MFA before unlock?!

[ozziegt]

Like many other posters, this has been my favorite car by far. But this problem, if it's not fixable, is a "never again" moment for me. We can't depend on a phone as a key if it doesn't behave with the same immediacy in the event of an emergency.

The proximity key would have still worked. It was just the remote functions in the app which were locked out.

Sponsored

 

[Brian A]

You might have a phone issue - I can lock/unlock directly from widget

I don't have any issues and use my phone all the time to lock/unlock/drive my '24 R1T. I have a Samsung S24 ultra so maybe Android has less issues with the app than Apple. If it matters, I'm over 50. I love the idea of using my phone to operate my truck. I do keep the card in my wallet just in case but so far no issues. It is so nice not having to carry around a fob (something extra in the pocket).

 

[cjust2006]

Very odd scenario...

You're upset that someone without their own key can't get into your car quickly? And you view that as a liability? The fact that we can open the car from the other side of the world is amazing.

I've also had the app ask me to log in for app-based features, but the PaaK still worked the whole time.

 

[Zoidz]

So true. I am 47. But I'm also a test pilot and have been for 20 years. But what do old folks like me know about safety tech.

Last time I bring a concern up here. Good luck gents.

Remote unlocking via the app is not intended by Rivian as "safety tech". Properly designed safety tech should never rely on, or be expected of, round trip public internet communications.

 

[SANZC02]

From the source

How long will two-factor authentication allow me to stay logged in?
Authorization to your Rivian web account is 1 hour by default. If you’re on a trusted device, you can extend the authorization to last 30 days.

Authorization in the Rivian app lasts 6 months. If your session expires, you’ll still be able to lock, unlock and drive your vehicle with your phone until your next log in attempt.

 

[SANZC02]

In my professional opinion, MFA should never be tied to SMS. E-mail is the better of the two options from a security standpoint.

Curious why you think this?

My take is although SMS messages are hackable E-mail is as well and there is a direct association to my email and Rivian account because the login ID is my email account. There is no way for them to directly know my phone number when trying to login into my account. I do consider the risk of SMS authentication much higher on accounts using my phone number to login.

 

[godfodder0901]

Curious why you think this?

My take is although SMS messages are hackable E-mail is as well and there is a direct association to my email and Rivian account because the login ID is my email account. There is no way for them to directly know my phone number when trying to login into my account. I do consider the risk of SMS authentication much higher on accounts using my phone number to login.

Spoofing SMS is trivial and has widely known and public exploits. E-mail is vulnerable as well (as all services and protocols are) but breaching is much more technical. Plus, most reputable email service providers have strong MFA options (Yubi Key, TOTP, passkey, etc...) and you can self-host email. SMS MFA provides very little added security.

 

[defcon888]

There was an email a few months ago that said that you need 2FA I believe it was every 90 days.

 

[Jnz]

I had to reauthenticate in the app once (in 2 1/2 years of owning my Rivian). It was also at an inconvenient time, but since it's a safety/security feature, I didn't think of it being a safety/security liability. As others have said, the easy solution if this is a major concern for you is to always have the fob or key card with you. When it happened to me, I actually had the key card in my wallet but forgot about it. Didn't remember until I had already gotten back into the app. Whelp.

Sponsored