Nest Adds Two-Step Authentication to Increase Security for Nest Cams and Thermostats

Discussion in 'iOS Blog Discussion' started by MacRumors, Mar 7, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Smart home accessory company Nest today announced the addition of two-step authentication into its mobile apps for iOS and Android devices, which will act as an extra layer of security that prevents intrusions into a user's Nest account. The company said that these extra security measures can help prevent malicious access to private information, particularly camera feeds of Nest Cam products.

    To activate two-step authentication, users can find a toggle menu in the Account Security settings of the official Nest app. After "2-step verification" is toggled on, users will have to sign in again by typing in a traditional email and password. Two-step authentication makes the process more secure by then texting a verification code to an approved device, which Nest owners will then have to enter into the app to gain access to their Nest products.

    Nest said that this isn't the first time it has updated security across all of its products, and the company intends to continue rolling out security and privacy-focused tweaks to Nest Thermostats, Nest Protect smoke alarms, and Nest Cameras "as new technologies become available or we learn about new threats."

    Article Link: Nest Adds Two-Step Authentication to Increase Security for Nest Cams and Thermostats
     
  3. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #3
    Guys, this is not 2 factor authentication. This is two step authentication. There is a difference!

    Two factor identification makes sure it is gathering two of the following:
    - something you have
    - something you know
    - something you are
    - some people also now include "somewhere you are" as an additional factor now, but this is still new

    Two-step is not two factor... Apple for instance had two step auth before (and still does), but then it added true two-factor auth when codes were no longer sent via text message but rather sent directly to an approved device. That allowed for two-factor to be complete (something you know - a password - and something you have - a device).

    Nest's release really makes a jumble out of this by calling it both "two step" and "two factor" simultaneously in their release. It sounds like the engineering guys are calling it "two step" correctly, but then the marketing guys got ahold of it and didn't know what they were talking about and called it two factor.
     
  4. EdT macrumors 68000

    EdT

    Joined:
    Mar 11, 2007
    Location:
    Omaha, NE
    #4
    Very good explanation. This should be sent/posted to Nest to see if they correct their documentation.
     
  7. kuwxman macrumors 6502a

    kuwxman

    Joined:
    Jul 25, 2009
    Location:
    Olathe, KS
    #7
    Why would they? Nest is a competitor to HomeKit.
     
  8. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #8
    This is not accurate. Technically, Apple's new system still isn't true two-factor authentication, because you can generate the security codes offline (using the "get verification code" function in the iCloud settings), which means the secret required to generate the codes is stored on the device and is thus technically "something you know" (you could potentially find the secret and copy it to a different device). SMS-based authentication is more "two factor" than that, since it requires having the phone (or more precisely the SIM belonging to the phone number) to receive the code.
     
  10. mdelvecchio macrumors 68040

    mdelvecchio

    Joined:
    Sep 3, 2010
    #10
    I contacted Nest support to ask if they had plans to offer HomeKit, and if not why. They never responded. Will not buy another from these screwups.
    --- Post Merged, Mar 7, 2017 ---
    How is it a competitor to a home automation framework? It is only a device, just like Honeywell and Ecobee which happen to support the framework.
     
  11. avanpelt, Mar 7, 2017
    Last edited: Mar 7, 2017

    avanpelt macrumors 68030

    Joined:
    Jun 2, 2010
    #11
    I don't think there's much difference between what Nest is doing and what Apple is doing.

    The only difference I can see is that Apple is sending the verification code directly to the iOS device (because they can) instead of sending an SMS. Nest's approach still requires something you know (account password) and something you have (cell phone or another device that is linked to your cell number).
    --- Post Merged, Mar 7, 2017 ---
    One could make a cogent argument that HomeKit is "screwed up".

    I've seen several posts on these forums from people who have HomeKit-enabled devices and, while they appreciate the security that HomeKit provides, they say that their HomeKit device(s) don't seem to consistently function as they should when they're being controlled with the Home app. Whether that's a problem with the Home app, HomeKit itself, or the device(s) in question, I'm not sure; but I've seen several posts talking about issues with HomeKit devices on these forums.

    I don't have a dog in the fight one way or the other. I do know, however, that no one solution is the best answer for everyone. This market is still in its infancy where the average consumer is concerned and there's plenty of room for competition and growth for everyone in the market.
     
  12. longofest Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #12
    I'm not sure that just because you generate an offline verification code that means that it's not two factor... there are crypto algorithms that, while not perfect and have been proven to have vulnerabilities, allow you to have reasonable assurance that a person has said device... no internet connection needed.

    Apple's continued use of SMS/Text is problematic. I didn't realize they still allowed you to use that in two factor mode, but you are correct. The only thing you have proven to Apple is that the phone number is yours, but that doesn't mean that someone can't be snooping in on the phone number. Given how easy it is to do so vs a push notification to a device which is much more heavily encrypted, in my opinion SMS/Text should not be considered valid for two factor.
    --- Post Merged, Mar 7, 2017 ---
    It is relatively trivial to snoop on SMS/Text. This is just one method - there are others: http://www.zdnet.com/article/how-ce...intercepted-are-you-concerned-yours-might-be/

    Also, SMS/Text allows for the message to be forwarded.

    Notifications going directly to the device entail a great deal more encryption and are much harder to break.
     
  13. miknos Suspended

    miknos

    Joined:
    Mar 14, 2008
    #13
    Great. Now you just have to trust Google to have access to your camera!
     
  14. earthTOmitchel Contributing Editor

    earthTOmitchel

    Staff Member

    Joined:
    Mar 6, 2015
    Location:
    Louisiana
    #14
    Thanks for pointing that out, I fixed our wording to be more consistent.
     
  15. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #15
    The point is that algorithms that generate one-time codes are seeded with a secret key. If you know that key, you can generate the codes. If the key is stored somewhere where it can be accessed with reasonable effort, it becomes "something you know" instead of "something you have". I don't know how much effort Apple spent to protect the key that has to reside on every trusted iOS device to allow for the offline code generation.
    This has nothing to do with the question whether it's two-factor or not. This is about the security of the code delivery mechanism. I don't know anything about the internals of Apple's delivery protocol, so I can't comment whether it's more or less secure than SMS. But overall, as you point out, Apple's system can't be more secure since it allows the use of SMS to deliver codes as well in addition to push notifications and offline codes.
     
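    The seeded one-time-code generation discussed in posts #12 and #15, as an added example that is not from this thread and not Apple's or Nest's code: a minimal RFC 4226/6238 HOTP/TOTP generator with a skew-tolerant server-side check. DEMO_SEED is the RFC's published test secret (a constructed value, not a real credential), and seed_is_enough shows the point Rigby makes: a second device holding a copy of the seed produces identical codes with no network involved.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 SHA-1 test secret, NOT a real credential.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(seed, at // step, digits)


def verify(seed: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.

    Uses a constant-time comparison so the check itself leaks nothing about the code.
    """
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, at + delta * step, step), submitted):
            return True
    return False


def seed_is_enough(seed: bytes, at: int) -> bool:
    """The thread's point in code: two 'devices' sharing the same seed bytes emit the
    same code offline, so what is really proven is knowledge of the seed, which is only
    'something you have' as long as the seed cannot be read out of the device."""
    original_device = totp(seed, at)
    cloned_device = totp(bytes(seed), at)   # same seed material on a different device
    return original_device == cloned_device


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("current code:", code, "accepted:", verify(DEMO_SEED, code, now))
```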
  16. avanpelt macrumors 68030

    Joined:
    Jun 2, 2010
    #16
    Not likely to happen. Cloud storage is how Nest/Google gets a recurring revenue stream. That's very valuable to them. There are pros and cons to each. Obviously, if local storage of the video was an option, you would not have the subscription fee so that's a pro for the consumer. That said, local storage has the potential to be destroyed (either on purpose or inadvertently), stolen, etc. I'm sure Google is concerned more about getting the subscription revenue, though.
    --- Post Merged, Mar 7, 2017 ---
    With the method you linked to (which, I understand, is just one method) -- that's assuming I registered a standard cell number to receive the two-step verification SMS messages. I've got a VoIP line that accepts SMS and several Google Voice numbers that all obviously accept SMS. If someone wanted to find out which number I used badly enough, I'm sure they could; but most people wouldn't bother.
     
  17. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #17
    Using services that can forward SMS to other devices (e.g. via email) is far less secure than using a real mobile phone number (which is why e.g. banks often don't allow Google Voice numbers or similar for delivery of TANs). They also make it decidedly "not two-factor", since the bad guys can intercept the codes if they know your email credentials (e.g. from phishing or otherwise hacking your account).

    SIMs with modern encryption specifications are actually not easy to clone (unfortunately some carriers still use SIMs with less secure old encryption methods though). The bigger risk is that hackers have sometimes been able to convince phone companies to activate a phone number on a new SIM via social engineering, or capture the SMSs via malware that is running right on the phone (particularly common on Android).
     
  18. gaximus macrumors 6502a

    Joined:
    Oct 11, 2011
    #18
    Agreed. But I would be willing to pay a smaller monthly fee to have local storage. But I'm probably in the minority.
     
  19. thewolfro macrumors member

    Joined:
    Aug 27, 2009
    #19
    So now only Google can see what you are doing in your home :) It is a nice step forward though.
     
