Security Concern - TPLink / Tapo/ Community Forum Logins & 2FA

Thursday - last edited 5 hours ago

I raised this within another thread on the Deco section as a side issue on another problem. I feel it warrants a proper thread and also some serious attention.

 

I have a mixed setup of Tapo Cameras and TPLink Deco stations. I also use this community forum. I started off with a TPLink account for administering an old router and using the community. Later I got Tapo cameras which then used the same account.

 

The single ID I have seems to be shared across ALL these areas, automatically, without the ability to separate them?

 

However there is a security concern I have re this that I feel needs looking at as a matter of urgency.

 

If I use the Tapo or TPLink iOS apps then I need to supply an ID and password and approve my iOS device as a trusted one to use it going forward.

 

I have enabled 2FA for the ID and this is via an in-app approval.

 

HOWEVER, if you log on to this community with the ID and password there is NO 2FA approval AND the forum User Profile allows password changes!

 

The general TPLink website login also does this but does not give the ability to change the password.

 

Given that the ID is shared across the Tapo and TPLink app plus this forum it seems incredibly worrying that if the password was compromised then simply using it to login to the community forum would give the ability to gain control of the ID with NO 2FA.

 

I appreciate that a new device cannot be approved easily and there is no access to Tapo footage or the Deco system via the internet but it's still a serious oversight.

 

It needs to be corrected so ANY login to ANY system using this primary ID is authenticated properly by 2FA.

 

I'd be very interested to know if anyone else shares my concerns or has any information to put my mind at ease.

 

Regards

Radar

1 Accepted Solution
Re: Security Concern - TPLink / Tapo/ Community Forum Logins & 2FA - Solution
5 hours ago - last edited 5 hours ago

Hello @Radar68 

 

Thank you very much for posting on the TP-Link Community. We appreciate and value having security concerns brought to our attention.

 

All TP-Link platforms are linked to a single TP-Link account system. However, you also have the option to create separate cloud accounts for different platforms or apps if you prefer. For instance, you could use one account for your Tapo devices, another for your Deco system, and a third for the Community.

 

Regarding your question about Community account security: the system now supports 2FA. If you click "Forgot Password," a verification email will be sent to your registered email address. The password can only be changed after accessing that email and completing verification. This ensures that only the owner of the email account can modify the password. No one else will be able to modify the login credentials unless you explicitly share access.

 

To further protect your account, we recommend creating a strong password that includes a combination of letters, numbers, and special characters. Please also avoid sharing your password with anyone you do not fully trust.

Re: Security Concern - TPLink / Tapo/ Community Forum Logins & 2FA
4 hours ago - last edited 4 hours ago

@Kevin_Z

 

Thank you for the reply. 
 

I am aware that separate accounts can be used but that's a little late for those of us who use a single account. 
 

I started with a TPLink router and when I brought my Tapo cameras online and joined the forums I was advised to use my existing account. Which I did and I now find myself in this position. 
 

Also the 2FA to which you refer is not authentication. It's standard practice for forgotten password.
 

What I'm talking about is 2FA for logins. If my account password were compromised anyone could simply login to the support community forum with that password and change the password. This gives control of my account and thus my Deco and Tapo camera account.
 

It is simply unacceptable that the community forum allows logins without 2FA when it's enabled in the account and worse than that it then allows the password to be changed with no checks whatsoever. The first you'd be aware someone has access to the account and changed the password is when the email arrives saying the password has been changed.

 

Why bother with 2FA in the apps along with device approval when simply using the forum login bypasses all that if the password is compromised?
 

You have to implement proper 2FA at the community forum login for those of us using a single account. OK it takes the password being compromised to compromise the account but the purpose of 2FA is to make this situation irrelevant. Get the password but 2FA stops things from there. 
 

Please escalate this. It's vitally important. 
 

Also if there is a way to separate the forum account from the Deco and Tapo login then please advise. At least that would mitigate the problem. Unless of course one account gives you access across all systems regardless of whether you want to or not.
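The gap described in the opening post and in the reply above (one identity, 2FA demanded only by some clients, and a password change reachable from the client that does not demand it) comes down to where the second-factor decision lives. As an added Python example, not code from this thread or from TP-Link, here is a constructed model showing the per-client policy beside a centralised one that also requires a fresh second factor before a password change; the client names and the 300-second step-up window are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of one identity shared by several login surfaces
# ("tapo_app", "deco_app", "community_forum"); not TP-Link's code.
STEP_UP_WINDOW = 300  # assumed: seconds a second-factor check stays fresh
MFA_CLIENTS_FLAWED = {"tapo_app", "deco_app"}  # community_forum missing

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def make_account(pw, mfa_enabled):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_pw(pw, salt), "mfa": mfa_enabled}

def verify_pw(acct, pw):
    return hmac.compare_digest(hash_pw(pw, acct["salt"]), acct["hash"])

# Flawed policy: each client decides whether to demand the second
# factor, so the one client that omits it exposes the whole identity.
def login_flawed(acct, client, pw, mfa_ok, now):
    if not verify_pw(acct, pw):
        return None
    if acct["mfa"] and client in MFA_CLIENTS_FLAWED and not mfa_ok:
        return None
    return {"client": client, "mfa_at": now if mfa_ok else None}

# Hardened policy: the account service applies one rule to every client,
# and changing the password needs a recent second-factor step-up.
def login(acct, client, pw, mfa_ok, now):
    if not verify_pw(acct, pw):
        return None
    if acct["mfa"] and not mfa_ok:  # no per-client exemptions
        return None
    return {"client": client, "mfa_at": now if mfa_ok else None}

def change_password(acct, session, old_pw, new_pw, now):
    if session is None or not verify_pw(acct, old_pw):
        return False
    mfa_at = session["mfa_at"]
    if acct["mfa"] and (mfa_at is None or now - mfa_at > STEP_UP_WINDOW):
        return False
    acct["salt"] = os.urandom(16)
    acct["hash"] = hash_pw(new_pw, acct["salt"])
    return True
```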

Re: Security Concern - TPLink / Tapo/ Community Forum Logins & 2FA
4 hours ago

@Kevin_Z

UPDATE

 

I now notice that the change password option has changed on the community forum when you are logged in and it now emails a reset link. Like you're referring to in the forgotten password area. 
 

This minimises a compromised system having a password reset but you must implement 2FA at LOGIN as well. 
 

Regards 

Radar
