Multi-factor authentication is becoming increasingly common across services online. As Tesla leverages their account portal to offer more services, like add digital keys to unlock your car, it’s important that your account is secure and Tesla follow the industry’s best practice.
Today users online started reporting their Tesla account page was showing a new option for MFA, however, selecting the option takes you to https://mfa.tesla.com that is not yet live.
Update
It looks like Tesla web developers may have gone a little early, as the MFA feature is now removed from the account page on the website. This would indicate a launch is close, but they’re not yet ready for it to go live. Just prior to the MFA link being removed, I was able to get one step further into the process.
Update 2
I managed to access Tesla’s support pages for MFA setup. Below are screenshots that list the process of configuring MFA against your Tesla account.
This strongly suggests Elon’s promise to add MFA support is about to become a reality. Once live, the feature will allow you to define a mobile number where SMS confirmations are sent, to validate the person authenticating is indeed you. Alternatively, Tesla will support authentication tokens, granted through apps like Microsoft Authenticator and Google Authenticator.
Back in August, Musk responded to question on Twitter chasing a progress update. Given we’re now seeing the feature show up in account pages, it looks like that post boosted the development priority and the Tesla team is about to deliver.
Enabling MFA is a great idea for all your accounts where the service offers it. Usernames and Passwords are increasingly being compromised through phishing attacks.
While it is strongly advised you don’t re-use passwords, we know humans often take the easy route and that means many do this, in an effort to avoid having yet another password to remember. This means if a service is hacked and your credentials are leaked online, one of the first things the attacker will do is try those credentials with other services.
With MFA enabled, even if an attacker had your username and password, they’d still need the final authentication piece. A login attempt would generate a request to your phone, either by the authentication app or by SMS. Without this code, they won’t get in.
At this point, it is worth highlighting that SMS intercept hacks in the past, however enabling MFA does significantly increases the complexity of compromising an account.
It’s also worth highlighting that securing your phone with a strong password, pin, pattern, fingerprint, or face unlock is also important to ensure only you are receiving and approving the MFA authentication request.
Given your online Tesla account also has your credit card details listed to enable Supercharging payments or purchases from the Store, or in-app purchases like vehicle upgrades, it makes sense Tesla secures this as much as possible.
