local network before being accessed from abroad, or secured with 2FA. This is not an option, but mandatory for critical personal infrastructure.

  • @Jurian 2FA is not for power users. 2FA is for those who are prone to password attacks and bad password reuse (most likely not power users).

  • Jurian | Admin (edited June 16)

    Please don't get me wrong. I do think that 2FA is important.

    The main question is, where does it stand in relation to other potential improvements?

    With a limited amount of development resources, which improvements will bring the maximum amount of value to the largest number of customers?

    Until 2FA is implemented, I highly suggest using a unique password that contains random characters.

    I highly suggest using a password manager such as Google, KeePass, Bitwarden, LastPass, etc.

    That way, you can achieve a reasonable amount of security with respect to the potential risk of someone getting access to the account.

  • @Jurian sorry for my delayed response.

    In answer to your question, regardless of age, MFA should be considered a top priority for implementation even if not mandated as compulsory for all customers.

    The above should also be considered in Tado's best interest due to the issues I outlined before: if Tado has not provided the facilities and a breach occurs involving manipulation of customer devices, then it can be argued that Tado is responsible for additional costs / issues arising due to negligent practices; however, if the feature is available, then it is down to customer choice if not enabled. Considering the expected technical ability of your customers, uptake would at least be worth the development efforts and peace of mind.

    You mention LastPass and Bitwarden etc. in your reply. As a current user of LastPass: even if not full 2FA in the form of OTP / security key support, you could at least go with the check LastPass carries out of confirming access in the registered email account if using an IP address devices are not currently communicating from. This could even be made less of an issue for the less technical by using a "remember device" option such as that used by Valve when signing into Steam, which would resolve the issue of mobile phones away from the home due to a device thumbprint; of course we would need an option on the site to sign out all devices in the event we suspect a breach ourselves.

    As someone who works in the tech field, and up until this issue a fan of Tado, given that part of my job involves internet security I struggle to recommend Tado on security grounds at present.

    Your guidance on passwords is accurate and in line with recommended practices but not having 2FA is just asking for problems with this kind of technology.