Nest has finally added support for two-factor authentication to help give its user accounts greater security. On the surface, this is a good idea -- and plenty of people have said as much -- but it also begs a very obvious question: What the hell took them so long?
Two-factor authentication (2FA) requires users to get a secondary code (sometimes sent via SMS, sometimes accessed through an app like Google Authenticator or Authy) before they can access their account. It adds extra security, because it forces the user to have possession of a secondary device like a smartphone, in addition to the account password. While it isn't the end-all-be-all of security -- especially if served over text messages -- it's better than nothing.
Which is why it's so curious that Nest, a division of Alphabet, didn't have this feature already. Google has offered 2FA support for its accounts since 2010, and it acquired Nest back in 2014. Moreover, when you consider that aside from thermostats, Nest's big products are its indoor and outdoor internet-connected security cameras, it's a little disconcerting that the online account that lets people remotely view what is happening on their cameras (and past recordings if you pay for that feature) wasn't covered by 2FA until now.
When we asked Nest what took so long, we got this statement back:
From the beginning, Nest products have been designed and built with security in mind, and it's a topic that we take seriously today. Nest is one of the first companies to offer two-factor authentication for smart home products, which is simply an option for customers who would like to take advantage of an additional layer of security for their Nest account. Ultimately, security is an ongoing effort requiring investment, monitoring, and innovation. Nest offers regular software updates and new features to continue to deliver the best experience to customers.
Security is most certainly "an ongoing effort", but being "one of the first companies" to offer 2FA for smart home products doesn't mean we should be patting Nest on the back, either -- it's a basic security measure.
Of course, Nest is no stranger to security issues. Back in 2016, researchers at Princeton discovered that Nest thermostats were leaking customer postcodes, and while that was a fairly minor threat, the fact that data was leaking at all wasn't a particularly comforting bit of news.
Moreover, customers have been asking for the feature at least as far back as January 2016:
@Kyle_Craft_HS Hi Kyle! If 2 factor authentication is something you'd like to see in the future, let us know here: https://t.co/1GKKVDSmod
— Nest Support (@nestsupport) January 27, 2016
Given that the whole "internet of things" ecosystem is a constant security target by bad guys just itching to get inside your house, having the option of extra security isn't a crazy thing to ask for.
On one hand, this is a "better late than never" scenario. On the other hand, if it takes an Alphabet-owned company this long to add a basic security feature, what does it say about the state of IoT as a whole?