macrumors bot
Original poster
Smart home accessory company Nest today announced the addition of two-step authentication to its mobile apps for iOS and Android devices, which adds an extra layer of security against unauthorized access to a user's Nest account. The company said that these extra security measures can help prevent malicious access to private information, particularly camera feeds of Nest Cam products.

To activate two-step authentication, users can find a toggle menu in the Account Security settings of the official Nest app. After "2-step verification" is toggled on, users will have to sign in again by typing in a traditional email and password. Two-step authentication makes the process more secure by then texting a verification code to an approved device, which Nest owners will then have to enter into the app to gain access to their Nest products.

We all know data security is a moving target. Technology keeps advancing, but so do the people who want to break into your email, your credit card or any other account they can get their hands on. But your home is your safe haven, where private information should stay private. So today we're adding a new layer of security with the introduction of two-factor authentication.

You may have seen or used two-factor authentication before, probably to get into your email or bank account. It's simple but very effective - even if someone figures out your password, they still need to actually get their hands on your phone to get into your account. It takes a minute or two for our customers, but for hackers working from computers all over the world, things get a whole lot harder.

Nest said that this isn't the first time it has updated security across all of its products, and the company intends to continue rolling out security and privacy-focused tweaks to Nest Thermostats, Nest Protect smoke alarms, and Nest Cameras "as new technologies become available or we learn about new threats."

Article Link: Nest Adds Two-Step Authentication to Increase Security for Nest Cams and Thermostats
 
Guys, this is not 2 factor authentication. This is two step authentication. There is a difference!

Two factor identification makes sure it is gathering two of the following:
- something you have
- something you know
- something you are
- some people now also include "somewhere you are" as an additional factor, but this is still new

Two-step is not two factor... Apple for instance had two step auth before (and still does), but then it added true two-factor auth when codes were no longer sent via text message but rather sent directly to an approved device. That allowed for two-factor to be complete (something you know - a password - and something you have - a device).

Nest's release really makes a jumble out of this by calling it both "two step" and "two factor" simultaneously in their release. It sounds like the engineering guys are calling it "two step" correctly, but then the marketing guys got ahold of it and didn't know what they were talking about and called it two factor.
 
Very good explanation. This should be sent/posted to Nest to see if they correct their documentation.
 
two-step is not two factor... Apple for instance had two step auth before (and still does), but then it added true two-factor auth when codes were no longer sent via text message but rather sent directly to an approved device. That allowed for two-factor to be complete (something you know - a password - and something you have - a device).
This is not accurate. Technically, Apple's new system still isn't true two-factor authentication, because you can generate the security codes offline (using the "get verification code" function in the iCloud settings), which means the secret required to generate the codes is stored on the device and is thus technically "something you know" (you could potentially find the secret and copy it to a different device). SMS-based authentication is more "two factor" than that, since it requires having the phone (or more precisely the SIM belonging to the phone number) to receive the code.
 
No HomeKit? No way!
I contacted Nest support to ask if they had plans to offer HomeKit, and if not, why. They never responded. Will not buy another from these screwups.
Why would they? Nest is a competitor to HomeKit.
How is it a competitor to a home automation framework? It is only a device, just like Honeywell and Ecobee which happen to support the framework.
 
I don't think there's much difference between what Nest is doing and what Apple is doing.

The only difference I can see is that Apple is sending the verification code directly to the iOS device (because they can) instead of sending an SMS. Nest's approach still requires something you know (account password) and something you have (cell phone or another device that is linked to your cell number).
I contacted Nest support to ask if they had plans to offer HomeKit, and if not why. They never responded. will not buy another from these screwups.

One could make a cogent argument that HomeKit is "screwed up".

I've seen several posts on these forums from people who have HomeKit-enabled devices and, while they appreciate the security that HomeKit provides, they say that their HomeKit device(s) don't seem to consistently function as they should when they're being controlled with the Home app. Whether that's a problem with the Home app, HomeKit itself, or the device(s) in question, I'm not sure; but I've seen several posts talking about issues with HomeKit devices on these forums.

I don't have a dog in the fight one way or the other. I do know, however, that no one solution is the best answer for everyone. This market is still in its infancy where the average consumer is concerned and there's plenty of room for competition and growth for everyone in the market.
 
This is not accurate. Technically, Apple's new system still isn't true two-factor authentication, because you can generate the security codes offline (using the "get verification code" function in the iCloud settings), which means the secret required to generate the codes is stored on the device and is thus technically "something you know" (you could potentially find the secret and copy it to a different device). SMS-based authentication is more "two factor" than that, since it requires having the phone (or more precisely the SIM belonging to the phone number) to receive the code.

I'm not sure that just because you generate an offline verification code that means it's not two factor... there are crypto algorithms that, while not perfect and proven to have vulnerabilities, allow you to have reasonable assurance that a person has said device... no internet connection needed.

Apple's continued use of SMS/Text is problematic. I didn't realize they still allowed you to use that in two factor mode, but you are correct. The only thing you have proven to Apple is that the phone number is yours, but that doesn't mean that someone can't be snooping in on the phone number. Given how easy it is to do so vs a push notification to a device which is much more heavily encrypted, in my opinion SMS/Text should not be considered valid for two factor.

It is relatively trivial to snoop on SMS/Text. This is just one method - there are others: http://www.zdnet.com/article/how-ce...intercepted-are-you-concerned-yours-might-be/

Also, SMS/Text allows for the message to be forwarded.

Notifications going directly to the device entail a great deal more encryption and are much harder to break.
 
Guys, this is not 2 factor authentication. This is two step authentication. There is a difference!
Thanks for pointing that out, I fixed our wording to be more consistent.
 
I'm not sure that just because you generate an offline verification code that means that its not two factor... there are crypto algorithms that, while not perfect and have been proven to have vulnerabilities, they allow you to have reasonable assurance that a person has a said device... no internet connection needed.
The point is that algorithms that generate one-time codes are seeded with a secret key. If you know that key, you can generate the codes. If the key is stored somewhere where it can be accessed with reasonable effort, it becomes "something you know" instead of "something you have". I don't know how much effort Apple spent to protect the key that has to reside on every trusted iOS device to allow for the offline code generation.
Apple's continued use of SMS/Text is problematic. I didn't realize they still allowed you to use that in two factor mode, but you are correct. The only thing you have proven to Apple is that the phone number is yours, but that doesn't mean that someone can't be snooping in on the phone number. Given how easy it is to do so vs a push notification to a device which is much more heavily encrypted, in my opinion SMS/Text should not be considered valid for two factor.
This has nothing to do with the question whether it's two-factor or not. This is about the security of the code delivery mechanism. I don't know anything about the internals of Apple's delivery protocol, so I can't comment whether it's more or less secure than SMS. But overall, as you point out, Apple's system can't be more secure since it allows the use of SMS to deliver codes as well in addition to push notifications and offline codes.
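The point above, that the seed is the whole secret, is easiest to see with the standard TOTP algorithm (RFC 6238), which is what most authenticator apps use for offline codes. What follows is an added example written for this page, not code from Apple, Nest or anyone in this thread. It assumes plain RFC 6238 HMAC-SHA1 TOTP with 30-second steps and 6-digit codes; nothing on this page says which algorithm Apple's offline "get verification code" function actually uses, so that is an assumption. The example enrolls a device with a seed, shows a second party who has copied the seed producing the identical code, and includes the verifier's drift window, all with the standard library only.

```python
"""TOTP (RFC 6238) in the standard library only.

Added example (not from the thread): the seed shared at enrollment is the
entire secret, so any party holding a copy of it generates exactly the
same one-time codes as the legitimate device.
"""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30   # time-step length in seconds (RFC 6238 default)
DIGITS = 6  # code length most authenticator apps display


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(key, unix_time // step, digits)


def verify(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` steps to
    tolerate clock drift; compares in constant time to avoid timing leaks."""
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def enroll(nbytes: int = 20) -> bytes:
    """Generate a fresh seed at enrollment (160 bits for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def seed_for_qr(seed: bytes) -> str:
    """The base32 form that ends up in an otpauth:// URI / QR code. Anyone
    who photographs the QR code or reads the stored seed has the secret."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def cloned_seed_produces_same_code(seed: bytes, unix_time: int) -> bool:
    """The 'something you have' argument fails once the seed is copied: a
    second device holding the same bytes is indistinguishable to the verifier."""
    legitimate_device = totp(seed, unix_time)
    cloned_device = totp(bytes(seed), unix_time)  # attacker's copy of the seed
    return legitimate_device == cloned_device and verify(seed, cloned_device, unix_time)


if __name__ == "__main__":
    import time
    seed = enroll()
    now = int(time.time())
    print("seed (base32):", seed_for_qr(seed))
    print("code now     :", totp(seed, now))
    print("clone matches:", cloned_seed_produces_same_code(seed, now))
    # RFC 6238 Appendix B vector, SHA1, secret '12345678901234567890', T=59
    print("T=59 ->", totp(b"12345678901234567890", 59), "(expect 287082)")
```

The verifier only ever sees the six digits, so whether they came from the enrolled phone, a photograph of the enrollment QR code, or a seed lifted from a backup is invisible to it; that is the sense in which a copyable seed behaves like "something you know". What keeps it "something you have" in practice is how hard the platform makes that copy (hardware-backed key storage, no export path), which is exactly the detail the post above says is unknown for Apple's offline codes.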
 
I just want local "Cloud" storage.

Not likely to happen. Cloud storage is how Nest/Google gets a recurring revenue stream. That's very valuable to them. There are pros and cons to each. Obviously, if local storage of the video was an option, you would not have the subscription fee so that's a pro for the consumer. That said, local storage has the potential to be destroyed (either on purpose or inadvertently), stolen, etc. I'm sure Google is concerned more about getting the subscription revenue, though.
It is relatively trivial to snoop on SMS/Text. This is just one method - there are others: http://www.zdnet.com/article/how-ce...intercepted-are-you-concerned-yours-might-be/

With the method you linked to (which, I understand, is just one method) -- that's assuming I registered a standard cell number to receive the two-step verification SMS messages. I've got a VoIP line that accepts SMS and several Google Voice numbers that all obviously accept SMS. If someone wanted to find out which number I used badly enough, I'm sure they could; but most people wouldn't bother.
 
Using services that can forward SMS to other devices (e.g. via email) is far less secure than using a real mobile phone number (which is why e.g. banks often don't allow Google Voice numbers or similar for delivery of TANs). It also makes it decidedly "not two-factor", since the bad guys can intercept the codes if they know your email credentials (e.g. from phishing or otherwise hacking your account).

SIMs with modern encryption specifications are actually not easy to clone (unfortunately some carriers still use SIMs with less secure old encryption methods though). The bigger risk is that hackers have sometimes been able to convince phone companies to activate a phone number on a new SIM via social engineering, or capture the SMSs via malware that is running right on the phone (particularly common on Android).
 
Not likely to happen. Cloud storage is how Nest/Google gets a recurring revenue stream. That's very valuable to them. There are pros and cons to each. Obviously, if local storage of the video was an option, you would not have the subscription fee so that's a pro for the consumer. That said, local storage has the potential to be destroyed (either on purpose or inadvertently), stolen, etc. I'm sure Google is concerned more about getting the subscription revenue, though.

Agreed. But I would be willing to pay a smaller monthly fee to have local storage. But I'm probably in the minority.
 
so now only google can see what you are doing in your home :) it is a nice step forward though
 