I was also unpleasantly surprised by the lack of 2FA. Just make it an optional (but recommended) thing so that your "older" clients can also use the service without issues and everyone is happy. In 2021 it's no rocket science to implement this extra layer of security; there are many libraries out there ready to be used, so development time should also be limited. Hope to see this feature soon. :)
I recently became a tado user and I am appalled that TADO does not have 2FA. Your website said that you use the same security as banks, but every single bank uses 2FA. Your entire infrastructure has 1 point of failure. If for some reason TADO does not properly hash users' passwords or, God forbid, stores them in plain text in a database, then one hack would expose every single house to the most extreme hacks possible.
A hack is not only to the detriment of its users. Successful cyber attacks carry enormous reputational damage to a business. The negative impact can be tangible – a 2019 study reported by Forbes found that a breach can lower a company’s share price by 7%. It can be hard for the organisation to regain customers’ trust, particularly if the breach was widespread or caused by basic security errors.
In 2022, implementing 2FA is considered a hygiene factor for every professional organization dealing with sensitive personal information in online environments. It's not something that should have 'business value' or enough user requests before it is implemented. It should not be on a list of 'nice-to-haves when we have some spare dev time life', nor is it a feature for nerdy tech users only. It should be a natural part of your company's vision and motivation to protect your customer's data, and taking your customers seriously.
Only a single password separates full control over my home environment from random malicious actors on the Internet. I have no idea how secure Tado's password database infrastructure is in reality, but ultimately every infrastructure can be compromised. If your password database is leaked after a targeted attack, I want my home to be secure. I want Tado to be prepared for that scenario and actively work on preventing it as much as possible. By implementing 2FA – which really isn't rocket science anymore nowadays – you'll really make a big step forward.
Don't overcomplicate things either – I've worked with dev teams in startups who have implemented basic 2FA within a single day using standard libraries and a simple UI workflow. In the time you've spent discussing this, you could probably have implemented it already.
I love Tado, but security-wise you really need to wake up and ramp up your maturity.
@Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter
Digging up this topic again as Tado has yet to make any progress towards a clear message from your own users.
Let this notice be a warning, and I know that just coming from 1 user your responses are probably going to be 'meh, no issue', that as no progress is being made, or the community even being responded to now with at the very least a timeframe, as part of the project for my household's IoT technology the Tado equipment is going to be pulled out and replaced by a competitor who has already implemented MFA.
I have already had to recommend alternative products to several friends and family due to this issue alone.
+1 for 2FA
I want my account and data to stay safe.
If implemented correctly, 2FA only needs to be asked once or once in a while for a legitimate user. It shouldn't be hard to use. Even the elderly in the Netherlands are required to use 2FA on many platforms.
Security and 2FA should be highest priority.
Make Security a priority! Thank you.
2-factor authentication not available?
Had I known 2FA was not an option I would not have bought into the Tado environment. Now seriously overdue. Especially as this issue was raised in 2014.
Tado, where is 2FA in your development schedule?
@Swansea As this topic only has 100 votes... I would imagine that it is very low on tado°'s list of priorities... unfortunately.
The lack of dual authentication is a concern for me. I have just done a test at home with 2 thermostatic heads and everything works fine. But I still have 21 thermostatic heads to buy and the lack of security is a concern. After reading the forum, it seems that dual authentication can be set up in two working days. So the lack of resources would not be a good argument? I also note that older people are getting help from younger people to set up security. This is how I help my 92-year-old mother. The ability to control your thermostatic heads remotely means that Tado° goes through the firewall of my computer installation. Without dual authentication, it's scary for my home network, isn't it? I hope Tado doesn't wait until it's in the news to implement proper security. Its reputation will be tarnished for a long time to come.
Now the first request for 2FA already dates back more than 3 years. I still believe that this is a vital feature because the account allows access to sensitive information. From the messages above I understand that tado also considers 2FA to be important.
I'm very concerned and I won't recommend tado to friends. My feeling is that tado is not concerned enough about the security of my personal data, which I find very disappointing. I deliberately chose a more expensive German product because security and personal data are important to me.
For those finding this thread while the powers that be get their act together, alternative solutions that do have 2FA:
Though the latter two do not offer a TRV that you can use in the way you can with Hive and Tado. Some of the other options such as Netatmo, Drayton Wiser, Genius, Honeywell seem not to offer 2FA either (unless someone here can confirm they do).
Vote with your virtual feet.
I agree. 2FA should be a standard choice in all solutions, or just standard in all sites where you log in. It is a bit uncomfortable that people easily can take control of my account and my settings.
Personally I don't see the point in 2FA for Tado; however, I think it would be wise to email customers when someone logs in to your account, as that's got to be simple to deliver and ensures you know if someone is trying to mess about with your heating.
I would like to see this implemented as well please......