
Multi-factor auth

mikehmb

Ok, through a series of questionable life and career decisions, I'm a security person, by choice. You can decide if it was a good or bad choice, but I have less hair and a twitch in my left eye after many years of this stuff.

I'm intrigued by MFA in the truck's new SW update. It's a clever implementation, and I'm sure it will prevent all sorts of bad behavior, theft, and bring peace of mind to the paranoid among us.

But ... has no one ever dealt with a lost or dead phone before? I carry a key card in my wallet (when I bring my wallet) for backup in the event phone goes missing.

What was wrong with PIN? I would really like that as an option, despite the obvious security shortcomings of a simple 4 or 6 digit code.

What's the backup retrieval / startup method if your phone is dead/gone?

 

portdirect

I’m inclined to agree, it seems like a reasonable (though gated) TOTP - but in a place no one really asked for one. I suspect they built it for fleet use, and ‘recycled’ it to make the claim of most secure system in a consumer vehicle. Thankfully you can turn it off, but I’d take a pin any day over this for most practical usage. Security is a balance between strength and usability - here they possibly went too far, which will result in a low uptake and hence not really improve the posture as much as it could have.

Re your questions, all I can offer is /shrug, doesn’t seem to be documented anywhere obvious (though I’ve not scoured for it).
 

VandalSibs

> I rarely carry my phone. Give me a key to start the car then. This is one of the dumbest things I have heard of. Will they buy my truck back.

Overreacting much? You don't have to use the feature.
 

COdogman

> Ok, through a series of questionable life and career decisions, I'm a security person, by choice. You can decide if it was a good or bad choice, but I have less hair and a twitch in my left eye after many years of this stuff.
>
> I'm intrigued by MFA in the truck's new SW update. It's a clever implementation, and I'm sure it will prevent all sorts of bad behavior, theft, and bring peace of mind to the paranoid among us.
>
> But ... has no one ever dealt with a lost or dead phone before? I carry a key card in my wallet (when I bring my wallet) for backup in the event phone goes missing.
>
> What was wrong with PIN? I would really like that as an option, despite the obvious security shortcomings of a simple 4 or 6 digit code.
>
> What's the backup retrieval / startup method if your phone is dead/gone?

I blame your kids and dog for the eye twitch. The hair is genetic!

I actually chose cybersecurity at middle age after years of being a business owner, so that is how crazy I am :CWL:

One thing I have learned so far is that tools and policies are useless if people won’t use them for whatever reason. I like what they are doing by offering TOTP but if no one adopts it, the PIN would be a nice backup to have.…
 


godfodder0901

> I blame your kids and dog for the eye twitch. The hair is genetic!
>
> I actually chose cybersecurity at middle age after years of being a business owner, so that is how crazy I am :CWL:
>
> One thing I have learned so far is that tools and policies are useless if people won’t use them for whatever reason. I like what they are doing by offering TOTP but if no one adopts it, the PIN would be a nice backup to have.…

Yep. Finding the balance between security and usability is an art.
 

ThumprMN

> I rarely carry my phone. Give me a key to start the car then. This is one of the dumbest things I have heard of. Will they buy my truck back.

I just called Rivian, they said they’ll trade you your truck for a 2002 Camry with an actual key and zero software updates. Win-win?

🛻 👍🏼
 

tate16t

The way Rivian implemented this definitely will not work. If you lose your phone, you’re shit out of luck. Even if you have your key card or keyfob, you’re still shit out of luck because you need your phone if you have MFD enabled.
 

ohseedee

Even worse, early Rivian owners remember when some server issue took out phone as a key for everyone for several hours. I was out of town and my card was left in the truck and couldn’t get in for hours. I’d rather risk someone hacking and stealing my car than get stranded by some MFA issue. I’ll pass.
 

Singletracker

Not everybody chooses to carry or has their phone with them, ALL the time. Count me as one of those people. I use the fob. However, I do have an Apple Watch, which I understand may do the trick. Even so, IMHO, Rivian way over thought this one, to the point that people probably won’t use it. They should have implemented a driver selected, reusable PIN, just like a phone. KISS
 


CANCERDOC

I thought the phone was the primary two factor but if the phone is not confirmed there was an option for an on screen code. I guess not?
 

Taco

Yep PIN to drive is the way for MFA.

Although I wouldn't be against using your phone as MFA for when you assign a PIN.

1st attempt, happy they have done something but hopefully the data says "a bit too much, let's make some adjustments"
 

godfodder0901

> I thought the phone was the primary two factor but if the phone is not confirmed there was an option for an on screen code. I guess not?

The phone or watch are the only options. You can input a TOTP instead of the push notification, but that code is generated in the Rivian app on your phone.
 

Tim-in-CA

> The way Rivian implemented this definitely will not work. If you lose your phone, you’re shit out of luck. Even if you have your key card or keyfob, you’re still shit out of luck because you need your phone if you have MFD enabled.

I wonder if customer service has the ability to remotely override for those that get into this situation?
 

dleepnw

MFA better be optional. Not sure how this is being implemented but I can see issues with this if we have problems with coverage, connectivity, software glitch, phone/watch dead/broken, etc.