Two-Factor Authentication (2FA) / Multi-Factor Authentication

Two-Factor Authentication (2FA) / Multi-Factor Authentication
Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 10:45:56 - last edited 2020-10-08 13:33:57
Hardware Version: V1
Firmware Version:

Let me share a recent experience I had just to maybe convince the urgency and importance of having a Multi-Factor Authentication feature, even if it's just Two-Factor Authentication (2FA), for Internet-enabled devices:

I'm an owner of a new TP-Link Archer AX6000 WiFi Router along with a couple of Tapo Smart Plugs.


Archer AX6000, Tapo P105 & 2 x P100:

 

I had to replace my battered Asus RT-AC68U as the main Router as it has already been showing some issues that cannot be fixed by any hard reset. Even one of our Smart TV suddenly started displaying random Chinese characters on its Youtube App's interface when plugged into the LAN Port of that Router. Anyhow, the RT-AC68U has served us for about 4 years and still continue to do so now as an isolated secondary Router for "R&D" purposes.

 

Our malware-infected Smart TV:

 

Aside from this, please know that our Internet Service Provider's (ISP) WAN IP still continually receives a barrage of DDOS attacks and Port Scans. Changing the Modem's configuration to "Bridge" mode and then replacing our old Router with something more modern seems to have temporarily fixed the slowdown and intermittent Internet connection. It looks like using the Archer AX6000, even with the missing DOS Protection feature, has somewhat helped alleviate the problem even if I can't see any attacks now in the router's System Log when compared to what was previously being shown in our ISP's Modem

 

Our ISP Modem's Old Log:

 

Furthermore, when I was trying to test these Tapo Smart Plugs using the Tapo App on my Mobile Phone, I received a strange email message from noreply@tp-link.com (see below). I'm not sure what this is about. I posted more info on this thread. I'm unsure whether this is related but I remember upon initially setting up the Archer AX6000, I noticed a record labeled as "UNKNOWN" with MAC Address of 00-00-00-00-00-00 as one of the connected devices. But upon utilizing the Address Reservation feature under DHCP Server, plus the Access Control, and IP & MAC Binding, I haven't seen that connection anymore. 

 

Strange Email Message from noreply@tp-link.com:

---

 

  

---

 

We've also noticed recently, we've been receiving an increased number of Phising messages in both Email and SMS format. Some shady folks must want to obtain the login access info of our bank accounts and other online service subscriptions. I actually just received a simple text message (see below) when writing this post. The indicated hyperlink will probably open up a web page that has a script which may steal a mobile phone's important data.

 

Phising SMS message:

 


Considering all of these stuff constantly happening to us daily and probably to a lot more people proves that we need increased security features and an enhanced protection from external digital threats. How can we trust using Internet-Of-Things (IOT) enabled devices if the CONs of using them outweigh the PROs? Right now, there seem to be more hassles than convenience. As ordinary consumers, we don't have a huge budget to afford enterprise-class solutions that some say are needed to totally take advantage of these IOT-enabled devices. We are not asking for the Moon. We just want to be able to continue working from home online at this time of the Pandemic without our Internet access being disturbed while retaining some measure of peace-of-mind that our privacy is still intact (or what's left of it). 

 

Anyhow, after fiddling around with the Archer AX6000's features. I just recently found out that the login access information for TP-Link products are shared across the Router, Tapo App, and the TP-Link.com website. For example, if you change your password in the website, it will replace all your passwords for your Router as well at the Tapo App installed on your mobile device. But the big glaring issue is: TP-Link DOES NOT use a Multi-Factor Authentication Login Security feature. Not even Two-Factor Authentication (2FA). There are just so many inventive ways someone can do to steal login access information but TP-Link still uses only one kind of protection which is quite ancient by today's standard: "create a stronger password". It might only take one (1) successful intrusion on either a connected device or the TP-Link Website and everything can be lost. I hope TP-Link realizes that this is a HUGE RISK not only for their customers but for their business as well.

 

Wyze Labs, Inc., known for their awesome budget-friendly wireless cameras (Wyze Cam's hardware design based on a Chinese-made Xiaomi camera), have already implemented 2FA I think just this year after a long wait by the community. It's great that it supports Google Authenticator similar to most popular software and sites (e.g. Facebook, Mozilla Firefox, Amazon, etc.). Wyze Labs don't offer Wireless Routers but they do sell Smart Plugs... which does not support 220v. Thus I went with TP-Link for now even if I prefer using only one ecosystem / brand for familiarity and to lessen complexity. If the majority of consumers will also think the same way, it means this industry is a race. Tech companies who can provide a more complete set of secure and competitive solutions at the proper time will achieve the best "harvest". If Wyze Labs was able to use 2FA on a Chinese-designed IP Camera, I'm sure TP-Link can also do it on their products/system.

 

TP-Link, please implement a stronger security login on your online system soon even if it's just Two-Factor Authentication (2FA) for the time being. Thank you.

7
7
#1
Options
5 Replies
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 14:47:27
As a user of the older Archer C8 and a RE220, I have kept abreast of the enhancements made to routers and see the trend to web/cloud based control of the router. When it becomes time to upgrade, I will not choose a web/cloud based controlled router unless I can be assured it has the strongest security possible. 2FA is one step in that direction.
3
3
#2
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2020-10-08 17:05:42 - last edited 2020-10-08 17:05:58

@RendCycle 

 

Thank you for the thorough information you presented.

 

We have previously informed our developers of feedback regarding two-factor authentication, and we will reference this thread as well.

2
2
#3
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-02-19 14:50:46
I loved kasaa up until last night where two sets of bulbs turned on at odd hours. I changed my password and began looking for MFA and 2A only to find multiple post dating from 2019 that you still don't support authentication!?!? I'm pleased to see the OP is also a fan of Wyze which use 2A, house well manufactured products at a fraction of the price. I think it's clear your devs don't want future business or are completely arrogant to the concerns users. I'll be definitely switching to Wyze products going forward.
0
0
#5
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-02-20 23:09:40

I also think this is a massive security threat to omit any form of Two-Step Verification.

Many users will be using weak passwords for the TP-Link cloud login that they use to manage various devices.

Futhermore there seems no way to isolate certain devices on the same network from talking to each other... Deco units/Kasa/tapo devices.

2
2
#6
Options
Re:Two-Factor Authentication (2FA) / Multi-Factor Authentication
2021-04-12 15:36:20

@MrLove 

Hi, I have to open some of my network ports to the public internet.

And I can see that there are several external IPs trying to login to my NAS and failed, it is around 500 to 2000 times per days.

I can be at peace of mind knowing that I have 2FA enabled.

 

But my bigger concern is that if the attackers start to brute force or dictionary attack the AX6000 router.

I would not know if they will succeed? And what might happen?

So, please make sure that your Dev team is aware of how important 2FA is nowadays.

And put it in your product firmware roadmap.

Thanks.

2
2
#7
Options