At long last, Nest has seen fit to enable Two-Factor Authentication (2FA) on its service. For devices that have such intimate access to your home and lives, it’s long overdue. If you have a Nest product of any kind, TURN THIS FEATURE ON NOW.
That being said, this implementation, which involves sending you a text message code that you use to log in to the app after your normal password verification, isn’t the most secure, since SMS messages can be intercepted. I hate when people describe security measures as “better than nothing”, but there you go.
Also, while this will protect your data from leaking from the app (Nest had this problem last year but patched it), I’m not certain it actually will protect the devices themselves. Last year’s massive Internet of Things hack, which brought down many sites on the Internet, was achieved by breaching the security of individual devices. Don’t get me wrong, this is a good step for sure; I just think Nest and other IoT manufacturers need to go further.
I’ve tried to get comments from various home security vendors about ways to change device-level access permissions but have yet to receive a single response. Considering how many devices ship out with default logins like “admin/password”, it’s a little frightening.