
Why is there no 2FA for Tesla accounts?


PoitNarf
I am still quite surprised that there is no 2FA (two factor authentication) option for our Tesla accounts. I have this enabled for pretty much every account I have that offers it. I know that even if my credentials somehow got compromised someone wouldn’t be able to add their phone as a key to my car without my key card, but I still would feel more secure knowing that 2FA is at least an option to protect access to my Tesla account on their website.
 
I strongly agree. Note that even though you can't register a new phone as key without a key card, you can still steal the car if you only have the Tesla account password. I tested this by installing the Tesla app on an iPad (!) that has never been registered as a key.

1) Install app and log in using stolen password
2) Use the app to conveniently locate the vehicle you want to steal
3) If the car happens to sit in a garage, you can open it from outside via the car's Homelink function if Summon is enabled
4) Unlock the vehicle via the app
5) Use the keyless start function in the app with the stolen password to start the car
6) Drive away
 
> I strongly agree. Note that even though you can't register a new phone as key without a key card, you can still steal the car if you only have the Tesla account password. I tested this by installing the Tesla app on an iPad (!) that has never been registered as a key.
>
> 1) Install app and log in using stolen password
> 2) Use the app to conveniently locate the vehicle you want to steal
> 3) If the car happens to sit in a garage, you can open it from outside via the car's Homelink function if Summon is enabled
> 4) Unlock the vehicle via the app
> 5) Use the keyless start function in the app with the stolen password to start the car
> 6) Drive away

!!!! Didn't realize it would be this easy to do! :eek:

We should all start tweeting Elon about this.
 
I'd much prefer if they just used standard TOTP (which is what Google Authenticator and many other apps use) rather than a proprietary solution.
Of course, that's what supporting 2FA means. TOTP is what Google Auth, Authy, 1Password, and all of them use internally. (I'm sure you know this, but you see apps recommending 'use Google Auth' all the time and I hate it because you can't easily back up your data from it unless that's changed recently. I wanted to clarify for the general population.)

I use a 25 character random password from 1Password and also PIN to drive on my X, so I'm not too worried about access. Anyone that doesn't use a password manager and a suitably long unique password for each account (especially including Tesla) has other issues with security! :D
 
> I use a 25 character random password from 1Password and also PIN to drive on my X, so I'm not too worried about access.
As mentioned above, PIN to drive doesn't protect you against a thief with a stolen password. So yes, it is very important to choose a secure password and protect it well. I would also recommend not to use any 3rd party apps that require entering the Tesla password (you never know how well they protect it or if you can trust them).
 
I just tried it on my 3 (50.6) using a tablet that has not been authorised as a key. Using remote start and unlock, the car doesn't even prompt for the PIN. PIN to drive is useless in this scenario. At least make the thief have to enter my extremely long and complicated password one more time to disable it.

2FA is needed to close this security loophole.
 
> As mentioned above, PIN to drive doesn't protect you against a thief with a stolen password. So yes, it is very important to choose a secure password and protect it well. I would also recommend not to use any 3rd party apps that require entering the Tesla password (you never know how well they protect it or if you can trust them).
Yes, I read your post :) If someone steals Tesla's password database, we are all in trouble. So, as I said, the issue is for people not to use crappy passwords.

Beyond that, you can be as paranoid as you like about third party apps. That conversation has been done here a hundred times. Seems like we can never stop rehashing (lol) things.
 
> I'd much prefer if they just used standard TOTP (which is what Google Authenticator and many other apps use) rather than a proprietary solution.

Duo isn't really proprietary in the sense of methods, and it's open and free for personal use and open and free for companies to integrate. It allows users the option of HOTP, SMS, Call, Push, U2F/WebAuthn, etc. It also works with things like wearables, etc. It's not the only option; I'd like to see at minimum an SMS and OTP solution. For what it's worth, the free Duo mobile app can also do TOTP just like Authenticator. I use it for a combination of things including SSH/RDP protection, Password Managers, VPN protection and legacy TOTP "Authenticator" stuff. I just named it because it's SUPER easy and open for any manufacturer/vendor (Tesla) to develop into an app/service (like a matter of minutes for a good API programmer). It's more flexible than just TOTP and provides potentially more secure options.
 
> Duo isn't really proprietary in the sense of methods, and it's open and free for personal use and open and free for companies to integrate. It allows users the option of HOTP, SMS, Call, Push, U2F/WebAuthn, etc. It also works with things like wearables, etc. It's not the only option; I'd like to see at minimum an SMS and OTP solution. For what it's worth, the free Duo mobile app can also do TOTP just like Authenticator. I use it for a combination of things including SSH/RDP protection, Password Managers, VPN protection and legacy TOTP "Authenticator" stuff. I just named it because it's SUPER easy and open for any manufacturer/vendor (Tesla) to develop into an app/service (like a matter of minutes for a good API programmer). It's more flexible than just TOTP and provides potentially more secure options.

Given that Cisco bought Duo, it’s only a matter of time before everything you like about it is gone.
 
Probably best for a more low key way of suggesting a resolution. Tweeting Elon the method to steal a Tesla seems counterproductive.

I disagree. The more well known the current vulnerabilities are the more likely it will grab the attention of their system admins, software developers and executives. Just look at what happened with that Group FaceTime bug that went public and Apple was forced to quickly offer an emergency patch to fix the exploit. Besides, I’ve already tweeted Elon about this but my tweet went like this:

Any plans to have 2FA for Tesla accounts?
I made no mention of any potentially exploitable situation that 2FA would solve. I’d be genuinely shocked if they weren’t already aware of how dangerous compromised Tesla account credentials would be in a theft situation.
 
> Are the 3rd party apps storing login/pass in their databases or using some sort of API to Tesla's DB? If the former, their level of security is a joke and I would not use such apps.
You have a rather rudimentary understanding of security. Passwords are, fundamentally, a poor single method of security. The long ago accepted concept is “something you have” and “something you know”. Password managers combine the two, but add the layer of uniqueness to the “something you know” to every password in use. They offer benefits like telling you when a particular site has been breached and inform you to change the password. They offer a built-in mechanism for TOTP. And they offer a manageable one to use randomly generated, unique passwords for every site. If you think a password manager makes you less secure, then have at it.

Many of us now also benefit from the poor practices of almost everyone else. The chance any of my accounts will be breached and accessed is mitigated by the vast majority of people who make it easy to breach their accounts. There's actually more security offered to those of us who use additional layers of security because so many others don't.