Aah, all is well in the world. So peaceful, so– wait, where's the 2FA on IoT apps? Oh my gawd
Nest adds two-factor auth – where's the rest of 'em?
Smart home poster child Nest has stolen a march on the rest of the smart-home industry by adding two-factor authentication to its systems.
From Tuesday, owners of Nest products can tie a mobile phone to their account and so require that anyone trying to access their data has to enter a six-digital code sent by text to that phone.
Although this approach is increasingly common for important online service such as email and bank accounts, the internet-of-things (IoT) marketplace has so far lived up to its appalling security reputation and failed to do likewise.
The vast majority of IoT and smart home products only require a username and password to log in to user accounts – something that is particularly concerning given that IoT products often provide extremely valuable and personal data about people's daily habits.
"Your home is your safe haven, where private information should stay private," said Nest's chief product officer Matt Rogers in a blog post announcing the change. He added, "Keeping your data safe is hugely important to us. And we're going to keep working to protect it."
For many smart home companies, the lack of two-factor auth is compounded by minimal restrictions on the password choice, so people are given every opportunity to prove how idiotic they can be by choosing terrible and easily guessed passwords.
And then of course there are the appalling security practices within the products themselves, such as failing to encrypt account or Wi-Fi passwords or communications between mobile phones and IoT devices.
In that respect, Nest continues to mark itself out as a leader in the smart home market. In recent tests conducted by The Register on smart home cameras, the NestCam was the only one that provided a consistent service; the others required frequent attention.
Nest's software also stands out thanks to intelligent analysis of data – particularly video – which makes the per-month subscription model that many IoT companies are trying to push on consumers worthwhile, rather than an expensive, glorified cloud storage system.
In addition, Nest is one of only a few smart home companies that has taken a smart approach to user accounts – allowing users to set up their own individual accounts and then connect them to the same home system, rather than the lazy workaround of setting up users under a single account.
That multi-user, single-home approach is critical in making two-factor auth feasible – otherwise everyone wanting to access an account would have to ask whoever has the phone tied to the account for the access code each time.
We tested Nest's new two-factor auth system and it worked simply and quickly. It also didn't require you to log in with a code sent to your phone when you are using that same phone – something that can be a hassle with other two-factor systems.
Nest is of course not the only company that currently offers two-factor authentication. Apple does too. Although Apple inadvertently highlighted just how complicated it can be to combine that additional level of security with easy use.
Living in an Apple universe
Apple's HomeKit system not only requires you to have the latest iOS operating system (v10), but you also need to own the latest version of the AppleTV (4th generation) and set up both your iCloud account and your mobile app for two-factor authentication to get it all working together. Unsurprisingly, users have reported that it is too much trouble to bother with.
There is another reason why having two-factor authentication on a smart home system is a good signpost for consumers: all too often IoT companies have hardware experience but are sorely lacking in software skills (even Samsung has failed miserably at this). Two-factor authentication not only demonstrates some degree of technical prowess, it also shows that the company will be constantly updating and monitoring its systems.
One of the biggest concerns about IoT devices – not just for users but also for internet engineers – is that poor security systems and unpatched, poorly maintained software is an open door to hackers.
Two of the biggest denial-of-service attacks ever recorded were recently put down to hacked IoT devices. Kids toys have been found to be leaking millions of hours of recordings. And then of course, there was the insecure toilet roll holder – which for many summed up the entire market in one go. ®