Under review

Streamlined sign-in from car (e.g. 4-digit PIN)

mkolowich 3 years ago updated by EDIflyer 4 weeks ago 9

This should probably wait until we see the browser revisions that are due in the next few weeks, but once the Tesla browser is revealed, it would be great to evolve to a simple PIN-based approach to signing in to TeslaFi from the car.

How this works will depend on: whether the new browser supports cookies; whether the new browser is detectable as a Tesla browser; and whether there is a way to detect that a specific vehicle is accessing TeslaFi.

But the closer we can get to "enter a 4-digit PIN" on sign-ins subsequent to the first from the car, the better

    Or even not having to enter a PIN at all (well, an option once a cookie is set) - in many cases it'll only be the owner likely to attempt to access anyway.


    agree with this except cookies don't work in the car as far as I understand from one of the developers.


    Another app has come up with an elegant solution to this.  A signed-in user has the option to generate a URL that has a secret authentication token built into the URL as a parameter, and then bookmarks that parameterized URL rather than the general Teslafi.com URL in the car browser.  This way, whenever that bookmark is accessed in the car, Teslafi is launched and logged in.

    I'd love to see Teslafi implement this method before Autopilot drives me into a tree while I'm entering my username and password!

    Under review

    This seems like a pretty big security risk to login to your full account based on accessing with a url.  Do they have a special page that comes up when accessing directly from the url?  For example a page that doesn't allow for editing, controls and etc?


    I agree with James that it can be a security risk to just have a secret token on a URL if it gets into unauthorized hands. 

    One method done with mobile logins on a project I worked on:

    A token as mk mentions above is tagged onto the end of the url.  In this case it could be as simple as the last few digits of the car identifier.  The customer stores the URL in their favorites in the mobile device.  In this case, the Tesla's browser.  When the url is accessed, it sends a 4 digit code to the user's cell phone for them to enter on the web site.   It's not as easy as just clicking on a cryptic URL, yet still easier and faster than entering a username and password.

    Separately, I have also seen Samsung and a couple other companies use that idea to connect a smart phone to a TV for streaming.  A couple financial sites also use this method.

    At home I use a password manager program to just click on an icon and automatically login to TeslaFi, but as far as I know, there is no such thing for the Tesla browser to make logins easy.


    While on this subject, I thought I would add that one of my friends at Tesla said the Tesla browser has a unique browser signature, thus web sites can determine the browser type and realize the request is coming from a Tesla as opposed to maybe a computer browser or smart phone.   Maybe that helps with coding or maybe it doesn't.   I do agree this would be nice to have a more streamlined way of logging in from the car.  If anyone can figure this out, it will be James.   From what I see here, he is one really smart web dude!


    Problem is that the server can never be sure of the source. Identifying the browser is only good for "knowing" what capabilities that browser can support, you can't use it to ensure it's a Tesla. Browser ID can easily be spoofed. Combine this with an actual security solution maybe, but not just this.


    My 2 cents:

    Create a page which my be accessed while not logged in for external logging in. Let me explain how that can work.

    While not logged in on Tesla browser: link_session.php

    Let's say you put this page in your Tesla browser favorites and click on it. You see nothing but a large QRCode with a 4 to 6 character easy to read code and maybe a short paragraph explaining how to use this feature, few simple links to home, FAQ, legal disclaimers, etc. and logo. In the background, it's waiting for you to authenticate from another device. This QRCode is a URL which includes this single use code seen on the screen.

    While logged in on smartphone: link_session.php?verify=X3JU

    So, you are logged in already on your smartphone. You open your camera app and hold it up to the QRCode, which directs your phone to a page which now verifies your login from your smartphone and ties it to the session which generated the code. If you aren't logged in on your smartphone, you will be prompted for a login just as you would be normally before it verifies. Congrats! TeslaFi now knows both the Tesla browser and your smartphone belong to the same user and logs you in on your Tesla. This should only take mere seconds to log in using this method.

    If for some reason you can not get the URL from the QRCode, simply go to a page once logged in on your smartphone where you may enter the code clearly displayed in your Tesla browser.

    The code can expire after a short time, but it's not very necessary as the code has no association with any account until it has been verified anyway. Just allow a period of time since last verification attempt before a code may be reused. If someone keeps hitting an expired or otherwise invalid verification code, you wouldn't want to issue it to anyone unless it's been a considerable amount of time since the last attempt. Even this may not be necessary.

    I hope I explained this well.

    Yep, this is how lots of services on Smart TVs link to existing accounts, by displaying a confirmation code on screen. Key thing is to minimise the amount of typing required on the 'big screen' (in this case the Tesla browser)