Require Two Factor Authentication for App



Require two-factor authentication when accessing the Tesla app.


The login to Tesla's website and their app gives a lot of control over the car: disabling the alarm system, activating the car, unlocking doors, opening the trunk and frunk, bypassing the security PIN to drive the car, and tracking the car at any moment.

Unfortunately, the login security is minimal, making it very easy to hack/hijack, which gives full control of every Tesla vehicle of a given owner.

A few methods to steal this username and password are:
* Social engineering
* Emails that lead people to enter their username and password on compromised websites
* Apps that promise features for the car but steal the credentials
* Fake Tesla Wi-Fi close to Superchargers, as demonstrated in this video:

To reduce the risk to users, Tesla should add 2FA (Two-Factor Authentication), U2F (Universal Two-Factor), and/or MFA (Multi-Factor Authentication). Those methods already have many open-source implementations that can be used to simplify the work.

The 2FA can use a token compatible with many apps, like Google Authenticator, 1Password, and many others, by SMS, and/or by email.

U2F uses biometric or hardware token integration, like Touch ID, Face ID, and others, not only to open the app but also to sign the login communication.

MFA is the possibility of using multiple factors at the same time, like requiring the token and clicking an email link before allowing the app login.

Once the user is logged in, there is no need to request this every time the app is opened or the website is opened on a trusted computer. However, if a hacker attempts to steal the credentials, it will be fairly hard or maybe impossible for them to get a successful connection to accounts that have one or more safety features enabled.

Moderator: Seems to be a solution looking for a problem. Unaware of this ever being a real issue, although theoretically possible. Could be of value to those who don’t have good control of their phone and are unwilling to lock it. The app does have an option for fingerprint authentication.



lightly edited by moderator
Category: CY3XS Applies to:
     Created 8-May-2019
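As an added illustration of the "token compatible with many apps" option in the suggestion above (this is example code written for this page, not code from the post's author or from Tesla), here is the backend side of an RFC 6238 TOTP check, the scheme Google Authenticator and 1Password implement. The secret, time values and the 30-second step are the RFC's own test parameters; the `Verifier` type, its one-step clock-skew window and its "never accept a time step already used" rule are this example's design choices, not anything the post specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTPStep is the RFC 6238 default time step in seconds.
const TOTPStep = 30

// TOTPAt returns the RFC 6238 TOTP code (HMAC-SHA1, 30 s step) for a shared
// secret at a given Unix time. The authenticator app on the phone computes
// the same value; the backend computes its own copy and compares.
func TOTPAt(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/TOTPStep))

	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.4): the low nibble of the last
	// byte selects a 4-byte window, and the top bit is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the backend-side check for one account. lastCounter is the
// most recent time step already accepted, so a captured code cannot be
// replayed inside its validity window (RFC 6238 section 5.2).
type Verifier struct {
	Secret      []byte
	Digits      int
	lastCounter int64
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{Secret: secret, Digits: digits, lastCounter: -1}
}

// Verify accepts the code for the current step or one step on either side
// (phone clock skew), compares in constant time, and refuses any step at or
// before one that was already used.
func (v *Verifier) Verify(candidate string, now int64) bool {
	matched := int64(-1)
	for _, skew := range []int64{-TOTPStep, 0, TOTPStep} {
		t := now + skew
		expected := TOTPAt(v.Secret, t, v.Digits)
		// No early break: every candidate does the same amount of work.
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			matched = t / TOTPStep
		}
	}
	if matched < 0 || matched <= v.lastCounter {
		return false
	}
	v.lastCounter = matched
	return true
}

func main() {
	// Constructed demo secret: the RFC 6238 Appendix B test secret, not a real one.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret, 6)
	now := time.Now().Unix()
	code := TOTPAt(secret, now, 6) // what the authenticator app would display
	fmt.Println("code:", code, "accepted:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

SMS and email delivery of codes differ only in how the code reaches the user; the replay and skew handling on the backend is the same.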


@valhalla I believe this is an optional feature, just like using the app on your phone is mostly optional, since the car has a key fob or (for Model 3) cards to give direct access to it.

I have never been in a situation where I needed to log in from someone else's phone. I can say that not only for accessing my MX, but for anything else I use, because I have 2FA enabled on absolutely everything that supports it, and U2FA for highly sensitive data access.

Another thing: I don't know if it's possible, but the Model 3 has passive NFC; maybe it could be used, with Android at least, as a method of U2FA, so even if someone hijacks your password it will be useless, because the login would also require communicating with the physical key card.

Other safety measures they can enable: notify when a new device connects to the account.

If there are devices already connected to the account, require authorization from one of the existing devices, and/or an email link to authorize it.

Another easy way to implement a safety feature is to only allow logging in to the app if the phone is paired with the car's Bluetooth. This would prevent someone from hijacking the password, since they would also need to convince the owner to pair their phone with the car.

How to implement the Bluetooth pairing access for the phone app login:

  1. The user opens the app and types the username and password, then goes to a waiting activation screen with details on how to pair with the car's Bluetooth;

  2. The app can generate a private key (use the phone's API if it has native support, because the private key will be stored in a secure chip);

  3. When the car pairs with the phone and the app on the phone is open, it should send a public key over Bluetooth to the car;

  4. The car forwards the public key over its internal network to the car DB access;

  5. The app backend sends a challenge message to the phone;

  6. The phone uses the private key to sign it and sends it back to the backend;

  7. The backend validates the challenge message signature with the public key it received from the car;

  8. Then it can use JWT or even cookies (with HTTPS) to keep the session, and repeat the challenge every time the session expires;

  9. The phone is logged in.

If the car removes the phone's Bluetooth access, it should tell the backend to remove the public key from the list, so that phone won't be able to communicate with the backend any further. In the car, the Bluetooth menu can have a switch to allow the phone to remotely manage the car or not, and/or an on-screen confirmation that the phone can have remote access to the car using the app.
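The nine steps above plus the unpairing paragraph, worked through as an added example (this is illustration code written for this page, not the commenter's code and not anything Tesla ships). It assumes Ed25519 for the key pair and signatures (the post does not name an algorithm), a 32-byte random challenge, in-memory maps standing in for the backend's database, and a `phoneID` string identifying each paired phone; the Bluetooth hop and the car's internal network are collapsed into a direct call to `RegisterFromCar`, since the point is what the backend trusts and why.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backend models the app backend of the post. trustedKeys holds the public
// keys the car forwarded (step 4); pending holds the outstanding challenge
// per phone (step 5). Both are in-memory maps here, assumed for the example.
type Backend struct {
	trustedKeys map[string]ed25519.PublicKey
	pending     map[string][]byte
}

func NewBackend() *Backend {
	return &Backend{
		trustedKeys: map[string]ed25519.PublicKey{},
		pending:     map[string][]byte{},
	}
}

// RegisterFromCar is where step 4 lands. Only a key that arrived via the
// car's channel is trusted; the phone never registers its own key directly.
func (b *Backend) RegisterFromCar(phoneID string, pub ed25519.PublicKey) {
	b.trustedKeys[phoneID] = append(ed25519.PublicKey(nil), pub...)
}

// Revoke is the unpairing path: the key is dropped, so every later
// challenge for that phone fails.
func (b *Backend) Revoke(phoneID string) {
	delete(b.trustedKeys, phoneID)
	delete(b.pending, phoneID)
}

// NewChallenge (step 5) issues 32 random bytes and remembers them, so a
// signature can only answer the challenge that was actually issued.
func (b *Backend) NewChallenge(phoneID string) ([]byte, error) {
	if _, ok := b.trustedKeys[phoneID]; !ok {
		return nil, errors.New("phone not paired with any car")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	b.pending[phoneID] = c
	return c, nil
}

// Verify (step 7) checks the signature with the stored public key. The
// challenge is consumed whether or not the check passes, so a captured
// signature cannot be replayed.
func (b *Backend) Verify(phoneID string, sig []byte) bool {
	c, ok := b.pending[phoneID]
	if !ok {
		return false
	}
	delete(b.pending, phoneID)
	pub, ok := b.trustedKeys[phoneID]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, c, sig)
}

// Phone holds the key pair from step 2. On a real device the private key
// would stay in the secure element / keystore; here it is in memory.
type Phone struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewPhone(id string) (*Phone, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Phone{ID: id, priv: priv}, nil
}

// PublicKey is what the phone hands to the car over Bluetooth (step 3).
func (p *Phone) PublicKey() ed25519.PublicKey {
	return p.priv.Public().(ed25519.PublicKey)
}

// Sign is step 6.
func (p *Phone) Sign(challenge []byte) []byte {
	return ed25519.Sign(p.priv, challenge)
}

// Login runs steps 5 to 9 for one phone; true means the backend would now
// issue the session token of step 8.
func Login(b *Backend, p *Phone) bool {
	c, err := b.NewChallenge(p.ID)
	if err != nil {
		return false
	}
	return b.Verify(p.ID, p.Sign(c))
}

func main() {
	backend := NewBackend()
	phone, _ := NewPhone("owner-phone")
	fmt.Println("before pairing:", Login(backend, phone)) // false
	backend.RegisterFromCar(phone.ID, phone.PublicKey())   // the car forwards the key
	fmt.Println("after pairing:", Login(backend, phone))   // true
	backend.Revoke(phone.ID)
	fmt.Println("after unpairing:", Login(backend, phone)) // false
}
```

The property the commenter is after falls out of `Verify`: a stolen username and password get an attacker as far as `NewChallenge`, but without the private key that only the paired phone holds, no signature the backend will accept can be produced, and once the car revokes the key even the owner's phone has to pair again.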

For third-party apps on the phone, it could authorize access to the API using an intent URL to validate the OAuth2 callback request. This would also allow the owner to revoke access from those third-party apps, and by not giving them the password, it would prevent them from doing unethical things like hijacking the user account and changing its email and password.

Then Elon Musk can claim he has the most secure tech car in the world.
    Created 2-Jul-2019
Ugh, this is a double-edged sword, as I really like the added security, but have at least one time needed to borrow a phone to open my car, as mine had no power.
    Created 2-Jul-2019
Make sure to support solid hardware-based 2FA such as FIDO U2FA!

    Created 13-May-2019