
Why is there no 2FA for Tesla accounts?

Given that Cisco bought Duo, it’s only a matter of time before everything you like about it is gone.
Yep. I know enterprise customers who loved Duo the day before Cisco bought them, and started migration plans the day after.

If you like Cisco owning Duo, you should buy both an Amazon Echo device and a Google Home device. You will likely eventually get all the same “benefits”.
 
are the 3rd party apps storing login/pass in their databases or some sort of api to tesla db? if the former, their level of security is a joke and i would not use such apps.
It really depends on the app. Generally, apps need to store some kind of authentication credential to be able to access the Tesla API. It's not necessarily your Tesla account password though; it is possible to create a security token that can be used to access the API. The token is more limited than the password in what you can do with it (e.g. you cannot use it to start the car or log in on Tesla's web page). So, a security-conscious app can take steps to limit the potential damage even if its credential database is compromised. The problem is you never know which ones are doing it right, and whether you can trust the developer.
 
I wish they would use NFC Yubikey, that even works with the newer iPhones now. And I see YubiKey 5 NFC was released. It could work with the app on the phone and directly with the car.

I use a combination of DUO and Yubikey for my personal stuff. And with some products I use both so I have a multi-factor backup.

Below is info for the new 5 model. I think my current NFC is limited to RSA 1024.

Yubico | YubiKey 5 NFC Security Key | USB-A & NFC
  • Supported protocols: FIDO2, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response
  • Crypto Algorithms: RSA 4096, RSA 3072, RSA 2048, RSA 1024, ECC p256, ECC p384
  • Interface: USB-A and NFC
  • Works on Microsoft Windows, macOS, Linux and on major browsers such as Chrome, Firefox, Safari, Edge, and Opera
  • Works on mobile platforms such as iOS and Android
 
are the 3rd party apps storing login/pass in their databases or some sort of api to tesla db? if the former, their level of security is a joke and i would not use such apps.

Not familiar with the API but I assume they use some sort of Token to log in. You don't need to relog into your tesla app every time you open so same idea. It is a bad idea to store plaintext passwords.
 
I strongly agree. Note that even though you can't register a new phone as key without a key card, you can still steal the car if you only have the Tesla account password. I tested this by installing the Tesla app on an iPad (!) that has never been registered as a key.

1) Install app and log in using stolen password
2) Use the app to conveniently locate the vehicle you want to steal
3) If the car happens to sit in a garage, you can open it from outside via the car's Homelink function if Summon is enabled
4) Unlock the vehicle via the app
5) Use the keyless start function in the app with the stolen password to start the car
6) Drive away
Turn on PIN to drive and this won't lead to a stolen car
 
Note that even though you can't register a new phone as key without a key card, you can still steal the car.....

And exactly how big a problem is this? How many Teslas have been stolen? How many are not recovered? How many chop-shops have a market for stolen Tesla parts?

I get the interest in more security, but is this a solution in search of a problem? (in comparison to the constant break-ins due to the folding back seat).

Stolen Tesla vehicles in the US have almost all been recovered: 112 out of 115
 
And exactly how big a problem is this? How many Teslas have been stolen? How many are not recovered? How many chop-shops have a market for stolen Tesla parts?
I don't know and neither do you. Apparently vehicle thefts were a serious enough problem that Tesla implemented the PIN to Drive feature. I have really no idea why you are coming in here to (apparently) argue against improving the security of our $60,000 cars.
 
I think 2FA has a place, but I'm concerned about being locked out of the car if something happens to my phone (where the 2FA is stored).

I use a very long password, made up of a phrase I can easily remember. I only use it on the Tesla page.

I've had my phone crash and it's a pain in the rear to reset all the google auth tokens (now I keep a printout of the bar codes at home). SMS 2FA is subject to social engineering.

The PIN to drive is a help in a specific type of attack... the radio repeater attack. That's a higher risk (IMHO) because it can be done randomly w/ little planning.

A password attack on someone is going to take a much more focused approach. Not saying it won't happen, but it feels less likely to me.
 
I have never, nor would I ever, provide a 3rd party app maker with my password!
(It's bad enough supplying it to service centers :) )
But, seriously ... where would one GET a password from? A hack or???

People need to use strong passwords.

My passwords, for every web site, are different. Comprised of two words. Over 15 chars long.
Use leet. And an identifying formula between the words to identify the web site.
The only problem then is for companies who will not let you change a password to an already used one!
You cannot win!
 
I think 2FA has a place, but I'm concerned about being locked out of the car if something happens to my phone (where the 2FA is stored).

I use a very long password, made up of a phrase I can easily remember. I only use it on the Tesla page.

I've had my phone crash and it's a pain in the rear to reset all the google auth tokens (now I keep a printout of the bar codes at home). SMS 2FA is subject to social engineering.
Yes, these are valid concerns. 2FA systems add a certain level of inconvenience. I assume if Tesla implemented it it would be optional, so you wouldn't have to use it if you think the inconvenience outweighs the risk. However, two tips:
  • There are compatible TOTP authenticator apps that allow you to back up the secret keys that are used to generate the codes (ideally in an encrypted file), so you can restore them if you lose them or change the device without having to re-register the accounts.
  • If you use a Google Voice number for SMS-based 2FA, you are largely protected from social engineering (SIM swap) attacks (since Google doesn't offer human support).
The PIN to drive is a help in a specific type of attack... the radio repeater attack. That's a higher risk (IMHO) because it can be done randomly w/ little planning.
It could potentially be modified to protect against the weakness discussed here, e.g. by requiring a registered key card instead of or in addition to the Tesla account password to override the PIN.
 
I have really no idea why you are coming in here to (apparently) argue against improving the security of our $60,000 cars.

It's called an exchange of ideas. People learn from each other (hopefully).

Apparently vehicle thefts were a serious enough problem that Tesla implemented the PIN to Drive feature.

Tesla was addressing a serious problem/flaw (see articles from last fall) and I'm willing to give them the benefit of the doubt that they have addressed it properly without 2FA. (But, I am willing to learn differently.)

Tesla Model 3 rental was stolen by reusing authentication key, thief caught days later in another state
 
Yes, these are valid concerns. 2FA systems add a certain level of inconvenience. I assume if Tesla implemented it it would be optional, so you wouldn't have to use it if you think the inconvenience outweighs the risk. However, two tips:
  • There are compatible TOTP authenticator apps that allow you to back up the secret keys that are used to generate the codes (ideally in an encrypted file), so you can restore them if you lose them or change the device without having to re-register the accounts.
  • If you use a Google Voice number for SMS-based 2FA, you are largely protected from social engineering (SIM swap) attacks (since Google doesn't offer human support)

Yes, these are valid ideas --- for someone who is an expert tech person. But, Elon is trying to make a car for the masses, and 85% of folks will have absolutely no idea what you just wrote, much less will spend the time to back up secret keys.....
 
Yes, these are valid ideas --- for someone who is an expert tech person. But, Elon is trying to make a car for the masses, and 85% of folks will have absolutely no idea what you just wrote, much less will spend the time to back up secret keys.....
And again I'm wondering what you are trying to say. "Oh no, Tesla shouldn't offer an optional security feature because it's too complicated". Never mind that millions of Google, Amazon, Facebook etc. users seem to have no problem with TOTP-based 2FA. I seriously doubt that the average Tesla owner is any less tech savvy.
 
The OP asked a question in his/her title. I was offering a response: 1) probably not needed; 2) it's not a panacea; 3) it's one thing to call apple/google to get a pw reset on your smart phone, but another thing to be trying to get into your car during a thunderstorm. Apple's permanent lockout is prolly not the best idea for Tesla.

Two-factor authentication is a mess

Of course, if the OP only wanted supporting views, I apologize.
 
The OP asked a question in his/her title. I was offering a response: 1) probably not needed; 2) it's not a panacea; 3) it's one thing to call apple/google to get a pw reset on your smart phone, but another thing to be trying to get into your car during a thunderstorm. Apple's permanent lockout is prolly not the best idea for Tesla.

Two-factor authentication is a mess

Of course, if the OP only wanted supporting views, I apologize.

I welcome all views and a good discussion about any pros and cons of implementing 2FA on Tesla accounts. As I stated a few posts up, any potential issues with somehow getting locked out of your car because 2FA on your phone is either unavailable or not working can be solved by using the key card that you should always be carrying with you anyway as a backup to your phone as key.

I'm kind of surprised I haven't heard of at least one random case of this happening with a Tesla vehicle. Perhaps no one has really attempted this yet. As discussed in the first few posts of this thread, compromised credentials can absolutely 100% be used to break into or steal a Tesla car. Just because we have seen no reports of this occurring does not mean that the threat does not exist.

I don't really see this as all that big of an obstacle either. I'm not suggesting that you need to authenticate against your Tesla account via 2FA every single time you unlock the car or use the Tesla app. If you enable 2FA it should require you to authenticate via 2FA for new logins to the Tesla app on a mobile device. I haven't had to re-login to the Tesla app on my iPhone in months so this is really not that big of a deal (to me anyway) if I have to reauth via 2FA if I ever need to re-login to the app.

Giving customers more options, especially more robust security options, is never a bad thing. If someone doesn't want to enable 2FA on their account, fine, don't enable it. But at least give those of us that know the advantages of having the additional security of 2FA the option to use it.
 
The OP asked a question in his/her title. I was offering a response: 1) probably not needed; 2) it's not a panacea; 3) it's one thing to call apple/google to get a pw reset on your smart phone, but another thing to be trying to get into your car during a thunderstorm. Apple's permanent lockout is prolly not the best idea for Tesla.

Two-factor authentication is a mess

Of course, if the OP only wanted supporting views, I apologize.
I think 2FA should not be used to access the car, but definitely needed when logging in on your phone App.
 