my.tado.com : support for 2FA

Hi. Is there an ETA for 2FA support for access to my.tado.com?


Best regards

79 votes

Comments

  • Given the IoT connectivity I would also really like to suggest two-factor authentication for the tado system accounts as well as for the support accounts.

  • Hi,

    Please put me down as a +1 for 2FA/MFA. I'm a little concerned that all it would take is a password hack and a nefarious person could wreak havoc on my heating system - and/or lock me out of it.

    I also note that I don't get emails when a new browser/device signs in to my account. From a security standpoint this is a basic feature of most online services nowadays and would at least flag to users whether something was afoot with their account. Perhaps this could be paired with some sort of basic audit logging.

  • Just a few more thoughts on this one, I guess that somebody could also get into your account and see whether you're at home or not.

  • Please could you give us all an update on this. Like the posters above have said this is actually very important.

  • No answer, no ETA after one and a half years?

  • Hi @eMa,

    +1 for 2FA.

    If ideas are not supported immediately by enough people they tend to drift down the pages and get forgotten about.

  • +1 for 2FA.

    Something like this needs to be secured/locked down.

  • Thank you for bringing up the request for 2FA.


    We know that a small subset of "power users" is really interested in this. However, this is not something that the mass market cares for at this time. We are waiting for the right time to start looking into this.

    But please keep this topic active and keep upvoting.

  • Klaus_Ludwig ✭✭
    edited February 23

    As we all know, the harsh reality in the business world is that any investment of resources has to have a perceived financial payback, and to have a financial payback any idea has to be something that will become valuable to a significant percentage of key customers. If resources (such as the necessary skills and time) are not immediately available or are prioritised on other tasks that are more likely to have payback, then this may sit on the shelf for some time. The vision of a company’s senior management is critical in steering the company not just towards prosperity, but towards a better future in all respects. I hope that Tado finds the right direction. It’s hard to get a good reputation. In the world of social media it is very easy to lose it. It is obvious that there are people on this forum with certain skills and knowledge. I can only hope that Tado management manage to pick up on some of the ideas that will help to keep them up with and also to set them apart from their competitors. Hive already use 2FA.

  • @XKRMonkey,

    Totally agree that the main motivating factor for implementation of 2FA/MFA controls is going to be the perceived risk of incurring a very significant GDPR fine and also the associated damage to reputation.

  • libove ✭✭

    @Jurian There are a lot of smart, on-the-point comments above.

    A further official answer from Tado is necessary.

    2-factor is NOT "power". It is de rigueur in a world where every week we see another major international news headline about hacks and data breaches, almost always occurring because such basic precautions as 2-factor authentication were not taken.

    A Tado° controlled home heating/cooling system is a "cyber-physical" system; something where I.T. can impact the real physical world. It can cause physical harm (remotely shutting off heating in a dwelling which is unoccupied during a cold snap), and can even cause medical harm (a semi-dependent person who is checked-in on ~daily could suffer hours of too-cold or too-hot before their caretaker came and found them).

    2-factor isn't expensive to implement (Google Authenticator for example), and it's common enough now (Google, Microsoft, Amazon, all financial services in Europe and many in north America, etc, etc, etc, etc) that users shouldn't have much trouble with it (if it's done well).

    It's long past time.

    -Jay Libove, CISSP(retired), CIPP/US, CIPT, CISM(retired)

  • Hey Tado, can we please have MFA? The fact that this is always on the internet makes me nervous. MFA is not that difficult to implement and would add a huge amount of security to the application!

  • @Jurian Also disagree with you on this one, Two Factor / Multi Factor authentication is considered basic internet security these days.

    Think of the following scenario:

    • Tado has a data breach exposing user passwords
    • Criminals gain access to the My Tado accounts of users before we are able to reset passwords
    • There would be cost implications for customers should heating be ramped up (I'm pretty sure Tado would not like to foot the bill for this on customer behalf due to not investing in adequate information security standards)
    • In the dead of winter the same criminals could also turn off heating in the homes where elderly and vulnerable people live who are not technically minded.

    Implementing FIDO security key support would be preferable, but I will concede this is more of a specialist version. However, at the very least OTP codes should be implemented via authentication apps, or email verification if logging in after an extended period / from a different IP address.

  • Jurian | Admin

    @MrMase Thanks for your input.

    I do not see elderly people adding MFA/2FA to their tado account, unless you believe that it should be set to mandatory for every tado account. Thus creating more issues for less "technical" people?


    What is your view on this?

  • 00001010
    edited June 7

    @Jurian I disagree with you in this regard. I myself don’t see elderly people seeking out and installing Tado products by themselves.

    Why don’t you at least give your customers the option to use MFA/2FA or not?

    Let them (customers) decide what to use and how to protect themselves (don’t take the decision not to implement it because some of the clients - maybe a small part - don’t know about it).

    Best wishes,
    VH

  • There is no need to mandate that 2FA is used. Look at some of the tech firms who have lost millions of customer details and then applied 2FA, too late. Google, Ubiquiti, Microsoft and many, many more. I use 2FA on every account that allows it, and please remember that smart home IoT hardware is well known as a hacker's go-to for info or back doors. Ubiquiti introduced 2FA within a few days of a massive hack. Maybe you could too, as there seem to be many voices asking for it.

  • I just found out, that anyone could be able to access my whole home-setup, just by logging in via a browser. This system is a ticking time-bomb. Devices need to be either: Authenticated in the local network, before accessing from abroad. Or: Secured with 2FA. This is not an option, but mandatory for critical personal infrastructure.

  • @Jurian 2FA is not for power users. 2FA is for those that are prone to password attacks and bad password reuse (most likely not power users).

  • Jurian | Admin
    edited June 16

    Please don't get me wrong. I do think that 2FA is important.

    The main question is, where does it stand in relation to other potential improvements?

    With a limited amount of development resources, which improvements will bring the maximum amount of value to the most amount of customers?


    Until 2FA is implemented, I highly suggest using a unique password that contains random characters.

    I highly suggest using a password manager such as Google, Keepass, Bitwarden, Lastpass etc..

    That way, you can achieve a reasonable amount of security with respect to the potential risk of someone getting access to the account.

  • Borro
    edited November 5

    @Jurian / @tado_mod / @Adrian (tado°) / @Germán / @Michael / @_Marie / @Kenzo / @Christoph / @Joey / @Julia / @greyMatter ,

    Sorry for the spam, but tryin' to get your organization's attention to 👆. (could mention more TADO colleagues, but this is a good start 😏)

    2FA for a service you provide is not power user functionality; it is a must nowadays, a basic hygiene factor, required to protect your customers. Definitely since your services infringe on users' private life AND your users cannot easily switch to a different provider considering the nature of your product. Please reconsider your priorities and get this high on your backlog.

    Of course your app / functionality can always be improved, but there are no major epics I can see functionality-wise that should be worked on before 2FA. (Of course I cannot determine any tech debt you might have.)

    p.s. other than that I'm a happy Tado user and would (if 2FA is added) recommend to friends 😊

    Regards,

    Borro

  • As a potential new customer of Tado finding this thread has put me off the solution.

    I took the time to register an account here to give you this feedback because Tado ticks so many boxes of what I'm looking for, so it was disheartening to find out the online accounts are password protected only. I really hope this is something that can get your attention, connecting the vital infrastructure of your house to the internet is not to be taken lightly.

    In general I try to avoid companies that haven’t had a security breach yet for this exact reason, it’s often only once you’ve felt the pain of such an event that the proper resources and priorities get put in place. These types of basic features missing in the frontend really make me worry about your other systems and processes that customers don’t have any insight in.

  • @thursley, I fully understand and support your decision; unfortunately I have invested a lot of money in this service. And in terms of service I am very happy, however 2FA is today a necessity.

    @Jurian, don't get me wrong, but there is literally no excuse for not offering 2FA. Elderly? Really? Come on!!! Other prios? Well, guess what, security is your number one priority, period. Don't believe me? Then check out: Have I Been Pwned: Check if your email has been compromised in a data breach

    I am expecting from a company like tado to have this in place. Please implement and give the right example!

  • +1 Yes, it’s 2021. MFA/2FA should be standard. Please don’t use SMS either if you do decide to do it.

  • If I had known that tado does not have 2FA and no other security measures in place I would not have bought into this ecosystem.

    I very recently became a customer and I assumed that all these kind of companies that offer services over the internet would have 2FA per default.

    There really is no excuse to not offer it. I will make sure to not let others come onboard yet as I do get asked a lot about new tech. I know many people who are eager to leave Nest and are looking for a good HomeKit native replacement. Security wise this is not done in this day and age though.
  • @Jurian and @Rob, I have previously commented about this, but Tado MUST pay more attention to the community on this topic, and frankly the board of Tado need to pay attention to the safety of their business in this context, and they really need to be showing their customers that they understand the importance of the security of personal data entrusted to them and that they take it seriously.

    I don't accept arguments that "it's complicated" or "it's difficult to retrofit", because it's NOT. Neither is it expensive, and even if it were, Tado could simply increase the annual fees a little to cover it.

    The ONLY genuine reason for not prioritising this simple but important change is arrogance and/or stupidity. Perhaps Tado think that their product is reasonably expensive and customers won't leave over a little thing like a breach, but frankly the disruption and pain of fixing a stolen identity and the inconvenience that it brings makes replacing even £1000 of Tado equipment a no-brainer.

    Stop making excuses, assign one of your devs to replacing the current web authentication layer with a proper MFA version and move into the 21st century.

  • I have recently become a customer and struggle to believe this is not supported...2fa HAS to be on your Short to Medium term roadmap.