Starting this spring, Google will require all Nest users who have not enrolled in two-factor authentication or migrated to a Google account to take an extra step by verifying their identity via email.
Two-factor authentication has long been available to all users as a way to prevent the wrong person from gaining access to a user's account. As part of the new security measure, when a new login to your account is initiated, you’ll receive an email from firstname.lastname@example.org with a six-digit verification code. That code will be used to make sure it’s you trying to log in. Without it, you won’t be able to access your account. This will reduce the likelihood of an unauthorized person gaining access to your Nest account.
Automated attacks like credential stuffing are becoming more common. That’s when stolen information, like email addresses and passwords used on other websites, is repurposed to gain unauthorized access to an account or device. Google accounts come with added protection against this, and now Google is addressing this issue for those who haven’t migrated to Google accounts. Earlier this year Google began applying a Google Cloud security technology called reCAPTCHA Enterprise to Nest accounts, which detects when an automated attack is attempted and reduces the likelihood of it being successful. This safeguard is already active and you didn’t have to do anything to enable it.
Knowing when someone has logged into your account can be all it takes to spot something potentially suspicious. Back in December Google rolled out login notifications to Nest accounts, so every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.
Here are some additional protections that Google has been using for a while to help keep your account secure:
- When you supply a password for your Nest account, Google checks to see if that password was potentially exposed in previously-known credential breaches outside of Google.
- Google resets accounts when it detects suspicious activity.
- Google uses automatic updates, doesn’t allow default or easy-to-guess device passwords, and uses verified boot, which prevents your devices from running malicious code.
And finally, Google suggests everyone keep these best practices in mind for their Google Nest devices:
- Migrate to a Google account. In addition to security features, Nest and Google product integrations will be streamlined and work together. For example, if you have a Nest Thermostat and a Google Home, just say, “Ok Google, make it warmer.”
- Enable two-factor authentication whenever possible. Millions have enabled this feature on their Nest accounts.
- If you have multiple people in your non-migrated Nest household who need access to your Nest devices, create a Family account so you don't need to share your personal credentials with anyone. Remind them to sign up for two-factor authentication, too.
- Use unique passwords for every account, change them occasionally and ask people you've added to your devices to do the same.
- Rather than memorizing your passwords, use a password manager, like the one offered in the Chrome browser. Password managers store your passwords securely and some even generate complicated passwords for you.
- Check on whether your passwords or accounts have been compromised using the new tool offered by Chrome; another great tool is haveibeenpwned.com.
- Avoid clicking on suspicious-looking emails and never provide personal information in response to them.