
Why is there no 2FA for Tesla accounts?

I am thinking about how to best protect my Model 3 with the given authentication methods.

Obvious things:
  • Strong password
  • Change password periodically
  • Use PIN to drive (even if it doesn't help when account data is compromised, but there are other cases, like a stolen/cloned key card)
Then, Tesla uses your email address as login name. To compromise, someone needs both that and the password. So using a non-public email address that you don't use for anything else should help. By default, forum and account logins are the same, but can be changed individually, which seems like a good idea, too. With regard to this - the Tesla account actually allows you to change your Email/Login name! Has anyone tried that? Seems like a feature I have not seen before and I am a bit afraid to lose access...

Good thing: I just changed my password to something stronger via the web browser on my laptop, and the phone instantly required me to enter the new password for access although I was already logged into the app.
 
Great, so then when someone grabs my phone they get both my car key AND my 2FA device...
Obviously getting your car key stolen is always a problem, but they can't do anything with the 2FA codes if they don't also steal your account password, so in no case will you be worse off than you are now. Besides, assuming Tesla supports standard TOTP, there are authenticator apps that protect the codes with a passcode or biometrics.
 
Obviously getting your car key stolen is always a problem, but they can't do anything with the 2FA codes if they don't also steal your account password, so in no case will you be worse off than you are now. Besides, assuming Tesla supports standard TOTP, there are authenticator apps that protect the codes with a passcode or biometrics.

Sure, I mean, it’s just kind of funny. My biggest fear (such as it is) regarding my tesla account is that if someone has my phone, they can drive away with my car. They don’t need to unlock the phone or anything, just carry it up to the car. So the ‘added security’ of sending codes to my phone, or using an app on my phone to generate codes, helps me not at all — it just makes it STILL WORSE if someone walks away with the phone!

Now, I’ve never had a phone stolen and this isn’t keeping me up at night. But I feel like if I was going to ask for one security thing, it would be for my wife’s phone to be able to instantly de-authenticate my phone and cause the car to come slowly to a stop if my phone is the ‘key’ allowing it to run. (Not to put additional weight on my phone as a security device.)
 
Sure, I mean, it’s just kind of funny. My biggest fear (such as it is) regarding my tesla account is that if someone has my phone, they can drive away with my car.
Sure. Same if they steal your wallet with the key card (or a traditional car key, for that matter). If you're really concerned about it you can use the PIN-to-Drive feature on a Tesla.
They don’t need to unlock the phone or anything, just carry it up to the car. So the ‘added security’ of sending codes to my phone, or using an app on my phone to generate codes, helps me not at all
It doesn't protect against a stolen phone, but it does provide additional protection in case someone steals or hacks your password.
it just makes it STILL WORSE if someone walks away with the phone!
Yes, but that has nothing to do with 2FA.
 
I see a lot of "be careful what you wish for" in this thread. My two cents: what we have isn't really broken, but what some of you are wishing for will needlessly add complexity and eventually break something for someone.
 
I see a lot of "be careful what you wish for" in this thread. My two cents: what we have isn't really broken, but what some of you are wishing for will needlessly add complexity and eventually break something for someone.
In terms of security what we have is terribly broken IMO. And in case you don't care, Tesla will very likely make 2FA optional like most other companies that offer it.
 
In terms of security what we have is terribly broken IMO. And in case you don't care, Tesla will very likely make 2FA optional like most other companies that offer it.
I certainly hope so. But reality shows that most companies initially provide optional 2FA, but then ram it down everyone's throat later down the road. Apple is a perfect example of that.
 
I certainly hope so. But reality shows that most companies initially provide optional 2FA, but then ram it down everyone's throat later down the road. Apple is a perfect example of that.
Actually Apple doesn't really force you to use it (they just don't let you turn it off if you are already using it). And I don't think "most" companies have similar policies (I can't think of a single example other than Apple?).
 
Actually Apple doesn't really force you to use it (they just don't let you turn it off if you are already using it). And I don't think "most" companies have similar policies (I can't think of a single example other than Apple?).
Not going to continue this with you. I'm against 2FA in this situation. I've said my piece. Feel free to keep talking over me if you so choose.
 
In terms of security what we have is terribly broken IMO. And in case you don't care, Tesla will very likely make 2FA optional like most other companies that offer it.

Exactly, any login you have today that doesn’t use 2FA is just waiting to be hacked. People use the same passwords everywhere. Once one hash is stolen and cracked, then your common password becomes readily available. Just look at haveibeenpwned.com to see all the online services that have already lost your info.

At some point we’re going to need 3FA to combat hacking. Something you know, something you have, and something you are (face, fingerprint, etc).
 
Tesla currently has the ability to access your car to download OTA updates. They can remotely unlock the doors, give you emergency access, track your car, track your data stream from video and sensors. They can remotely diagnose any problems you might be having and even warn you if a part is acting up and arrange for you to take it into your local service and have the part waiting for you when you arrive.

Would they still have this capability with the additional personal security?
 
One comment on 2FA for this is that it needs to be the TOTP type where you get the code from an app (Authy, 1Password, etc) and not a text message. Besides the inherent insecurity of SMS (google it), that restricts you to one phone. Many people use one login on several devices (several cars) and if you needed to re-login would need a shared TOTP method.

Yes, you can set up different Tesla accounts for each car but that is a major pain.
 