VMSes Adding 2 Factor Authentication (2FA)By: IPVM Team, Published on Feb 01, 2017
2 Factor Authentication (2FA) support is growing across the Internet to improve the security of critical web services. For example, banks frequently use 2FA to mitigate against a user's password being stolen / hacked.
Now, VMS manufacturers are starting to add two factor authentication (2FA) support to their products.
In this report we outline how 2FA works, what problems it solves, who is using it (including BCD, Eagle Eye, Genetec, Milestone, OpenEye) and what vulnerabilities it still leaves open.
Two Factor Authentication Overview
Two factor authentication (sometimes also called two step verification) uses two components to verify a users identity. The first component is typically a traditional password, and the second component is a code or PIN that is only usable 1 time, or for a short duration of time.
The code for the second factor is often delivered via SMS or email to the accounts registered to the user when they are trying to login. A standard approach is for the user to enter their username/password, and then be presented with a set of options for where they would like the 1-time code to be delivered. In some cases the special code is generated by an app like Authy.
No matter how the code is received by the user, the key components are that the code is only valid for a short duration of time, and typically only for a single login. This reduces the chance that stolen passwords can be used to login to user accounts.
The primary downside to requiring 2FA is additional burden on the user when logging in, though this is typically minimal unless the user is suddenly without access to their phone, email account, or method used to receive the 1-time code.
VMSes Supporting 2FA
Currently, the following companies support some form of 2FA login, generally in their latest releases only:
- EagleEye - First login on unknown or untrusted device requires 2FA, code delivered via email or SMS.
- Genetec Stratocast - uses Google, Microsoft or Yahoo logins, which can be independently set for 2FA.
- Milestone Corporate / Expert - Every login requires 2FA when enabled, code delivered via email or SMS, customer must configure SMS gateway.
- OpenEye - Every login requires 2FA when enabled, code delivered via SMS.
Additionally, server builder BCDVideo has added 2FA support [link no longer available] for an admin app on their servers, this does not add 2FA to hosted VMSes, but prevents remote login to the server control panel without the two-step process.
Problems Solved By 2FA For VMSes
2FA primarily prevents users from sharing passwords, or using stolen passwords to login to another persons account. It also prevents hackers that retrieve a list of username/password combinations from a database dump or similar from using those credentials to masquerade as a valid user and login to the server. It can be particularly useful for accounts that have admin-level, or other advanced privileges, to prevent unauthorized use of those accounts.
What 2FA Does Not Solve
Two factor authentication will not prevent the kinds of exploits that have been common in security devices recently - attacks leveraging weaknesses in the software itself to gain access to backdoors, consoles, command prompts, etc. A server with 2FA login requirements, that has an exploitable script as part of a web/mobile gateway would still be vulnerable to hack attempts.
More Applicable To VMSes Than Cameras
While there is nothing technically preventing a 2FA implementation on a camera or similar device, it is typically only implemented on servers or devices that humans regularly login to directly. Implementing 2FA on a camera would also mean that the VMS would need some way to respond to the prompts for the second factor authentication, which would make setup and administration cumbersome.
Good Move For Industry
Though 2FA does not make a VMS secure from all forms of remote exploit, it can prevent account misuse and prevent malicious users from attempting to access admin accounts to change settings, delete bookmarks, or perform other unauthorized functions. Banks, and even email providers like Google and Yahoo routinely offer the option to use 2FA verification, and given the sensitivity of some VMS uses, it is a good ides for manufacturers to offer users the ability to increase security around user verification.
Interest In 2FA?