Arlo|Smart Home Security|Wireless HD Security Cameras

2nd factor Authentication enforced on ALL joined devices/accounts

As mentioned in the title,

 

2FA is poorly implemented, because if you allow extra accounts to access your system, 2FA is not enforced for them, thus 2FA is partially useless.

 

Suppose the main account is security conscious and enables 2FA with pin/fingerprint, with an alphanumeric key to unlock the phone, and an encrypted phone. It does NOTHING against its partner/wife/husband/friend/etc. if the other person who has access has a non-encrypted phone, with no pin/pattern/password lock, where the Arlo app ASKS NOTHING of the allowed secondary account (whose risk profile is much higher than the primary account profile, which is more security conscious).

 

So, for anyone that has to give extra access to the main account, the 2FA security is pointless.

Comments
StephenB
Guru

>>>

so, for anyone that has to give extra access to the main account, the 2FA security is pointless.

>>>

I don't see how 2FA could be made to work in this scenario, since the second account can have its own cameras (in addition to having granted access to yours) - and might also have been granted access from other accounts. There is no account hierarchy built in to the feature.

 

This isn't an implementation flaw on Arlo's part - it's a fundamental misunderstanding of what 2FA is designed to achieve.

 

Two factor authentication provides confirmation to the Arlo Cloud that you are actually the person logging into your account. It accomplishes that by requiring a confirmation response from a device that you possess before it allows the log on to complete. The granted account can also use 2FA for the same purpose - to allow the Arlo Cloud to establish that the person logging into the granted account is the account holder.

 

It isn't (and can't be) used to allow you to confirm the identity of someone else, and it doesn't provide any assurance that the device that you (or anyone else) is using to access the Arlo Cloud is secure.

More information on the purpose of the 2FA mechanism is here:  https://en.wikipedia.org/wiki/Multi-factor_authentication

Chares
Follower
Your example further affirms (at least for me) that it's a design flaw. Multiple logins could be an answer if you whitelist devices as trusted, but that brings the problem of providing access logs to show which user/device pair accessed a camera. Arlo hasn't even added a "trusted browser", as most 2FA allowed apps/systems do, so it requires the auth push to be clicked on the phone. (Yet again another risk for sure: do you trust the device running the browser?) It's almost the same problem as enabling 2FA in an application, but allowing SAML/OpenID/OAuth to others as an IdP (Identity Provider), in which case, if the tech is not developed/advanced, the IdC (Identity consumer) asking for a login to the IdP will not require the 2FA. Long story short, Arlo rushed 2FA without really considering the implications it has regarding Identity Management and Identity Federation, which makes me wonder if they have the proper skills in their teams.
StephenB
Guru

>>> Your example further affirms (at least for me) that it's a design flaw,

I did revise my initial response, and you might have replied to it before I changed it.

 

Ultimately you want something out of 2FA that the technique can't provide. 2FA isn't about whitelisting devices. Its only real use is to confirm the identity of someone who has the account credentials. If I log into a granted account, and you get a request for confirmation when I've done that, then the fundamental problem isn't solved - because you have no way of knowing that I am really me.

 

There is a problem here that would be good to solve, but 2FA isn't the solution. It's also not about Identity Federation, since the goal of that is to allow a single set of credentials to be used by one person across multiple domains. It doesn't give you any tools to confirm the identity of someone else that you've allowed to access your data.

 

What you actually seem to want is a domain of your own - including the people you've allowed to access your cameras, the devices they use for that access, and giving you some ability to ensure that the devices they are using meet your security requirements.

 

BTW, I am not commenting on Arlo's implementation (one way or another). I'm making a broader comment on what multifactor authentication can (and can't) achieve.

 

FWIW, I agree that access logs are needed (and would at least allow you to determine when your data or system was accessed and what credentials were used for that access).

HWC123
Tutor

Just tried 2FA today, I am due to change my 9 cam system in March 2021, it will NOT be with ARLO!