
Why is there no 2FA for Tesla accounts?

It seems to me that people against this might not understand how it would likely be implemented. The only implementation I desire is that 2FA is an option you can enable when logging into the Tesla app from a new device for the first time. If you get unexpectedly logged out of the Tesla app on your phone and re-login you would not be prompted for 2FA since Tesla has already seen your phone access your account before. Whether or not Tesla goes this route or decides on a different method remains to be seen, but my proposed implementation shouldn’t be much of a hindrance at all.
 
It seems to me that people against this might not understand how it would likely be implemented. The only implementation I desire is that 2FA is an option you can enable when logging into the Tesla app from a new device for the first time. If you get unexpectedly logged out of the Tesla app on your phone and re-login you would not be prompted for 2FA since Tesla has already seen your phone access your account before. Whether or not Tesla goes this route or decides on a different method remains to be seen, but my proposed implementation shouldn’t be much of a hindrance at all.
The man in the middle attack can take advantage of that and maintain control of the session they establish. That would give them complete control from the app for whatever the duration of the trust period.

That means they can track, unlock, start the car. They probably cannot remove the PIN to drive, so that brings some safety for those that use the pin feature.

But if someone can be tricked into social engineering (enter your Tesla credentials for free supercharger WiFi) there isn’t much to help them.

Edit to add - these same people might even respond to “we have increased our security - please enter your credit card on file so we can verify your account”.
 
The man in the middle attack can take advantage of that and maintain control of the session they establish. That would give them complete control from the app for whatever the duration of the trust period.

That means they can track, unlock, start the car. They probably cannot remove the PIN to drive, so that brings some safety for those that use the pin feature.

But if someone can be tricked into social engineering (enter your Tesla credentials for free supercharger WiFi) there isn’t much to help them.

Edit to add - these same people might even respond to “we have increased our security - please enter your credit card on file so we can verify your account”.

Granted there is no perfect solution to this. However, any method of 2FA is better than not having it at all.
 
The man in the middle attack can take advantage of that and maintain control of the session they establish. That would give them complete control from the app for whatever the duration of the trust period.
You mean a man-in-the-middle attack between the app and Tesla's API server? That shouldn't be possible assuming they have implemented SSL correctly.
 
You mean a man-in-the-middle attack between the app and Tesla's API server? That shouldn't be possible assuming they have implemented SSL correctly.

Not through the app. But they can still get a token that would allow control. Like TeslaFi and others. Correct?

As long as someone is willing to type in private info into a semi-convincing looking wifi presented web page.

I still think it's needed. But I don't think it solves as much as we would like.
 
Not through the app. But they can still get a token that would allow control. Like TeslaFi and others. Correct?
Not sure what we are discussing right now. What @PoitNarf mentioned above is that the app could be trusted after having gone through 2FA once, i.e. after the very first 2FA login it would store some kind of security token that would subsequently allow it to bypass the second authentication step for convenience. That security token should never be accessible to a man in the middle assuming that SSL (end-to-end encryption) is used properly.
As long as someone is willing to type in private info into a semi-convincing looking wifi presented web page.
Yes, that type of attack would still be possible assuming Tesla implements "traditional" 2FA with a code that needs to be entered on the web page.
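As an added example (not the poster's or Tesla's design), one way a server can implement the "trust this device after one 2FA login" flow described above: the app keeps an opaque random token, the server stores only a hash of it bound to the account and device with an expiry, and a password change revokes every remembered device. Account names, device ids and timestamps are constructed.

```python
import hashlib
import secrets

TRUST_PERIOD = 30 * 24 * 3600  # 30 days, the trust window suggested in the thread


class TrustedDevices:
    """Server side of 'remember this device'. Only a hash of the token is stored,
    so a leaked table cannot be replayed; each record is bound to one account
    and one device id and expires, which bounds how long a hijacked session lasts."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[str, str, int]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str, device_id: str, now: int) -> str:
        """Call only after BOTH the password and the second factor verified."""
        token = secrets.token_urlsafe(32)
        self._records[self._fingerprint(token)] = (account, device_id, now + TRUST_PERIOD)
        return token

    def is_trusted(self, account: str, device_id: str, token: str, now: int) -> bool:
        rec = self._records.get(self._fingerprint(token))
        if rec is None:
            return False
        acct, dev, expires_at = rec
        if now >= expires_at:
            del self._records[self._fingerprint(token)]  # expired: forget it
            return False
        return acct == account and dev == device_id

    def revoke_account(self, account: str) -> int:
        """On password change or 'disable mobile access': forget every device."""
        stale = [h for h, (acct, _, _) in self._records.items() if acct == account]
        for h in stale:
            del self._records[h]
        return len(stale)


def login(store, account, password_ok, device_id, token=None, now=0, second_factor_ok=False):
    """Returns 'denied', 'needs_2fa' or 'ok'. A trusted-device token stands in for
    the second factor but never for the password."""
    if not password_ok:
        return "denied"
    if token is not None and store.is_trusted(account, device_id, token, now):
        return "ok"
    return "ok" if second_factor_ok else "needs_2fa"
```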
 
One comment on 2FA for this is that it needs to be the TOTP type where you get the code from an app (Authy, 1Password, etc) and not a text message. Besides the inherent insecurity of SMS (google it), that restricts you to one phone. Many people use one login on several devices (several cars) and if you needed to re-login you would need a shared TOTP method.

Yes, you can set up different Tesla accounts for each car but that is a major pain.

It's possible to configure the same TOTP seed on multiple apps or devices. I've done it with AWS, for example.
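Added example (not from any poster) showing why a shared TOTP seed works across devices as described above: the code depends only on the seed and the clock, so every device provisioned with the same seed derives the same code, and the verifier tolerates a small clock-skew window. The seed is the RFC 6238 test-vector secret; the device names are constructed.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32); device names are constructed.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per time step


def totp(seed_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(seed_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    so a phone whose clock is a few seconds off still logs in."""
    return any(
        hmac.compare_digest(totp(seed_b32, now + k * STEP), submitted)
        for k in range(-window, window + 1)
    )


def codes_on_devices(seed_b32: str, devices: list[str], now: int) -> dict[str, str]:
    """Each device holding the same seed computes the same code locally;
    nothing is delivered to a single phone number as with SMS."""
    return {name: totp(seed_b32, now) for name in devices}


if __name__ == "__main__":
    now = 1234567890
    print(codes_on_devices(RFC6238_SEED, ["phone", "tablet", "password-manager"], now))
    print(verify_totp(RFC6238_SEED, totp(RFC6238_SEED, now), now + 20))
```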
 
I see this is a fairly old thread, though I just thought I'd see if anyone has heard of any more updates since May. I just created my Tesla account on Wednesday, and I haven't found any MFA options on the Tesla website. I was hoping I'd see an option to enable it after seeing the time frame of this conversation =/
 
I strongly agree. Note that even though you can't register a new phone as key without a key card, you can still steal the car if you only have the Tesla account password. I tested this by installing the Tesla app on an iPad (!) that has never been registered as a key.

1) Install app and log in using stolen password
2) Use the app to conveniently locate the vehicle you want to steal
3) If the car happens to sit in a garage, you can open it from outside via the car's Homelink function if Summon is enabled
4) Unlock the vehicle via the app
5) Use the keyless start function in the app with the stolen password to start the car
6) Drive away
We have PIN to Drive turned on. This thwarts your scenario by requiring step 5.5: Enter PIN.
 
We have PIN to Drive turned on. This thwarts your scenario by requiring step 5.5: Enter PIN.
This was covered earlier:
But can't you clear the PIN if you know the Tesla account username and password?

Yes. There is a link on the PIN entry dialog to do just that.

BTW, you can also use the password to conveniently disable mobile app access so the owner can't track you after you stole the car ...
2FA is definitely not the cure-all solution but I hadn't really sat down to think about the ease of accessing a vehicle (even if you can't drive away) until it was laid out in the post you quoted. I don't personally know what the right solution is, but relying on an app for the level of security we're offered definitely has its disadvantages. Even if we added biometrics to the vehicle, they would be easy to bypass.

At the end of the day, if a thief wants something, they're going to take it. That's why we pay for insurance.
 
Finally some new info from Elon: Elon Musk on Twitter

 
^ That's awesome. And while I'm somewhat surprised at the level of tech knowledge people have here, I'm also not :p

Considering the level of integration that the Tesla account has with your vehicle and your capability to charge and authenticate with the car, I'd say it's pretty critical that 2FA be enabled. Realistically, you can trust known devices like your phone for 30 days, and this will help balance the inconvenience while also adding a huge protection to your account.

Sure, if people want to steal something badly enough they can, but we should at least make it that much more difficult :)
 
Nice to see that 2FA is coming, it really should have been available some time ago. With the Homelink ability in the app it's not just access to the car that concerns me, but more importantly the house. Other than removing the garage door opener from the car I don't see a way to prevent someone from getting into the house as there is no PIN option like there is for driving the car itself.

Or am I missing something?

Hopefully 2FA happens in a timely fashion and doesn't use some proprietary solution.
 
Nice to see that 2FA is coming, it really should have been available some time ago. With the Homelink ability in the app it's not just access to the car that concerns me, but more importantly the house. Other than removing the garage door opener from the car I don't see a way to prevent someone from getting into the house as there is no PIN option like there is for driving the car itself.

Or am I missing something?

Hopefully 2FA happens in a timely fashion and doesn't use some proprietary solution.
Yeah. We do the old low-tech thing of locking the door from the garage into the house. Still not perfect, but it’s something.
 
Thanks. Very strange, at least for the mobile app and web site adding 2FA should be trivial. Cars maybe more tricky.

At least I guess this implies that no cars or not many have been stolen due to this…

Read my post 8 above this one. Elon tweeted that they need to make changes to the OS used in Tesla corporate before they can tackle 2FA. All Elon said in terms of time frame is "coming soon" which can mean absolutely anything from 1 week to 1 year based on his track record.
 