Why is there no 2FA for Tesla accounts?

Discussion in 'Tesla, Inc.' started by PoitNarf, Feb 18, 2019.

  1. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,853
    Location:
    NJ
    It seems to me that people against this might not understand how it would likely be implemented. The only implementation I desire is that 2FA is an option you can enable when logging into the Tesla app from a new device for the first time. If you get unexpectedly logged out of the Tesla app on your phone and re-login you would not be prompted for 2FA since Tesla has already seen your phone access your account before. Whether or not Tesla goes this route or decides on a different method remains to be seen, but my proposed implementation shouldn’t be much of a hindrance at all.
     
    • Like x 2
  2. brkaus

    brkaus Well-Known Member

    Joined:
    Jul 8, 2014
    Messages:
    7,301
    Location:
    Austin, TX
    #62 brkaus, May 12, 2019
    Last edited: May 12, 2019
    The man in the middle attack can take advantage of that and maintain control of the session they establish. That would give them complete control from the app for whatever the duration of the trust period.

    That means they can track, unlock, start the car. They probably cannot remove the PIN to drive, so that brings some safety for those that use the pin feature.

    But if someone can be tricked into social engineering (enter your Tesla credentials for free supercharger WiFi) there isn’t much to help them.

    Edit to add - these same people might even respond to “we have increased our security - please enter your credit card on file so we can verify your account”.
     
    • Disagree x 1
  3. ohmman

    ohmman Maximum Plaid Member

    Joined:
    Feb 13, 2014
    Messages:
    9,758
    Location:
    North Bay, CA
    mod note: 4 posts in a personal disagreement moved away to snippiness.
     
  4. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,853
    Location:
    NJ
    Granted there is no perfect solution to this. However, any method of 2FA is better than not having it at all.
     
  5. Eno Deb

    Eno Deb Active Member

    Joined:
    Aug 17, 2018
    Messages:
    2,595
    Location:
    SF Bay Area
    You mean a man-in-the-middle attack between the app and Tesla's API server? That shouldn't be possible assuming they have implemented SSL correctly.
     
  6. brkaus

    brkaus Well-Known Member

    Joined:
    Jul 8, 2014
    Messages:
    7,301
    Location:
    Austin, TX
    Not through the app. But they can still get a token that would allow control. Like TeslaFi and others. Correct?

    As long as someone is willing to type in private info into a semi-convincing looking wifi presented web page.

    I still think it's needed. But I don't think it solves as much as we would like.
     
  7. Eno Deb

    Eno Deb Active Member

    Joined:
    Aug 17, 2018
    Messages:
    2,595
    Location:
    SF Bay Area
    Not sure what we are discussing right now. What @PoitNarf mentioned above is that the app could be trusted after having gone through 2FA once, i.e. after the very first 2FA login it would store some kind of security token that would subsequently allow it to bypass the second authentication step for convenience. That security token should never be accessible to a man in the middle assuming that SSL (end-to-end encryption) is used properly.
    Yes, that type of attack would still be possible assuming Tesla implements "traditional" 2FA with a code that needs to be entered on the web page.
     
    • Like x 1
  8. mblakele

    mblakele beep! beep!

    Joined:
    Mar 7, 2016
    Messages:
    1,647
    Location:
    SF Bay Area
    It's possible to configure the same TOTP seed on multiple apps or devices. I've done it with AWS, for example.
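
An added example, not part of any post in this thread and not Tesla's implementation: a server-side sketch of the "remember this device after the first 2FA login" scheme discussed above, using standard RFC 6238 TOTP, where any device holding the same seed produces the same code. `SERVER_KEY`, `DEMO_SEED`, the token layout and the `login` signature are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def totp(seed_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the time."""
    key = base64.b32decode(seed_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret, base32
SERVER_KEY = b"constructed-demo-key"   # assumption: server-only signing secret
TRUST_SECONDS = 30 * 24 * 3600         # 30-day trust period (assumed policy)

def issue_device_token(account: str, device_id: str, now: float) -> str:
    """Signed 'trusted device' token, issued only after a successful 2FA login."""
    body = f"{account}|{device_id}|{int(now) + TRUST_SECONDS}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"

def device_is_trusted(token: str, account: str, device_id: str, now: float) -> bool:
    try:
        acct, dev, expiry, sig = token.split("|")
        expires = int(expiry)
    except ValueError:
        return False  # malformed token: treat as untrusted
    body = f"{acct}|{dev}|{expiry}"
    good = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig.encode(), good.encode())
            and acct == account and dev == device_id and now < expires)

def login(account, password_ok, device_id, now, seed_b32, code=None, token=None):
    """Return (status, token). Password always required; TOTP only on untrusted devices."""
    if not password_ok:
        return "denied", None
    if token and device_is_trusted(token, account, device_id, now):
        return "ok", token
    if code is None:
        return "need_2fa", None
    # Accept the current and the previous 30 s step to tolerate clock skew.
    if any(hmac.compare_digest(code.encode(), totp(seed_b32, now - d).encode())
           for d in (0, 30)):
        return "ok", issue_device_token(account, device_id, now)
    return "denied", None
```

The token is bound to the account, the device identifier and an expiry, so a password presented from any other device, or after the trust period, falls back to `need_2fa`.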
     
  9. SheriffMoose

    SheriffMoose Member

    Joined:
    Oct 31, 2019
    Messages:
    56
    Location:
    Virginia, US
    I see this is a fairly old thread, though I just thought I'd see if anyone has heard of any more updates since May. I just created my Tesla account on Wednesday, and I haven't found any MFA options on the Tesla website. I was hoping I'd see an option to enable it after seeing the time frame of this conversation =/
     
    • Like x 1
    • Disagree x 1
  10. CharleyBC

    CharleyBC Active Member

    Joined:
    Jun 28, 2019
    Messages:
    1,344
    Location:
    Talent, OR
    We have PIN to Drive turned on. This thwarts your scenario by requiring step 5.5: Enter PIN.
     
    • Like x 1
    • Disagree x 1
  11. 640k

    640k Member

    Joined:
    Jul 15, 2019
    Messages:
    928
    Location:
    Cincinnati
    this was covered earlier:
    2FA is definitely not the cure-all solution but I hadn't really sat down to think about the ease of accessing a vehicle (even if you can't drive away) until it was laid out in the post you quoted. I don't personally know what the right solution is, but relying on an app for the level of security we're offered definitely has its disadvantages. Even if we added biometrics to the vehicle, they would be easy to bypass.

    At the end of the day, if a thief wants something, they're going to take it. That's why we pay for insurance.
     
    • Like x 1
  12. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,853
    Location:
    NJ
    • Disagree x 1
    • Love x 1
  13. SheriffMoose

    SheriffMoose Member

    Joined:
    Oct 31, 2019
    Messages:
    56
    Location:
    Virginia, US
    ^ That's awesome. And while I'm somewhat surprised at the level of tech knowledge people have here, I'm also not :p

    Considering the level of integration that the Tesla account has with your vehicle and your capability to charge and authenticate with the car, I'd say it's pretty critical that 2FA be enabled. Realistically, you can trust known devices like your phone for 30 days, and this will help balance the inconvenience while also adding a huge protection to your account.

    Sure, if people want to steal something badly enough they can, but we should at least make it that much more difficult :)
     
    • Like x 2
    • Disagree x 1
  14. Pueo

    Pueo Member

    Joined:
    Jan 19, 2018
    Messages:
    29
    Location:
    Molokai
    Nice to see that 2FA is coming, it really should have been available some time ago. With the Homelink ability in the app it's not just access to the car that concerns me, but more importantly the house. Other than removing the garage door opener from the car I don't see a way to prevent someone from getting into the house as there is no PIN option like there is for driving the car itself.

    Or am I missing something?

    Hopefully 2FA happens in a timely fashion and doesn't use some proprietary solution.
     
    • Like x 2
    • Disagree x 1
  15. CharleyBC

    CharleyBC Active Member

    Joined:
    Jun 28, 2019
    Messages:
    1,344
    Location:
    Talent, OR
    Yeah. We do the old low-tech thing of locking the door from the garage into the house. Still not perfect, but it’s something.
     
    • Funny x 1
  16. Deslah

    Deslah Member

    Joined:
    Jan 31, 2019
    Messages:
    67
    Location:
    Germany
    There is such a thing as overengineering. 2FA for my Tesla will be an example of such. Really hope we can disable it.
     
  17. iustin

    iustin Supporting Member

    Joined:
    Feb 5, 2020
    Messages:
    64
    Location:
    Switzerland
    Just checking - is this now available, or still pending?
     
  18. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,853
    Location:
    NJ
    * Insert wildly inaccurate time estimate from Elon here *

    Nothing yet and no clue as to when it will be available.
     
    • Disagree x 1
    • Funny x 1
  19. iustin

    iustin Supporting Member

    Joined:
    Feb 5, 2020
    Messages:
    64
    Location:
    Switzerland
    Thanks. Very strange, at least for the mobile app and web site adding 2FA should be trivial. Cars maybe more tricky.

    At least I guess this implies that no cars or not many have been stolen due to this…
     
  20. PoitNarf

    PoitNarf My dog's breath smells like dog food

    Joined:
    Jun 7, 2016
    Messages:
    2,853
    Location:
    NJ
    Read my post 8 above this one. Elon tweeted that they need to make changes to the OS used in Tesla corporate before they can tackle 2FA. All Elon said in terms of time frame is "coming soon" which can mean absolutely anything from 1 week to 1 year based on his track record.
     
    • Like x 1
    • Disagree x 1
