23
Votes

Two-Factor Authentication (2FA) / Multi-Factor Authentication

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12
 
23
Votes

Two-Factor Authentication (2FA) / Multi-Factor Authentication

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Two-Factor Authentication (2FA) / Multi-Factor Authentication
Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 10:45:56 - last edited 2023-02-27 18:56:47
Model: Archer AX6000  
Hardware Version: V1
Firmware Version:

Let me share a recent experience I had just to maybe convince the urgency and importance of having a Multi-Factor Authentication feature, even if it's just Two-Factor Authentication (2FA), for Internet-enabled devices:

I'm an owner of a new TP-Link Archer AX6000 WiFi Router along with a couple of Tapo Smart Plugs.


Archer AX6000, Tapo P105 & 2 x P100:

 

I had to replace my battered Asus RT-AC68U as the main Router as it has already been showing some issues that cannot be fixed by any hard reset. Even one of our Smart TV suddenly started displaying random Chinese characters on its Youtube App's interface when plugged into the LAN Port of that Router. Anyhow, the RT-AC68U has served us for about 4 years and still continue to do so now as an isolated secondary Router for "R&D" purposes.

 

Our malware-infected Smart TV:

 

Aside from this, please know that our Internet Service Provider's (ISP) WAN IP still continually receives a barrage of DDOS attacks and Port Scans. Changing the Modem's configuration to "Bridge" mode and then replacing our old Router with something more modern seems to have temporarily fixed the slowdown and intermittent Internet connection. It looks like using the Archer AX6000, even with the missing DOS Protection feature, has somewhat helped alleviate the problem even if I can't see any attacks now in the router's System Log when compared to what was previously being shown in our ISP's Modem

 

Our ISP Modem's Old Log:

 

Furthermore, when I was trying to test these Tapo Smart Plugs using the Tapo App on my Mobile Phone, I received a strange email message from noreply@tp-link.com (see below). I'm not sure what this is about. I posted more info on this thread. I'm unsure whether this is related but I remember upon initially setting up the Archer AX6000, I noticed a record labeled as "UNKNOWN" with MAC Address of 00-00-00-00-00-00 as one of the connected devices. But upon utilizing the Address Reservation feature under DHCP Server, plus the Access Control, and IP & MAC Binding, I haven't seen that connection anymore. 

 

Strange Email Message from noreply@tp-link.com:

---

 

  

---

 

We've also noticed recently, we've been receiving an increased number of Phising messages in both Email and SMS format. Some shady folks must want to obtain the login access info of our bank accounts and other online service subscriptions. I actually just received a simple text message (see below) when writing this post. The indicated hyperlink will probably open up a web page that has a script which may steal a mobile phone's important data.

 

Phising SMS message:

 


Considering all of these stuff constantly happening to us daily and probably to a lot more people proves that we need increased security features and an enhanced protection from external digital threats. How can we trust using Internet-Of-Things (IOT) enabled devices if the CONs of using them outweigh the PROs? Right now, there seem to be more hassles than convenience. As ordinary consumers, we don't have a huge budget to afford enterprise-class solutions that some say are needed to totally take advantage of these IOT-enabled devices. We are not asking for the Moon. We just want to be able to continue working from home online at this time of the Pandemic without our Internet access being disturbed while retaining some measure of peace-of-mind that our privacy is still intact (or what's left of it). 

 

Anyhow, after fiddling around with the Archer AX6000's features. I just recently found out that the login access information for TP-Link products are shared across the Router, Tapo App, and the TP-Link.com website. For example, if you change your password in the website, it will replace all your passwords for your Router as well at the Tapo App installed on your mobile device. But the big glaring issue is: TP-Link DOES NOT use a Multi-Factor Authentication Login Security feature. Not even Two-Factor Authentication (2FA). There are just so many inventive ways someone can do to steal login access information but TP-Link still uses only one kind of protection which is quite ancient by today's standard: "create a stronger password". It might only take one (1) successful intrusion on either a connected device or the TP-Link Website and everything can be lost. I hope TP-Link realizes that this is a HUGE RISK not only for their customers but for their business as well.

 

Wyze Labs, Inc., known for their awesome budget-friendly wireless cameras (Wyze Cam's hardware design based on a Chinese-made Xiaomi camera), have already implemented 2FA I think just this year after a long wait by the community. It's great that it supports Google Authenticator similar to most popular software and sites (e.g. Facebook, Mozilla Firefox, Amazon, etc.). Wyze Labs don't offer Wireless Routers but they do sell Smart Plugs... which does not support 220v. Thus I went with TP-Link for now even if I prefer using only one ecosystem / brand for familiarity and to lessen complexity. If the majority of consumers will also think the same way, it means this industry is a race. Tech companies who can provide a more complete set of secure and competitive solutions at the proper time will achieve the best "harvest". If Wyze Labs was able to use 2FA on a Chinese-designed IP Camera, I'm sure TP-Link can also do it on their products/system.

 

TP-Link, please implement a stronger security login on your online system soon even if it's just Two-Factor Authentication (2FA) for the time being. Thank you.

#1
Options
20 Reply
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 14:47:27
As a user of the older Archer C8 and a RE220, I have kept abreast of the enhancements made to routers and see the trend to web/cloud based control of the router. When it becomes time to upgrade, I will not choose a web/cloud based controlled router unless I can be assured it has the strongest security possible. 2FA is one step in that direction.
#2
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 17:05:42 - last edited 2020-10-08 17:05:58

@RendCycle 

 

Thank you for the thorough information you presented.

 

We have previously informed our developers of feedback regarding two-factor authentication, and we will reference this thread as well.

#3
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-02-19 14:50:46
I loved kasaa up until last night where two sets of bulbs turned on at odd hours. I changed my password and began looking for MFA and 2A only to find multiple post dating from 2019 that you still don't support authentication!?!? I'm pleased to see the OP is also a fan of Wyze which use 2A, house well manufactured products at a fraction of the price. I think it's clear your devs don't want future business or are completely arrogant to the concerns users. I'll be definitely switching to Wyze products going forward.
#5
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-02-20 23:09:40

I also think this is a massive security threat to omit any form of Two-Step Verification.

Many users will be using weak passwords for the TP-Link cloud login that they use to manage various devices.

Futhermore there seems no way to isolate certain devices on the same network from talking to each other... Deco units/Kasa/tapo devices.

#6
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-04-12 15:36:20

@MrLove 

Hi, I have to open some of my network ports to the public internet.

And I can see that there are several external IPs trying to login to my NAS and failed, it is around 500 to 2000 times per days.

I can be at peace of mind knowing that I have 2FA enabled.

 

But my bigger concern is that if the attackers start to brute force or dictionary attack the AX6000 router.

I would not know if they will succeed? And what might happen?

So, please make sure that your Dev team is aware of how important 2FA is nowadays.

And put it in your product firmware roadmap.

Thanks.

#7
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-07-12 09:30:23

@RendCycle It's unbelievable that almost a year later MFA still isn't an option.  I just bought a Tapo camera and I'm very disappointed that this fundamental security feature isn't in place. I won't be buying any more devices until it is.  Here's what Microsoft said about MFA 2 years ago:

https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/

#8
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-11-03 11:44:50

Just like WTFnoMFA, I am very surprised that the MFA is still not available for our TP-Link devices, especially on sensitive equipment concerning privacy.

Please plan this integration as a priority, because we can't really use your equipment with such a lack of security.

 

 

 

#9
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2022-03-10 10:11:40

  @RendCycle 

My Internet Service Provider's (ISP) WAN IP continually receives a lot of DDOS attacks and Port Scans from malware producers. Recently a hacker team called Deadbolt hacked my NAS and encrypted all data. This was done behind a TP Link "firewall" /Secure Shield. 
Now I have bought a brand new router and I find out that not even this new TP Link router has two factor identification!!!

 

It does not feel safe at all!

 

I definitely need two factor identification. 


How can I do this? Do I have to buy another SAFE router from another brand or does TP Link have a solution?

#10
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2022-03-29 18:48:02

  @KMTP 

 

Two-Factor Authentication (2FA) is a more secure log in method.  But it is mostly used for loging into accounts on publicly accessible sites and services, such as a bank's website or a E-Com retailer.  I am not aware of a manufacturer who has yet included 2FA into a router's log in.  This is because a router's admin page is typically only acessible via local access.  Meaning you would need to be wired or connected to the router's wireless network.  Really the only exception to this is if your router's is configured for remote access or for cloud access.  In these cases 2FA could be helpful but a brute force hack will not prevented as these types of attacks are desinged to break a networks security. 

 

The 2FA we are considering is for logging into services such as the Community and our warranty portal.  I haven't heard any conversations about adding this to routers but I will bring it to the team.  

#11
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2022-03-30 11:18:27

  Hello @Carl 

 

Adding MFA only on the community and warranty portals is not the most important thing in my opinion.


The priority should be to secure publicly accessible TP-Link equipments like security cameras.


I tested 2 TP-Link cameras a while ago and the login method from the outside is a single password actually.
I did not try to brute force on it, but I am almost sure that there is no security like notifications of connection attempts or even 'fail2ban' type blocking on this equipment.


This is not about securing an account on a warranty portal but about compromising the privacy of your customers if such a device were to be compromised.

 

 

Regards,

#12
Options