Under Consideration Two-Factor Authentication (2FA) / Multi-Factor Authentication
Under Consideration Two-Factor Authentication (2FA) / Multi-Factor Authentication
Let me share a recent experience I had just to maybe convince the urgency and importance of having a Multi-Factor Authentication feature, even if it's just Two-Factor Authentication (2FA), for Internet-enabled devices:
I'm an owner of a new TP-Link Archer AX6000 WiFi Router along with a couple of Tapo Smart Plugs.
Archer AX6000, Tapo P105 & 2 x P100:
I had to replace my battered Asus RT-AC68U as the main Router as it has already been showing some issues that cannot be fixed by any hard reset. Even one of our Smart TV suddenly started displaying random Chinese characters on its Youtube App's interface when plugged into the LAN Port of that Router. Anyhow, the RT-AC68U has served us for about 4 years and still continue to do so now as an isolated secondary Router for "R&D" purposes.
Our malware-infected Smart TV:
Aside from this, please know that our Internet Service Provider's (ISP) WAN IP still continually receives a barrage of DDOS attacks and Port Scans. Changing the Modem's configuration to "Bridge" mode and then replacing our old Router with something more modern seems to have temporarily fixed the slowdown and intermittent Internet connection. It looks like using the Archer AX6000, even with the missing DOS Protection feature, has somewhat helped alleviate the problem even if I can't see any attacks now in the router's System Log when compared to what was previously being shown in our ISP's Modem.
Our ISP Modem's Old Log:
Furthermore, when I was trying to test these Tapo Smart Plugs using the Tapo App on my Mobile Phone, I received a strange email message from noreply@tp-link.com (see below). I'm not sure what this is about. I posted more info on this thread. I'm unsure whether this is related but I remember upon initially setting up the Archer AX6000, I noticed a record labeled as "UNKNOWN" with MAC Address of 00-00-00-00-00-00 as one of the connected devices. But upon utilizing the Address Reservation feature under DHCP Server, plus the Access Control, and IP & MAC Binding, I haven't seen that connection anymore.
Strange Email Message from noreply@tp-link.com:
---
---
We've also noticed recently, we've been receiving an increased number of Phising messages in both Email and SMS format. Some shady folks must want to obtain the login access info of our bank accounts and other online service subscriptions. I actually just received a simple text message (see below) when writing this post. The indicated hyperlink will probably open up a web page that has a script which may steal a mobile phone's important data.
Phising SMS message:
Considering all of these stuff constantly happening to us daily and probably to a lot more people proves that we need increased security features and an enhanced protection from external digital threats. How can we trust using Internet-Of-Things (IOT) enabled devices if the CONs of using them outweigh the PROs? Right now, there seem to be more hassles than convenience. As ordinary consumers, we don't have a huge budget to afford enterprise-class solutions that some say are needed to totally take advantage of these IOT-enabled devices. We are not asking for the Moon. We just want to be able to continue working from home online at this time of the Pandemic without our Internet access being disturbed while retaining some measure of peace-of-mind that our privacy is still intact (or what's left of it).
Anyhow, after fiddling around with the Archer AX6000's features. I just recently found out that the login access information for TP-Link products are shared across the Router, Tapo App, and the TP-Link.com website. For example, if you change your password in the website, it will replace all your passwords for your Router as well at the Tapo App installed on your mobile device. But the big glaring issue is: TP-Link DOES NOT use a Multi-Factor Authentication Login Security feature. Not even Two-Factor Authentication (2FA). There are just so many inventive ways someone can do to steal login access information but TP-Link still uses only one kind of protection which is quite ancient by today's standard: "create a stronger password". It might only take one (1) successful intrusion on either a connected device or the TP-Link Website and everything can be lost. I hope TP-Link realizes that this is a HUGE RISK not only for their customers but for their business as well.
Wyze Labs, Inc., known for their awesome budget-friendly wireless cameras (Wyze Cam's hardware design based on a Chinese-made Xiaomi camera), have already implemented 2FA I think just this year after a long wait by the community. It's great that it supports Google Authenticator similar to most popular software and sites (e.g. Facebook, Mozilla Firefox, Amazon, etc.). Wyze Labs don't offer Wireless Routers but they do sell Smart Plugs... which does not support 220v. Thus I went with TP-Link for now even if I prefer using only one ecosystem / brand for familiarity and to lessen complexity. If the majority of consumers will also think the same way, it means this industry is a race. Tech companies who can provide a more complete set of secure and competitive solutions at the proper time will achieve the best "harvest". If Wyze Labs was able to use 2FA on a Chinese-designed IP Camera, I'm sure TP-Link can also do it on their products/system.
TP-Link, please implement a stronger security login on your online system soon even if it's just Two-Factor Authentication (2FA) for the time being. Thank you.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Those were mentioned as examples. We are considering it for services. Apps like Kasa, Tapo, Tether, or Deco all use the same TP-Link IDs to log in. If we are to secure the service itself through 2FA these would also be affected.
- Copy Link
- Report Inappropriate Content
Ok, great. That's good news.
Do we have an approximation of when the MFA deployment will take place ?
Regards,
- Copy Link
- Report Inappropriate Content
No unfortunetly not. Its right now in the discussion phase as far as I know. But as soon as its confrimed and we have the date I will be happy to make an Official Annoucement here on the community.
- Copy Link
- Report Inappropriate Content
Hi @Carl
I really surprised to read your feedback.
couple of things worth mentioning:
- As you all router manufacturers turn on cloud based access, there is no concept of logging into 'wired' local network anymore. And cloud always brings breach of security and privacy.
- I have used 3 other router system for my home : Eero, Orbi and Google WiFi. Every single one of them implements some sort of MFA implementation. These days This is a de facto expectation like for instance https.
- When u gain access to the TPLink router, you can view/change my wifi password and gain access if you are near my house, gain info on my mac address, disrupt my network etc. How can this be not of security concern by a company like TPLink?
I really like the simplicity and cost of the deco products but cannot simply accept a NON MFA login, and will this resort to other. Really a shame.
- Copy Link
- Report Inappropriate Content
I couldn't agree more that absence of MFA to TP-Link account is a giant security risk. Once a hacker gains access to the account, it's complete access to the router (however long the password to the latter is). Incredible that TP-Link has still not fixed this problem!
- Copy Link
- Report Inappropriate Content
Can't believe that no form of MFA is available for the TP-Link ID.
This is obviously a huge security risk.
Full admin access on network appliances over a singular password is incredibly bad security design.
Please at least implement 2FA, preferably passkeys, like the rest of the world.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
We need MFA or even better passkeys which Google and others are switching over right now.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 23
Views: 8760
Replies: 20