Implement 2-factor authentication for Cloud dashboard access from WAN

Have a facility where for Dashboard access from outside of the local area network that two factor authentication can be utilised with the code generated Google’s authenticator app.

Each user on the NAS should be able to set their own 2-factor authentication code (2FA) or the device owner to generate a code for another user account on the NAS.

6 Likes

Wow, why didn’t they do it so far!? Great idea…

It makes sense. the LAN is generally more secure then the network that encompass the entire planet and which included the International space station.

So for the NAS’s that allow access to the Dashboard UI, so allow assigning 2-factor a NAS’s account and if the device that is connecting to the dashboard login screen has 2FA enabled and it’s IP address is not within the local area network then a user-name. password and a code from an authenticator app would be required.

You may ask; “What if the authenticator app corrupts and won’t generate the time-based 6 digit code, thus locking user out of an account.” That’s not a problem because all that would be needed is to access the account on the NAS from within the local area network. The 2FA code would then not be needed and the user will be able to disable or reset the account’s 2FA key.

Now, the question is how does one get a stupid amount of votes for this idea for WD to take notice of this idea and apply this to a future firmware update?

Anyone got any suggestions?

1 Like

Status: Acknowledged

2 Likes

Hi Hamlet,

What does this status mean? Does it mean that it’s in the list of stuff to be implemented on release x or something? Or rather something like it was just added to “the things community wants”, etc.?

Thank you.

I’m hoping it would get implemented. Especially that Western Digital has stated on more than one occasion the the security is high on the company’s list of priorities. With the dashboard UI on some NAS’s can be made available to the Internet for the purposes of remote management, it would be very prudent and common sense to to implement 2FA so to access the UI, there would be a need for a user-name, a password and a 2FA code.

Actuallly, there should also be an option to disable an account to be accessed from the WAN side of the network, but that’s not implemented.

There is a lot more that can be done to secure a WD NAS from unauthorised intrusion.

1 Like

I agree that there should be an option on the dashboard to restrict WAN access. I like the My Cloud app on App Store but if I connect to my EX2100 with it, then the EX2100 opens WAN cloud access as well. All the time I use (and intend to use) My Cloud app is within LAN.

They could also implement IP based authentications, like the requester must be within 192.168.1.x (and this could be editable) to access data.

There is such an option. It’s just that there should be a 2FA option for any accesses to the NAS’s UI from outside the local area network (LAN).

Really? Where do you set it?

2FA is not yet available on any Western digital NASs and services.

Looking forward for this feature, all access to WD cloud services should include 2FA as an option. a single user/pwd is very easy to break nowadays

They should have 2FA as an option to enable for users. Google have a great system, 2FA for your account but you can make exceptions for external connections to your account that do not work with 2FA.

I don’t want to use the myvloud.com web access to files because of this. I feel that a username and password is not good enough,

Hi all,

WD listens to their customers… but not actively I would say. Here you are the answer I got from official support about this strong security on their personal cloud products:

[…] we appreciate your feedback in regards our products, we cannot predict the release of a product of feature, please continue to follow our community for news and updates […]

So that’s it, take it into consideration whenever you asses to buy a WD product vs other vendors, and if you appreciate your privacy, consider twice before enabling your data exposure to the WD cloud.

Oh man… Read this:
https://community.wd.com/t/latest-firmware-still-vulnerable/96743?source_topic_id=198486

And this, particularly Vendor contact timeline:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt

Fixed few days ago, note the date when it was advised to WD

That should give you some overview of how the WD is concerned with security…

So it’s taken an actual public disclosure of the vulnerability for the fix to be published? Scary. :frowning:

new year 2019 and still, more than TWO YEARS since this feature was requested to WD within several threads and by formal support channels… and NOTHING IMPLEMENTED AT ALL

Not a serious company to buy products if you expect sensitive data to be secured.

Yesterday I suggested 2FA feature to WD technical line via phone and got sad for today, it seems that it suggested years ago. After 2018, most of firmwares have security issues and 2FA will prevent multiple attacks.

I hope they will implement it as soon as possible.

Best.

Hi CnK, yes, it is shocking WD does not take seriously vulnerabilities and securing their products. I was (past tense already) a loyal customer to the brand for 20 years but not anymore. Implementing a 2FA via SMS OTP or Code generator is relatively easy due to 3PP services already providing them ready for consumption and should be affordable for a company like WD… the problem, in my opinion, goes beyond because affects their brand. I was so surprised when I got as official answer from support they do not disclose at all if a feature is or not in their roadmap (I was interested at that time just to confirm if they considered, sine die, the feature in their backlog), that I decided not to trust anymore in the company nor their products. I am a professional of ICT industry, I would never had handle my customers in such a way.