VMSes Adding 2 Factor Authentication (2FA)

By: IPVM Team, Published on Feb 01, 2017

2 Factor Authentication (2FA) support is growing across the Internet to improve the security of critical web services. For example, banks frequently use 2FA to reduce the damage when a user's password is stolen or hacked.

Now, VMS manufacturers are starting to add two factor authentication (2FA) support to their products.

In this report we outline how 2FA works, what problems it solves, who is using it (including BCD, Eagle Eye, Genetec, Milestone, OpenEye) and what vulnerabilities it still leaves open.

Two Factor Authentication Overview

Two factor authentication (sometimes also called two step verification) uses two components to verify a user's identity. The first component is typically a traditional password, and the second component is a code or PIN that is usable only once, or only for a short duration of time.

The code for the second factor is often delivered via SMS or email to the accounts registered to the user when they are trying to log in. A standard approach is for the user to enter their username/password, and then be presented with a set of options for where they would like the 1-time code to be delivered. In some cases the special code is generated by an app like Authy.

No matter how the code is received by the user, the key components are that the code is only valid for a short duration of time, and typically only for a single login. This reduces the chance that stolen passwords can be used to log in to user accounts.
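
The two properties described above (short validity and single use), shown as an added example that is not from the original report or from any vendor's product: a minimal server-side store for codes delivered by SMS or email. The class name, the 5-minute lifetime and the 5-guess limit are assumptions chosen for illustration; the guess limit goes beyond the text, since a 6-digit code that can be guessed without limit offers little protection.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumption: guesses allowed per issued code


class OneTimeCodeStore:
    """In-memory store for second-factor codes sent by SMS or email."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Create a fresh 6-digit code, replacing any earlier one for the user."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        return code  # hand to the SMS/email gateway; do not log it

    def verify(self, username, submitted):
        """Return True only for a correct, unexpired, not-yet-used code."""
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, already used, or locked out
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]  # short lifetime: a stale code is dead
            return False
        entry[2] -= 1
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]  # single use: a replay finds nothing
            return True
        if entry[2] == 0:
            del self._pending[username]  # guess limit hit: a new code is needed
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("operator1")         # constructed username
    print(store.verify("operator1", code))  # first use of the code
    print(store.verify("operator1", code))  # replay of the same code
```
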

The primary downside to requiring 2FA is additional burden on the user when logging in, though this is typically minimal unless the user is suddenly without access to their phone, email account, or method used to receive the 1-time code.

VMSes Supporting 2FA

Currently, the following companies support some form of 2FA login, generally in their latest releases only:

  • Eagle Eye - First login on unknown or untrusted device requires 2FA, code delivered via email or SMS.
  • Genetec Stratocast - uses Google, Microsoft or Yahoo logins, which can be independently set for 2FA.
  • Milestone Corporate / Expert - Every login requires 2FA when enabled, code delivered via email or SMS, customer must configure SMS gateway.
  • OpenEye - Every login requires 2FA when enabled, code delivered via SMS.

Additionally, server builder BCDVideo has added 2FA support for an admin app on their servers. This does not add 2FA to hosted VMSes, but prevents remote login to the server control panel without the two-step process.

Problems Solved By 2FA For VMSes

2FA primarily prevents users from sharing passwords, or using stolen passwords to log in to another person's account. It also prevents hackers who retrieve a list of username/password combinations, from a database dump or similar, from using those credentials to masquerade as a valid user and log in to the server. It can be particularly useful for accounts that have admin-level or other advanced privileges, to prevent unauthorized use of those accounts.

What 2FA Does Not Solve

Two factor authentication will not prevent the kinds of exploits that have been common in security devices recently - attacks leveraging weaknesses in the software itself to gain access to backdoors, consoles, command prompts, etc. A server that requires 2FA at login but has an exploitable script as part of a web/mobile gateway would still be vulnerable to hack attempts.

More Applicable To VMSes Than Cameras

While there is nothing technically preventing a 2FA implementation on a camera or similar device, it is typically only implemented on servers or devices that humans regularly log in to directly. Implementing 2FA on a camera would also mean that the VMS would need some way to respond to the prompts for the second factor, which would make setup and administration cumbersome.

Good Move For Industry

Though 2FA does not make a VMS secure from all forms of remote exploit, it can prevent account misuse and prevent malicious users from attempting to access admin accounts to change settings, delete bookmarks, or perform other unauthorized functions. Banks, and even email providers like Google and Yahoo, routinely offer the option to use 2FA verification, and given the sensitivity of some VMS uses, it is a good idea for manufacturers to offer users the ability to increase security around user verification.
