On our most recent IoT Podcast, Thomas called in to the voicemail hotline with a question. Technically, it was more of a plea, but it’s an important one. So we decided to help amplify Thomas’s concern about the lack of 2FA, or two-factor authentication, on smart home devices.
In Thomas’s case, it’s the Flo by Moen Smart Water Security System. According to him, Moen said it would bring 2FA support roughly a year ago, which would add more protection to his Moen account. That hasn’t happened yet.
This means that on the Flo by Moen and other smart devices without 2FA support, consumers don’t have a second layer of account protection. While we often discuss IoT device exploits that require a network connection, losing control of a device account doesn’t always require network access.
Think of it this way: If a smart device is configured for remote access, as they often are, it can be accessed from anywhere through a supporting mobile app. To use that app, all you need is the account credentials. In theory, then, someone could get Thomas’s Moen account credentials and remotely disable the system monitoring without his knowledge.
With 2FA implemented, any ill-intentioned hackers would have to get through the second level of access before modifying his device. And that’s harder. 2FA often relies on a second device, dongle, USB key, or constantly rotating numeric code. Text messages are used for 2FA as well, but they’re inherently insecure.
I personally use 2FA on all of my devices, and support for it is now a factor in my purchase decisions for smart home gear.
Would I care if someone got my Wyze passwords and remotely accessed my smart bulbs? I wouldn’t be happy, but it wouldn’t be earth-shattering. I could simply unscrew the bulbs and/or replace them in a worst-case situation.
Connected devices that can control the water flow or temperature in my home, though? Those pose a potential danger and, even worse, destruction. Those are the devices that I would want 2FA support on the most, so I can appreciate Thomas’s disappointment on this one.
To hear Thomas’s question in full, as well as our discussion on the topic, tune in to the IoT Podcast below: