Aah, all is well in the world. So peaceful, so– wait, where's the 2FA on IoT apps? Oh my gawd

Smart home poster child Nest has stolen a march on the rest of the smart-home industry by adding two-factor authentication to its systems. From Tuesday, owners of Nest products can tie a mobile phone to their account and so require that anyone trying to access their data has to enter a six-digit code sent by text to that …

  1. Anonymous Coward

    Google can't even get their subsidiary to use their own 2FA tools

    While I expect that this has more to do with ensuring they have your cell phone number, it is a shame that Nest didn't deploy Google Authenticator instead of SMS. Text messages fall far behind most of the other 2FA solutions. They fully depend on multiple third parties, any one of which can remove or inadvertently break security, or pass what should be a secure message with no security at all.

    On the flip side it also costs more and requires always-on phone/network connectivity.

    1. Fazal Majid

      Re: Google can't even get their subsidiary to use their own 2FA tools

      Yes, SMS-based 2FA is deprecated by the current drafts of the NIST SP 800-63-3 authentication standard, and due to be banned altogether in the next. SMS relies on the abysmal security of GSM standards and can be spoofed by a DIY Stingray involving about $2000 worth of hardware and GNU Radio.

      This is security theater at best.

    2. theblackhand

      Re: Google can't even get their subsidiary to use their own 2FA tools

      While you bring up many valid concerns around using mobiles for 2FA, the real issue for IoT devices isn't whether they use 2FA.

      It's the built-in accounts that aren't publicly known (yet) or the "maintenance" access with password access.

      Where the password is "changeme" or "Password"....

      1. chuckufarley Silver badge

        Re: Google can't even get their subsidiary to use their own 2FA tools

        If 2FA is ever going to be taken seriously by the masses it needs to be everywhere. Even on the comments section of El Reg.

        1. Anonymous Coward

          Re: Google can't even get their subsidiary to use their own 2FA tools

          Plus the dependence on the cloud. Google or Amazon or whatever service your home automation depends on is down? Better hope you still have a non-automated way of opening your front door, or whatever it was you were expecting to do.

          1. Tom 38

            Re: Google can't even get their subsidiary to use their own 2FA tools

            2FA doesn't require cloud or interactivity. TOTP devices (like Google Authenticator) need to be given a secret key to be paired, after which the token device doesn't need any connectivity, it just needs to be able to tell/keep time effectively.

            Admittedly, anything Nest related relies on connectivity, but limitations of connectivity are not a barrier to implementing 2FA on any service.

  2. Nick Kew

    Lots of hassle. Little extra security.

    "Sim swap fraud" has reached the point where a google search will turn up a whole load of stories of fraudsters beating 2FA. And that's not the techie press, it's the likes of the Torygraph, Grauniad, and BBC.

  3. Anonymous Coward

    You know what's even better than 2-factor authentication?

    Air gap.

    1. Anonymous Coward

      Re: You know what's even better than 2-factor authentication?

      Why airgap it, when you can just omit the computer in the first place, making it even cheaper in the process?

      1. Dave 126 Silver badge

        Re: You know what's even better than 2-factor authentication?

        As I noted this week, the established home automation systems (as used by very rich people for years) tend to be hard-wired into the house. They can afford to have the walls redecorated after installation. Not being wireless drastically reduces attack surfaces.

        Similarly, my car - like most - is a network of sensors and actuators... but it doesn't have a wireless connection to anything.

    2. Anonymous Coward

      Re: You know what's even better than 2-factor authentication?

      My Home Appliance Control System is totally secure. I use it to control my Central Heating, the TV/Fridge/Cooker/Washing Machine - everything in fact!

      And what's this amazing device? It's called the Mark 1 Finger...

  4. Frumious Bandersnatch

    "Your home is your safe haven"

    Pshaww! It's my castle, and nothing less.

    I will not have you denigrating the sanctity of my ancestral demesne, replacing it with the fig leaf of this "Safe Haven", as you call it.

    (Gaston, fetchez la vache)

  5. Voland's right hand Silver badge

    Err... There will NEVER BE 2FA on true IoT

    At the bottom layer standard compliant IoT is supposedly compliant to ONVIF. The ONVIF security profile specifies a choice of two types of web auth. That's all.

    The actual device WSDL files used in the SOAP to transport ONVIF have remnants of other SOAP methods - x509, keys, etc, but again NO 2FA.

    The fundamental reason is that IoT is Machine To Machine. 2FA does not belong there. You cannot have 2FA when two dumb pieces of electronics are talking to each other. So even if we replace the horrid SOAPy abomination called ONVIF in the bottom layer, its M2M nature will stay. That means that the architectural impossibility of doing 2FA without a third "cloudy"/"orchestration" participant will stay too - the actual "things" do not have what it takes to do 2FA.

    2FA comes into the puzzle only once you add a cloud service and when a human authenticates to that. That is not IoT - it is the cloud service (not for local services) interface to it.
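
What the "web auth" in the ONVIF profile actually amounts to, as an added example that is not from the original thread, from the ONVIF specification or from any device vendor: the WS-Security UsernameToken with PasswordDigest that ONVIF's SOAP interface accepts, with the client side building the token and the device side checking it. The username, password, nonce and Created timestamp are constructed, the five-minute freshness window is an assumption (the spec leaves the tolerance to the device), and `users` stands in for whatever credential store a real device has. Every field the device can verify derives from one shared password; the nonce and Created only stop replay of a captured token, they add no second factor.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile: Base64(SHA-1(nonce || created || password)).
    The nonce is the raw bytes, Created is the timestamp string as sent."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def build_username_token(username: str, password: str,
                         nonce: bytes = None, created: str = None) -> dict:
    """Client side (e.g. an NVR or phone app talking to a camera): the four fields
    of a <wsse:UsernameToken> carrying a PasswordDigest."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
    }


def username_token_xml(tok: dict) -> str:
    """The security header as it travels inside the SOAP envelope."""
    return (
        "<wsse:UsernameToken>"
        f"<wsse:Username>{tok['Username']}</wsse:Username>"
        '<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-username-token-profile-1.0#PasswordDigest">'
        f"{tok['PasswordDigest']}</wsse:Password>"
        f"<wsse:Nonce>{tok['Nonce']}</wsse:Nonce>"
        f"<wsu:Created>{tok['Created']}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def verify_username_token(users: dict, tok: dict, now: datetime,
                          seen_nonces: set, max_skew_s: int = 300) -> bool:
    """Device side: recompute the digest from the stored password and compare in
    constant time, after rejecting stale Created values and reused nonces.
    `users` maps username -> plaintext password, which is what the digest scheme forces
    the device to keep (an assumption about storage, but the digest cannot be computed
    from a salted hash)."""
    password = users.get(tok.get("Username"))
    if password is None:
        return False
    try:
        created_dt = datetime.strptime(tok["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(tok["Nonce"], validate=True)
    except (KeyError, ValueError):
        return False
    if abs((now - created_dt).total_seconds()) > max_skew_s:
        return False                      # too old or too far in the future
    if nonce in seen_nonces:
        return False                      # replay of a captured token
    expected = password_digest(nonce, tok["Created"], password)
    if not hmac.compare_digest(expected, tok.get("PasswordDigest", "")):
        return False
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    users = {"admin": "changeme"}         # constructed credential store
    tok = build_username_token("admin", "changeme")
    print(username_token_xml(tok))
    print("accepted:", verify_username_token(users, tok, datetime.now(timezone.utc), set()))
```

The replay cache is the only state the device has to keep, and the whole check collapses to "does the caller know the password": a second device talking M2M has the same password baked in, so there is nothing for a second factor to attach to, which is the commenter's point. Note too that over plain HTTP the digest is an unsalted SHA-1 of a short password plus values sent in the clear, so a captured header is offline-guessable; TLS, not the digest, is what protects the credential.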

  6. Anonymous Coward

    "Multi user systems"

    "That multi-user, single-system approach is critical in making two-factor auth feasible"

    The 1970s/1980s called. They said, "thank you for re-inventing one approach to how authentication is supposed to be done properly. Shame it took you so long, we were here all the time, if only you'd been willing to learn from history, rather than repeat the mistakes. And then you went and spoiled it by using not entirely ubiquitous, but entirely insecure nowadays, SMS"

    Mind you I'm still not sure what happens when there's a conflict between two authorised users e.g. who want the lounge at two very different temperatures. There are probably precedents for this as well.

    Nor am I sure about "recent tests conducted by The Register on smart home cameras, the NestCam was the only one that provided a consistent service; the others required frequent attention." - shouldn't there be a link with that? Lots of lesser things got linked in the article.

    Anyway, thanks for the info, 'tis appreciated.

    1. Dave 126 Silver badge

      Re: "Multi user systems"

      > Mind you I'm still not sure what happens when there's a conflict between two authorised users e.g. who want the lounge at two very different temperatures. There are probably precedents for this as well.

      The computer encourages the two humans to fight to the death, or until one concedes control of the thermostat to the other.

    2. Tom 38

      Re: "Multi user systems"

      I'm still not sure what happens when there's a conflict between two authorised users e.g. who want the lounge at two very different temperatures. There are probably precedents for this as well.

      Presumably similar to how it happens with a manual thermostat, but with less walking?

      She feels cold, checks the thermostat, tuts, changes it up, I feel warm, check the thermostat, tut, turn it back down (repeat until we go to sleep and start fighting over whether we use the thick or thin duvet)

      1. Anonymous Coward

        Re: "Multi user systems"

        "Presumably similar to how it happens with a manual thermostat, but with less walking?"

        Plus the added opportunity for adjusting the thermostat from the other side of the street (or the other side of the world), at least till the "smart meter" turns the electricity off remotely. Isn't progress wonderful.

  7. Mage Silver badge

    Yawn

    It's irrelevant Nest / Google PR.

    Google is still getting all the info.

    Something that should not need a 3rd part server is using a 3rd party server.

    1. Dave 126 Silver badge

      Re: Yawn

      If one searches for 'open source home automation', a few different projects will show up. I haven't looked any deeper, but the code can be audited - though of course that isn't easy.

      1. DropBear

        Re: Yawn

        To be fair, I can see the appeal of something that Just F####ing Works. There are exactly two models of wireless* thermostatic valve in this entire region of Europe yet every single "home automation" project I checked so far failed to just present their controls to me on a GUI** even though the underlying radio lib sees and recognizes them just fine every time. I'd literally have to rewrite one of them to get them to work (considering even if they know thermostats they assume a completely different, US-centric device model), and I'm just not good enough for that... :(

        * I need the state of each so I can control the heater...

        ** I might even get by setting them from a shell script - my mom, not so much...

  8. Fitz_
    1. kierenmccarthy

      Re: A good move, but not the first

      And that is why I included several paragraphs on it in the story.

      Is it that hard to read to the end before commenting?

      Kieren

  9. Amos1

    Good first move by Nest but it took way too long and their "family accounts" are not that good

    Before Nest killed off their community forums 2FA was a major request, probably only second to not installing firmware updates when no one was home to deal with the aftermath of borked equipment.

    I wonder when Nest will tell their customers because they haven't done that yet.

    Their Family Accounts need work because once you set up additional accounts they all are administrators of the systems. There's no way to limit who can change what setting. Probably the best feature is that the system uses geolocation and can turn on the interior cameras after everyone has left the house and turn them off when the first person comes back.

    Probably the worst feature is that they, get this, only send one alert per "zone" per camera every thirty minutes. So if your kid comes home from school and the outdoor camera tells you, anyone can break in for the next thirty minutes and the camera alerts stay off. Dumb, dumb, dumb.

    They trumpet their algorithms for motion detection but they can't automatically reset the alerts when motion in a zone has stopped for a minute? The support case I had open replied with "If your neighbor is mowing his lawn we don't want to annoy you." I replied with "So your system isn't smart enough to re-arm the sound alerts when his lawnmower stops?"

  10. Dan 55 Silver badge

    2FA for IoT?

    You'll be lucky if you get 1FA.

    Usually it's SFA.
