Let me share a recent experience I had, just to maybe convince you of the urgency and importance of having a Multi-Factor Authentication feature, even if it's just Two-Factor Authentication (2FA), for Internet-enabled devices:
I'm an owner of a new TP-Link Archer AX6000 WiFi Router along with a couple of Tapo Smart Plugs.
Archer AX6000, Tapo P105 & 2 x P100:
I had to replace my battered Asus RT-AC68U as the main Router as it has already been showing some issues that cannot be fixed by any hard reset. Even one of our Smart TVs suddenly started displaying random Chinese characters on its YouTube App's interface when plugged into the LAN Port of that Router. Anyhow, the RT-AC68U has served us for about 4 years and still continues to do so now as an isolated secondary Router for "R&D" purposes.
Our malware-infected Smart TV:
Aside from this, please know that our Internet Service Provider's (ISP) WAN IP still continually receives a barrage of DDoS attacks and Port Scans. Changing the Modem's configuration to "Bridge" mode and then replacing our old Router with something more modern seems to have temporarily fixed the slowdown and intermittent Internet connection. It looks like using the Archer AX6000, even with the missing DoS Protection feature, has somewhat helped alleviate the problem even if I can't see any attacks now in the router's System Log when compared to what was previously being shown in our ISP's Modem.
Our ISP Modem's Old Log:
Furthermore, when I was trying to test these Tapo Smart Plugs using the Tapo App on my Mobile Phone, I received a strange email message from email@example.com (see below). I'm not sure what this is about. I posted more info on this thread. I'm unsure whether this is related but I remember upon initially setting up the Archer AX6000, I noticed a record labeled as "UNKNOWN" with MAC Address of 00-00-00-00-00-00 as one of the connected devices. But upon utilizing the Address Reservation feature under DHCP Server, plus the Access Control, and IP & MAC Binding, I haven't seen that connection anymore.
Strange Email Message from firstname.lastname@example.org:
We've also noticed recently that we've been receiving an increased number of Phishing messages in both Email and SMS format. Some shady folks must want to obtain the login access info of our bank accounts and other online service subscriptions. I actually just received a simple text message (see below) when writing this post. The indicated hyperlink will probably open up a web page that has a script which may steal a mobile phone's important data.
Phishing SMS message:
All of this stuff constantly happening to us daily, and probably to a lot more people, proves that we need increased security features and enhanced protection from external digital threats. How can we trust using Internet-of-Things (IoT) enabled devices if the CONs of using them outweigh the PROs? Right now, there seem to be more hassles than convenience. As ordinary consumers, we don't have a huge budget to afford enterprise-class solutions that some say are needed to totally take advantage of these IoT-enabled devices. We are not asking for the Moon. We just want to be able to continue working from home online at this time of the Pandemic without our Internet access being disturbed while retaining some measure of peace-of-mind that our privacy is still intact (or what's left of it).
Anyhow, after fiddling around with the Archer AX6000's features, I just recently found out that the login access information for TP-Link products is shared across the Router, Tapo App, and the TP-Link.com website. For example, if you change your password on the website, it will replace all your passwords for your Router as well as the Tapo App installed on your mobile device. But the big glaring issue is: TP-Link DOES NOT use a Multi-Factor Authentication Login Security feature. Not even Two-Factor Authentication (2FA). There are just so many inventive ways someone can steal login access information but TP-Link still uses only one kind of protection which is quite ancient by today's standards: "create a stronger password". It might only take one (1) successful intrusion on either a connected device or the TP-Link Website and everything can be lost. I hope TP-Link realizes that this is a HUGE RISK not only for their customers but for their business as well.
Wyze Labs, Inc., known for their awesome budget-friendly wireless cameras (Wyze Cam's hardware design based on a Chinese-made Xiaomi camera), have already implemented 2FA, I think just this year, after a long wait by the community. It's great that it supports Google Authenticator similar to most popular software and sites (e.g. Facebook, Mozilla Firefox, Amazon, etc.). Wyze Labs don't offer Wireless Routers but they do sell Smart Plugs... which do not support 220V. Thus I went with TP-Link for now even if I prefer using only one ecosystem / brand for familiarity and to lessen complexity. If the majority of consumers also think the same way, it means this industry is a race. Tech companies who can provide a more complete set of secure and competitive solutions at the proper time will achieve the best "harvest". If Wyze Labs was able to use 2FA on a Chinese-designed IP Camera, I'm sure TP-Link can also do it on their products/system.
TP-Link, please implement a stronger security login on your online system soon even if it's just Two-Factor Authentication (2FA) for the time being. Thank you.