Privacy and security are foundational to Nest’s mission to create a more helpful home. When you invite our products into your home, you trust us to help you solve everyday problems—whether that’s saving on your monthly energy bills, keeping an eye on things when you’re away or helping you with life’s little challenges. You want to feel safe in your home, and making sure our devices add to that sense of security is a responsibility we take very seriously.
We’re always exploring how to protect your privacy and security while also giving you control over the ease of access to your account and what you share. After all, devices like cameras and smoke alarms are essential in emergencies. However, an extra layer of defense gives you more control over your home devices in the long run by making sure only trusted people and devices can use them.
The best way to do this is by migrating to a Google account, which comes with lots of added benefits, including security protections like suspicious activity detection and Security Checkup. But for those who haven’t migrated yet, here are some new measures we’ve put in place to invest in keeping your Nest account secure.
An extra layer of protection
Two-factor authentication has long been available to all users as a way to prevent the wrong person from gaining access to your account, even if they have your username and password. Starting this spring, we’re requiring all Nest users who have not enrolled in this option or migrated to a Google account to take an extra step by verifying their identity via email. When a new login into your account is initiated, you’ll receive an email from firstname.lastname@example.org with a six-digit verification code. That code will be used to make sure it’s you trying to login. Without it, you won’t be able to access your account. This will greatly reduce the likelihood of an unauthorized person gaining access to your Nest account.
Safeguarding from automated attacks
Automated attacks like credential stuffing are becoming more common. That’s when stolen information like email addresses and passwords used on other websites are repurposed to gain unauthorized access to an account or device. Google accounts come with added protection against this, and now we’re addressing this issue for those who haven’t migrated to Google accounts. Earlier this year we began applying a Google Cloud security technology called reCAPTCHA Enterprise to Nest accounts, which detects when an automated attack is attempted and reduces the likelihood of it being successful. This safeguard is already active and you didn’t have to do anything to enable it.
Know who and when someone logs into your account
Knowing when someone has logged into your account can be all it takes to spot something potentially suspicious. Back in December we rolled out login notifications to Nest accounts, so every time someone on your account logs in you’ll receive an email notification. That way if it wasn’t you, you can take action immediately.
Here are some additional protections that we’ve been using for a while to help keep your account secure:
When you supply a password for your Nest account, we check to see if that password was potentially exposed in previously-known credential breaches outside of Google.
We proactively reset accounts when we detect suspicious activity.
We use automatic updates, don’t allow default or easy-to-guess device passwords and verified boot, which prevents your devices from running malicious code.
And finally, we suggest everyone keep these best practices in mind for their Google Nest devices:
Migrate to a Google account. In addition to security features, Nest and Google product integrations will be streamlined and work together to create seamless experiences. For example, if you have a Nest Thermostat and a Google Home, just say, “Ok Google, make it warmer.”
Enable two-factor authentication whenever possible. Millions have enabled this feature on their Nest accounts.
If you have multiple people in your non-migrated Nest household who need access to your Nest devices, create a Family account so you don’t need to share your personal credentials with anyone. Remind them to sign up for two-factor authentication, too.
Use unique passwords for every account, change them occasionally and ask people you’ve added to your devices to do the same.
Rather than memorizing your passwords, use a password manager, like the one offered in the Chrome browser. Password managers store your passwords securely and some even generate complicated passwords for you.
Avoid clicking on suspicious-looking emails and never provide personal information in response to them.
On Safer Internet Day and every day, we’ll continue to work hard to improve our devices and protect our users.