VMSes Adding 2 Factor Authentication (2FA)

By: IPVM Team, Published on Feb 01, 2017

2 Factor Authentication (2FA) support is growing across the Internet to improve the security of critical web services. For example, banks frequently use 2FA to mitigate against a user's password being stolen / hacked.

Now, VMS manufacturers are starting to add two factor authentication (2FA) support to their products.

In this report we outline how 2FA works, what problems it solves, who is using it (including BCD, Eagle Eye, Genetec, Milestone, OpenEye) and what vulnerabilities it still leaves open.

Two Factor Authentication Overview

Two factor authentication (sometimes also called two step verification) uses two components to verify a users identity. The first component is typically a traditional password, and the second component is a code or PIN that is only usable 1 time, or for a short duration of time.

The code for the second factor is often delivered via SMS or email to the accounts registered to the user when they are trying to login. A standard approach is for the user to enter their username/password, and then be presented with a set of options for where they would like the 1-time code to be delivered. In some cases the special code is generated by an app like Authy.

No matter how the code is received by the user, the key components are that the code is only valid for a short duration of time, and typically only for a single login. This reduces the chance that stolen passwords can be used to login to user accounts.

The primary downside to requiring 2FA is additional burden on the user when logging in, though this is typically minimal unless the user is suddenly without access to their phone, email account, or method used to receive the 1-time code.

VMSes Supporting 2FA

Currently, the following companies support some form of 2FA login, generally in their latest releases only:

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

  • EagleEye - First login on unknown or untrusted device requires 2FA, code delivered via email or SMS.
  • Genetec Stratocast - uses Google, Microsoft or Yahoo logins, which can be independently set for 2FA.
  • Milestone Corporate / Expert - Every login requires 2FA when enabled, code delivered via email or SMS, customer must configure SMS gateway.
  • OpenEye - Every login requires 2FA when enabled, code delivered via SMS.

Additionally, server builder BCDVideo has added 2FA support for an admin app on their servers, this does not add 2FA to hosted VMSes, but prevents remote login to the server control panel without the two-step process.

Problems Solved By 2FA For VMSes

2FA primarily prevents users from sharing passwords, or using stolen passwords to login to another persons account. It also prevents hackers that retrieve a list of username/password combinations from a database dump or similar from using those credentials to masquerade as a valid user and login to the server. It can be particularly useful for accounts that have admin-level, or other advanced privileges, to prevent unauthorized use of those accounts.

What 2FA Does Not Solve

Two factor authentication will not prevent the kinds of exploits that have been common in security devices recently - attacks leveraging weaknesses in the software itself to gain access to backdoors, consoles, command prompts, etc. A server with 2FA login requirements, that has an exploitable script as part of a web/mobile gateway would still be vulnerable to hack attempts.

More Applicable To VMSes Than Cameras

While there is nothing technically preventing a 2FA implementation on a camera or similar device, it is typically only implemented on servers or devices that humans regularly login to directly. Implementing 2FA on a camera would also mean that the VMS would need some way to respond to the prompts for the second factor authentication, which would make setup and administration cumbersome.

Good Move For Industry

Though 2FA does not make a VMS secure from all forms of remote exploit, it can prevent account misuse and prevent malicious users from attempting to access admin accounts to change settings, delete bookmarks, or perform other unauthorized functions. Banks, and even email providers like Google and Yahoo routinely offer the option to use 2FA verification, and given the sensitivity of some VMS uses, it is a good ides for manufacturers to offer users the ability to increase security around user verification.

Interest In 2FA?

7 reports cite this report:

Verkada Cloud VMS/Cameras Tested on May 02, 2019
Verkada is arguably the most ambitious video surveillance startup in many years. The company is developing their own cameras, their own VMS, their...
Cisco Meraki Cloud VMS/Cameras Tested on Feb 13, 2019
Cisco Meraki says their cameras "bring Meraki magic to the enterprise video security world". According to Meraki, their magic is their management...
Eagle Eye Networks Cloud VMS Tested on Jul 26, 2018
Eagle Eye has become one of the most significant players in the industry in the past few years: Eagle Eye's Owner Acquired Brivo Eagle Eye...
Genetec Now Detects Insecure Camera Firmware on Nov 29, 2017
Genetec is heavily emphasizing cyber security and cyber resilience. From initiatives like CHAVE to 2 Factor Authentication to Expelling...
Verkada, Silicon Valley VSaaS Startup, Targets Enterprise on Oct 19, 2017
Verkada says they are building an enterprise-class VSaaS offering, calling it "The new platform for video security". This is a departure from the...
Surveillance Systems Remote Access Usage Statistics on Oct 11, 2017
Remote access is a major benefit and risk for video surveillance. It is a benefit because it allows users to manage security or review...
OpenEye Takes Aim At Exacq on Mar 23, 2017
First Milestone targeted Exacq with a takeover offer, and now OpenEye is gunning for them with an offer to swap out Exacq for their cloud-managed...
Comments (6) : PRO Members only. Login. or Join.

Related Reports on VMS

Sighthound Transforms Into Enterprise AI Provider on Jun 14, 2019
Sighthound is now rapidly expanding its R&D team, building an enterprise AI service. This may come as a surprise given their origins 6 years...
Embattled $400 Million China Funded Philippines Surveillance System Proceeds on Jun 13, 2019
An embattled 12,000 camera surveillance system project that will cost ~$400 million will proceed.  The project contract was awarded, had its...
Carnegie Mellon AI Startup Zensors Profile on Jun 11, 2019
Zensors is a startup formed by Carnegie Mellon graduates from a Carnegie Mellon research project, offering customized models per camera that they...
Avigilon 32MP and 12MP H4 Multisensor Cameras Tested on Jun 11, 2019
Avigilon has released their H4 Multi-Sensor line of cameras claiming "broad scene coverage and high image detail" We bought and tested the...
Directory of 30+ VSaaS / Cloud Video Surveillance Providers on Jun 07, 2019
This directory provides a list of VSaaS / cloud video surveillance providers to help you see and research what options are available. 2019 State...
OpenALPR Doubles Prices on Jun 06, 2019
There is no 'race to the bottom' in cloud / AI video surveillance. In May, Verkada increased their prices. Now, OpenALPR is doing the same with a...
"New" Arecont Fixes Failures "Without A Fight" on Jun 05, 2019
The "old" Arecont was infamous not only for its camera failures but for making their "partners" fight to get them fixed. IPVM drew the ire of...
Startup Rhombus Systems Says Twice the Features, Half the Price of Verkada on Jun 04, 2019
Closed cloud systems may be the fastest growing segment of video surveillance with Meraki and Verkada. Now another California company is joining...
Smart CODEC Usage Statistics 2019 on Jun 03, 2019
Smart codecs are now nearly a standard feature in IP cameras, but our statistics show integrator adoption has not increased at the same rate. In...
Panasonic Sells Off / Spins Out Security Business on Jun 02, 2019
Panasonic has sold off its security systems business to a private equity firm, after suffering years of challenges. The new company, which will...

Most Recent Industry Reports

Sighthound Transforms Into Enterprise AI Provider on Jun 14, 2019
Sighthound is now rapidly expanding its R&D team, building an enterprise AI service. This may come as a surprise given their origins 6 years...
ADT Eliminating Acquired Brands, Unifying Under 'Commercial' Brand on Jun 14, 2019
ADT is eliminating the brands of the many integrators it has acquired over the past few years, including Red Hawk, Aronson Security Group (ASG),...
NSA Director Keynoting Dahua and Hikvision Sponsored Cybersecurity Conference on Jun 13, 2019
The technical director for the NSA’s Cybersecurity Threat Operations Center will be keynoting a physical security cybersecurity conference that is...
Farpointe Data Conekt Mobile Access Reader Tested on Jun 13, 2019
California based Farpointe Data has been a significant OEM supplier of conventional access readers for years to companies including DMP, RS2, DSX,...
Embattled $400 Million China Funded Philippines Surveillance System Proceeds on Jun 13, 2019
An embattled 12,000 camera surveillance system project that will cost ~$400 million will proceed.  The project contract was awarded, had its...
False Verkada 'Unrivaled' Low Light Performance Claim Removed on Jun 12, 2019
Verkada falsely claimed that it delivered 'UNRIVALED LOW LIGHT PERFORMANCE' until IPVM questioned. In fact, Verkada's low light performance is...
Manufacturer Favorability Guide 2019 on Jun 12, 2019
The 259 page PDF guide may be downloaded inside by all IPVM members. It includes our manufacturer favorability rankings and individual...
Camera Course Summer 2019 - Register Now on Jun 12, 2019
Register for the Summer 2019 Camera Course.  This is the only independent surveillance camera course, based on in-depth product and technology...
Favorite Wireless Manufacturers 2019 on Jun 12, 2019
Many wireless options exist for video surveillance but how are integrator's overall favorites? 170 integrators answered the question: What is...
Carnegie Mellon AI Startup Zensors Profile on Jun 11, 2019
Zensors is a startup formed by Carnegie Mellon graduates from a Carnegie Mellon research project, offering customized models per camera that they...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact