my.tado.com : support for 2FA
Hi. Is there an ETA for supporting 2FA for access to my.tado.com?
Given the IoT connectivity I would also really like to suggest Factor Authentication for the tado system accounts as well as for the support accounts.
Please put me down as a +1 for 2FA/MFA. I'm a little concerned that all it would take is a password hack and a nefarious person could wreak havoc on my heating system - and/or lock me out of it.
I also note that I don't get emails when a new browser/device signs in to my account. From a security standpoint this is a basic feature of most online services nowadays and would at least flag to users whether something was afoot with their account. Perhaps this could be paired with some sort of basic audit logging.
Just a few more thoughts on this one, I guess that somebody could also get into your account and see whether you're at home or not.
Please could you give us all an update on this. Like the posters above have said this is actually very important.
No answer, no ETA after one and a half years?
+1 for 2FA.
If ideas are not supported immediately by enough people they tend to drift down the pages and get forgotten about.
+1 for 2FA.
Something like this needs to be secured/locked down.
Thank you for bringing up the request for 2FA.
We know that a small subset of "power users" is really interested in this. However, this is not something that the mass market cares for at this time. We are waiting for the right time to start looking into this.
But please keep this topic active and keep upvoting.
@Jurian sorry to disagree, but I don't think 2FA/MFA is a power-user thing anymore.
Apple, Microsoft and Google have made this mainstream, almost every major SaaS vendor supports 2FA as either an SMS or an authenticator code - to the point that both Microsoft and Google have made their authenticators totally public domain and any software author can hook to their API to get a seed and QR code link - seriously easy for everyone.
Add to that the fact that almost everyone uses some kind of app or web based banking and it's a long time since I've been able to log on to any bank without MFA.
SAML support is everywhere, and SMS gateways cost little, but authenticator support is free. This sounds like a poor excuse. Besides, making it optional covers all the bases - turn it on if you want it.
@legsak1mbo is right in essence, users are trusting access to their home IoT to you, even the details of payment plans and other personal data. For the security of your reputation and your customers' peace of mind, implementing 2FA/MFA should be high on your list.
For the record, it took one of my developers less than 2 days to roll out MFA protection on our support portal via SAML and Google/MS Authenticator and SMS. No excuses please!
As we all know, the harsh reality in the business world is that any investment of resources has to have a perceived financial payback, and to have a financial payback any idea has to be something that will become valuable to a significant percentage of key customers. If resources (such as the necessary skills and time) are not immediately available or are prioritised on other tasks that are more likely to have payback, then this may sit on the shelf for some time. The vision of a company's senior management is critical in steering the company not just towards prosperity, but towards a better future in all respects. I hope that Tado finds the right direction. It's hard to get a good reputation. In the world of social media it is very easy to lose it. It is obvious that there are people on this forum with certain skills and knowledge. I can only hope that Tado management manage to pick up on some of the ideas that will help to keep them up with and also to set them apart from their competitors. Hive already use 2FA.
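The "seed and QR code link" mentioned in this post is the standard TOTP enrolment flow (RFC 6238 over RFC 4226 HOTP, with the otpauth key URI that authenticator apps scan). The following is an added stdlib-only illustration written for this thread, not tado's or any vendor's code; the issuer name, account and the RFC test vector used in the checks are constructed inputs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def generate_seed(num_bytes: int = 20) -> str:
    """Random per-user secret, Base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(seed_b32: str, account: str, issuer: str) -> str:
    """Key URI that the enrolment page renders as the QR code the user scans (constructed labels)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={seed_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(seed_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    secret = base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8), casefold=True)
    return hotp(secret, at // period, digits)


def verify_totp(seed_b32: str, submitted: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for clock skew,
    comparing in constant time. A real deployment also rejects a code that was already accepted."""
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, at + step * period, period), submitted):
            return True
    return False
```

The seed is generated once at enrolment and stored server-side (encrypted at rest); the QR code is shown once and never again.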
@Klaus_Ludwig and @Jurian
The problem here is that nobody wants security until after they have an event. Unlike poor network or server performance, there is no direct visible correlation between spend and result. With security you could spend nothing and get away with it for an extended period, or pay a lot and still get it wrong and end up with a breach.
The question here for Tado is whether they have considered the impact of GDPR on their business and their customers. Tado holds customer PII in their portal (my name, my address, a phone number and an email address). If my account becomes breached because I use a poor password, or duplicate a password I have used elsewhere, then that breach is very likely to be notifiable under GDPR because effectively Tado have "lost" my data, and I believe that Tado would have a hard time explaining that they had "taken all reasonable measures" when an email-based username and password is not really an effective defence for that data. The fine is €20,000,000 minimum, which should be sufficient incentive.
More importantly, as @Klaus_Ludwig rightly points out, social media can kill a business reputation overnight - it's really not worth the risk either way when it's really so very simple to avoid.
This is absolutely not a "power user" thing, it's a self-preservation thing for your organisation, and (IMHO) a moral responsibility to your customers who may not understand some of the implications of this themselves or be able to take other steps. Equally, there is a wider question of perception - how seriously do Tado take other aspects of the digital (and physical) security if they feel it's acceptable to rely purely on email-username and password to protect data?
I would also point out that a number of your competitors (including Hive) DO offer 2FA/MFA protection to their customers, and since SMART technology is specifically a part of the modern digital revolution, it makes no sense for a "new" style company to adopt a security posture from the "old days".
Totally agree that the main motivating factor for implementation of 2FA/MFA controls is going to be the perceived risk of incurring a very significant GDPR fine and also the associated damage to reputation.
@Jurian There are a lot of smart, on-the-point comments above.
A further official answer from Tado is necessary.
2-factor is NOT "power". It is de rigueur in a world where every week we see another major international news headline about hacks and data breaches, almost always occurring because such basic precautions as 2-factor authentication were not taken.
A Tado° controlled home heating/cooling system is a "cyber-physical" system; something where I.T. can impact the real physical world. It can cause physical harm (remotely shutting off heating in a dwelling which is unoccupied during a cold snap), and can even cause medical harm (a semi-dependent person who is checked-in on ~daily could suffer hours of too-cold or too-hot before their caretaker came and found them).
2-factor isn't expensive to implement (Google Authenticator for example), and it's common enough now (Google, Microsoft, Amazon, all financial services in Europe and many in north America, etc, etc, etc, etc) that users shouldn't have much trouble with it (if it's done well).
It's long past time.
-Jay Libove, CISSP(retired), CIPP/US, CIPT, CISM(retired)
This is in today's news:
Hey Tado, can we please have MFA? The fact that this is always on the internet makes me nervous. MFA is not that difficult to implement and would add a huge amount of security to the application!
@Jurian Also disagree with you on this one, Two Factor / Multi Factor authentication is considered basic internet security these days.
Think of the following scenario:
- Tado has a data breach exposing user passwords
- Criminals gain access to the My Tado accounts of users before we are able to reset passwords
- There would be cost implications for customers should heating be ramped up (I'm pretty sure Tado would not like to foot the bill for this on customer behalf due to not investing in adequate information security standards)
- In the dead of winter the same criminals could also turn off heating in the homes where elderly and vulnerable people live who are not technically minded.
Implementing FIDO security key support would be preferable, but I will concede this is more of a specialist version; however, at the very least OTP codes should be implemented via authentication apps, or email verification if logging in after an extended period / from a different IP address.
@Jurian I disagree with you in this regard. Myself, I don't see elderly people seeking and installing Tado products by themselves.
Why don't you at least give your customers an option to use or not use MFA/2FA?
Let them (customers) decide what to use and how to protect themselves (don't take the decision not to implement it because some of the clients - maybe a small part - don't know about it).
There is no need to mandate that 2FA is used. Look at some of the tech firms who have lost millions of customer details and then applied 2FA, too late. Google, Ubiquiti, Microsoft and many, many more. I use 2FA on every account that allows it, and please remember that smart home IoT hardware is well known as a hacker's go-to for info or back doors. Ubiquiti introduced 2FA within a few days of a massive hack. Maybe you could, as there seem to be many voices asking for it.
I just found out that anyone could be able to access my whole home setup, just by logging in via a browser. This system is a ticking time bomb. Devices need to be either: authenticated in the local network before being accessible from abroad, or: secured with 2FA. This is not an option, but mandatory for critical personal infrastructure.
@Jurian 2FA is not for power users. 2FA is for those that are prone to password attacks and bad password reuse (most likely not power users).
Please don't get me wrong. I do think that 2FA is important.
The main question is, where does it stand in relation to other potential improvements?
With a limited amount of development resources, which improvements will bring the maximum amount of value to the most amount of customers?
Until 2FA is implemented, I highly suggest using a unique password that contains random characters.
I highly suggest using a password manager such as Google, KeePass, Bitwarden, LastPass etc.
That way, you can achieve a reasonable amount of security with respect to the potential risk of someone getting access to the account.
@Jurian sorry for my delayed response.
In answer to your question: regardless of age, MFA should be considered a top priority for implementation, even if not mandated as compulsory for all customers.
The above should also be considered in Tado's best interest due to the issues I outlined before: if Tado has not provided the facilities and a breach occurs involving manipulation of customer devices, then it can be argued that Tado is responsible for additional costs / issues arising due to negligent practices; however, if the feature is available then it is down to customer choice if not enabled. Considering the expected technical ability of your customers, uptake would at least be worth the development effort and peace of mind.
You mention LastPass and Bitwarden etc. in your reply. As a current user of LastPass, even if not full 2FA in the form of OTP / security key support, you could at least go with the check LastPass carry out of confirming access in the registered email account if using an IP address devices are currently not communicating from. This could even be made less of an issue for the less technical by using a "remember device" option such as that used by Valve when signing into Steam, which would resolve the issue of mobile phones away from the home due to a device thumbprint; of course we would need an option on the site to sign out all devices in the event we suspect a breach ourselves.
As someone who works in the tech field and, up until this issue, a fan of Tado, given part of my job involves internet security, I struggle to recommend Tado on security grounds at present.
Your guidance on passwords is accurate and in line with recommended practices, but not having 2FA is just asking for problems with this kind of technology.
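The three controls proposed in the post above (email confirmation when a login arrives from an unseen address, a Steam-style "remember this device" token, and a "sign out all devices" switch) fit together in one small server-side model. This is an added sketch written for this thread, not tado's code; the session record is a plain dict here and would be a signed cookie in practice, and the account and addresses are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    generation: int = 0                                  # bumped by "sign out all devices"
    trusted_devices: set = field(default_factory=set)    # SHA-256 of remembered-device tokens
    seen_ips: set = field(default_factory=set)           # addresses that passed an email confirm


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def remember_device(acct: Account) -> str:
    """Issue a random token for the "remember this device" cookie; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    acct.trusted_devices.add(_fingerprint(token))
    return token


def login_decision(acct: Account, ip: str, device_token: Optional[str]) -> str:
    """'allow' for a remembered device or a previously confirmed address, otherwise
    'email_confirm': the user must approve this login from the registered mailbox."""
    if device_token is not None and _fingerprint(device_token) in acct.trusted_devices:
        return "allow"
    return "allow" if ip in acct.seen_ips else "email_confirm"


def record_confirmed_ip(acct: Account, ip: str) -> None:
    """Called after the user clicks the confirmation link sent to their email."""
    acct.seen_ips.add(ip)


def issue_session(acct: Account) -> dict:
    """Session record stamped with the generation it was issued under."""
    return {"email": acct.email, "generation": acct.generation}


def session_valid(acct: Account, session: dict) -> bool:
    return session["email"] == acct.email and session["generation"] == acct.generation


def sign_out_all_devices(acct: Account) -> None:
    """Invalidate every session and remembered device at once, for a suspected breach."""
    acct.generation += 1
    acct.trusted_devices.clear()
```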
@Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter ,
Sorry for the spam, but tryin' to get your organization's attention to 👆. (could mention more TADO colleagues, but this is a good start 😏)
2FA for a service you provide is not power user functionality, it is a must nowadays, a basic hygiene factor, required to protect your customers. Definitely since your services infringe on users' private life AND your users cannot easily switch to a different provider considering the nature of your product. Please reconsider your priorities and get this high on your backlog.
Of course your app / functionality can always be improved, but there are no major epics I can see functionality-wise that should be worked on before 2FA. (of course I cannot determine any tech debt you might have).
p.s. other than that I'm a happy Tado user and would (if 2FA is added) recommend to friends 😊
As a potential new customer of Tado finding this thread has put me off the solution.
I took the time to register an account here to give you this feedback because Tado ticks so many boxes of what I'm looking for, so it was disheartening to find out the online accounts are password protected only. I really hope this is something that can get your attention, connecting the vital infrastructure of your house to the internet is not to be taken lightly.
In general I try to avoid companies that haven't had a security breach yet for this exact reason, it's often only once you've felt the pain of such an event that the proper resources and priorities get put in place. These types of basic features missing in the frontend really make me worry about your other systems and processes that customers don't have any insight into.
@thursley, I fully understand and support your decision; unfortunately I have invested a lot of money in this service. And in terms of service very happy, however 2FA is today a necessity.
@Jurian, don't get me wrong but there is literally no excuse for not offering 2FA. Elderly? Really? Come on!!! Other prios? Well guess what, security is your number one priority, period. Don't believe me, then check out: Have I Been Pwned: Check if your email has been compromised in a data breach
I am expecting from a company like tado to have this in place. Please implement and give the right example!
+1 Yes it's 2021. MFA/2FA should be standard. Please don't use SMS either if you do decide to do it.
If I would have known that tado does not have 2FA and no other security measures in place I would not have bought into this ecosystem.
I very recently became a customer and I assumed that all these kind of companies that offer services over the internet would have 2FA per default.
There really is no excuse not to offer it. I will make sure not to let others come onboard yet, as I do get asked a lot about new tech. I know many people who are eager to leave Nest and are looking for a good HomeKit-native replacement. Security-wise this is not done in this day and age though.
@Jurian and @Rob, I have previously commented about this, but Tado MUST pay more attention to the community on this topic, and frankly the board of Tado need to pay attention to the safety of their business in this context, and they really need to be showing their customers that they understand the importance of the security of personal data entrusted to them and that they take it seriously.
I don't accept arguments that "it's complicated" or "it's difficult to retrofit", because it's NOT. Neither is it expensive, and even if it were, Tado could simply increase the annual fees a little to cover it.
The ONLY genuine reason for not prioritising this simple but important change is arrogance and/or stupidity. Perhaps Tado think that their product is reasonably expensive and customers won't leave over a little thing like a breach, but frankly the disruption and pain of fixing a stolen identity and the inconvenience that it brings makes replacing even £1000 of Tado equipment a no-brainer.
Stop making excuses, assign one of your devs to replacing the current web authentication layer with a proper MFA version and move into the 21st century.
I have recently become a customer and struggle to believe this is not supported... 2FA HAS to be on your short to medium term roadmap.