by 58028641 1094 days ago
Why couldn’t it be authorized by the owner of the car?

It sounds like the actual software that facilitates giving third parties access to remotely access car diagnostics can't be run by the car manufacturer. So while they likely envision the user controlling the authorization for their car, my point is that this third party likely has little reason or obligation to safeguard access and authorization to this data and ensure only the user can authorize access to their car.

If the automaker themselves ran the software for this, they have a financial stake to make sure it's done right, since "Hyundais being remotely controlled due to bad Hyundai 2FA" is not a good headline. But with a third party, it'll have to be a de facto monopoly over access to a manufacturer's cars, so once they have the contract and are years after the initial rollout, they might cut costs and leave the authorization/authentication system to rot, or have support agents incorrectly "recovering" user accounts for themselves or being phished into doing so.