Blink's short-sighted and poorly considered 2-Factor Authentication Approach (and how to fix it)

Increased security. Wonderful. I use 2-Factor authentication in almost everything that supports it, and it’s great to see that the Blink team is thinking about these things.

Now we find out about the implementation: You are required to put in a phone number for SMS or voice calls. People are accustomed to this, but it’s a terrible and poorly-considered choice for this application:

  • What about households with multiple people accessing the same Blink system? The account is bound to just 1 phone number, so what happens when some other person needs to do 2FA?
  • What happens when I’m traveling and have a foreign SIM in my phone? Or let’s say I’m in a country where my phone doesn’t work on their network? Sooner or later, I’ll need to login or set up Blink again on my phone for one reason or other.
  • The use of phone-based 2FA just opens people up to SIM-swap fraud. Criminals can scam some worker at the phone company, to steal your phone number, and then they will have access to your Blink 2FA codes. Good luck preventing that one.

HOW TO FIX IT - Blink should have thought this through better, and also enabled an app-based solution:
The 2-Factor Authentication should use the same app-based approach enabled by Google, Amazon, PayPal, Discord, Dropbox and many others: TOTP apps such as Authy and Google Authenticator that securely generate codes on your phone, without the need for a phone signal, let alone working phone service.

Dear Blink Team, please re-consider your approach to 2FA. The current setup is just a mess of problems, complications and security holes waiting to happen. Please let responsible users take control of their own security. As a general practice, you should never link anything important to a phone number, since you are just handing over the keys to network operators who are, at best, bumbling and bureaucratic, and at worst, incompetent.

Thanks for reading.

6 Likes

I think using an app like Google Authenticator is a great idea, but I believe they should offer multiple options so it can accommodate anyone.

1 Like

[quote=“William834, post:1, topic:15038”]

  • What about households with multiple people accessing the same Blink system?
  • What happens when I’m traveling and have a foreign SIM in my phone?
  • The use of phone-based 2FA just opens people up to SIM-swap fraud
[/quote]

What % of Blink owners fall under these conditions? Very few. The multiple people thing is not how or what Blink was designed. Remember, it’s cheap for a reason.

I’m on my 4th winter using Blink original XT-1 outdoor cameras. Friggin things still keep doing their thing. It’s just me on the account. No smart home devices. No dual channel wifi router. Keeps on working as it’s just the basics. This is how Blink was designed, priced and marketed to work. Target market was and still is the cheapskate buyers that purchase on low low price with minimal operating costs.

The BIGGEST BY FAR complainers and critics on this forum are the ones that want more, but don’t want to pay for it. The ones that are technogeeks and point out the shortcomings of the system. The ones that say how critical their security situation is. Yet ALL of them own Blink. Why? For the same reason people save big money at Menards, look for the blue light special at K-Mart, and love Walmart for low prices everyday. They bought on price.

Could Blink be better with additional features and benefits? Hell yes. But now the price tag goes up and the Blink customer market won’t pay up. Look at all the people crying about paid subscription for cloud storage. Price goes up, people say F it and buy Ring or a different brand. Amazon knows this so they keep Blink kinda stupid on purpose. Ring is Amazon’s cash cow. Blink is the red-headed stepchild that’s just along for the ride.

“What happens when I’m traveling and have a foreign SIM in my phone?”

This right here is the deal breaker for me. At least have more than one option, i.e. email.

That’s a poor answer. I would say husbands and wives both have access to the security system in their home and have the app installed on their phones.

1 Like

Don’t whine to me, I’m a customer like you, not Blink tech support.

That situation is not a problem. Same home = share the pin. Don’t pizz and moan then make excuses for something you didn’t buy or worse yet didn’t do enough homework on. Multiple users with separate logins is what you really want. That isn’t what Blink is.

I’m not whining, why are you so abrasive… what’s your problem? Get a life…

2 Likes

Be Agreeable, Even When You Disagree

You may wish to respond to something by disagreeing with it. That’s fine. But, remember to criticize ideas, not people. Please avoid:

  • Name-calling.
  • Ad hominem attacks.
  • Responding to a post’s tone instead of its actual content.
  • Knee-jerk contradiction.

Instead, provide reasoned counter-arguments that improve the conversation.

Last time I followed all the rules and regulations was my behind the wheel test as a teenager. I’m betting that was way before you were even born.

and your point is…I’ll take that bet also…

I know when to get off the troll train
Bye

I agree. What if people don’t have a cell phone? If people have a landline, it does not travel with them.
How can people do the authentication if they are out of the home and do not have access to their landline? Then, they cannot authenticate? Is this a “one time” authentication, or every time you use the Blink app?

Just to let you know, Blink support can change it over to e-mail verification instead of phone.

Also, you could use a VoIP number for the verification service, which forwards to e-mail. Their 2FA messages are not short SMS, so VoIP services will be fine.

1 Like

I had it set with e-mail verification after contacting them about 2FA that wouldn’t work in my situation. Today my wife accesses the account and is asked to put in a phone number. I get a “someone has changed your phone number” e-mail. Now I have to try to get it changed back.
My situation is I have systems in two countries and at one location there is no cell service.

I appreciate the security of 2FA, but believe that Blink did not consider all of the use cases before forcing this on users. We have Blink cameras installed on my 85 year old Mom’s house that lives 250 miles away from my two brothers and me. We are not allowed to have multiple users input their phone #'s for 2FA. Therefore, if I put in my phone #, then anytime my Mom, or my brothers want to check-in or monitor, then the code will come to me and I will have to send to them in order to get into the app. My mom can no longer click on her app and look at the cameras to see who may be walking around her house. She will no longer be able to alarm her system without me being available to give her the code. We can’t use her phone number because if she is in trouble, she won’t be able to send us the code for us to get in.
In order to prevent hackers, Blink has also prevented multiple users from monitoring a loved one’s security. This is why we bought the system and now we have constraints that make it impractical. Management should have considered that the relationship of security systems is not 100% one system to one user, but could often be one system to many users. This seems very short-sighted for a security systems company.
Just to add…using an email address for authentication is more impractical than the phone number/text option. My mom has never, ever used email and does not have an email address. The system is registered under my email address and in order to use that for 2FA, my brothers would have to have credentials to my email address. Handing out my email credentials to access my Mom’s Blink cameras violates my privacy and security.

1 Like

@3Cowboys

I should point out, it doesn’t ask you for the 2FA code every time.
I have my Blink account logged in on 1 phone and 2 tablets.
And then I enabled 2FA using a phone number, and verified the 2FA code on the phone.
The other 2 tablets that were already logged in still worked, without confirming 2FA. The tablets were not logged out, and they did not request 2FA verification, presumably because they were already logged in.

I imagine if you tried to login to the blink account from a new device, it might ask for 2FA. But up to now, I have only needed to enter the 2FA code just one time, and that was for when I enabled it.

I totally agree that having only 1 phone number is a poor approach to 2FA. I have an AirBnb that is managed by a friend. We both need access to the exterior camera.

They just disabled my account. Had 2FA with verification via email, but now they want a phone number for verification. I provided a phone number but they never sent a code to verify. What a bunch of idiots.

Totally broken now. Does anyone still have access to their account/cameras?

Unable to use my camera any longer. Disappointed. Time to move on.