― Criteria: A product has an authentication system that corresponds to the sensitivity of the user data it manages. ―

| Indicator | Component | Smart Baby Monitor | Final Results |
|---|---|---|---|
| If a product supports user accounts, it has an authentication system for accessing those accounts. | Handset | The baby monitor handset does not support user accounts. | NA |
| | Android app | The baby monitor Android app has an authentication system that supports user-created accounts, and requires the creation of such an account for any interaction with the baby monitor. | ✔️ |
| If a product is packaged with an account with default credentials, those credentials are unique to the instance of the product. | Handset | While the baby monitor handset does require a secured Wi-Fi connection, it has no other user account or authentication system. | NA |
| | Android app | The baby monitor Android app is not packaged with default credentials; instead, users must create an account, which includes choosing a password and verifying an email address, before the app can connect to the device. | ✔️ |
| If a product has an authentication system, the user must authenticate each time they want to use the product. | Handset | The baby monitor handset has no user account or authentication system. | NA |
| | Android app | The baby monitor Android app does not require logging in each time it connects to the device, even after the app has been closed and reopened multiple times. When the device restarts, the app does not force users to reauthenticate unless they first signed out of the app. | ❌ |
| If a product has an authentication system, it requires at least two pieces of information to authenticate users. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The monitor app requires an email address, which it verifies by sending a unique confirmation link that the user must visit to activate the account, as well as a password. | ✔️ |
| For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication. | Handset | The baby monitor handset handles sensitive data and does not have an authentication system (see note below). | ❌ |
| | Android app | The baby monitor app handles sensitive data, including data collected through the device's remote camera and bi-directional microphone. The baby monitor app does not offer any form of multi-factor authentication. | ❌ |
| For products that handle sufficiently sensitive data, users can choose to use multi-factor authentication whenever the product is activated, or when a device is unrecognized. | Handset | The baby monitor handset handles sensitive data and does not have an authentication system. | ❌ |
| | Android app | The baby monitor app handles sensitive data, including data collected through the device's remote camera and bi-directional microphone. The baby monitor app does not offer any form of multi-factor authentication. | ❌ |
| If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app requires that passwords be at least eight characters long. | ✔️ |
| If the product uses a password/passphrase for authentication, the password/passphrase may be at least 20 characters long. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app states that passwords may be up to 20 characters long, but in testing it neither truncated input at 20 characters nor rejected longer passwords, so passwords of at least 20 characters are accepted. | ✔️ |
| If the product uses a password/passphrase for authentication, it requires that passwords are reasonably complex. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app requires that a password be at least eight characters long and contain at least one uppercase letter, one lowercase letter, and one digit. | ✔️ |
| If the product uses a password/passphrase for authentication, it allows all reasonable characters as input. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app accepted all of the symbols on the two main symbol rows of the default Android English keyboard. | ✔️ |
| If the product uses a password/passphrase for authentication, it is compatible with popular password managers. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app allowed the use of a password manager, as well as simple copy/paste of passwords. | ✔️ |

Note on the multi-factor authentication indicator: the device fails this indicator, which asks only whether multi-factor authentication is available to users; here it is not. Multi-factor authentication traditionally combines something the user has with something the user knows: a physical object, say a debit/ATM card or a house key, and something remembered, like a PIN or the location of one's house. Access to information from the handset does require both physical possession of the handset and proximity to the secured Wi-Fi network that the baby monitor camera is on (along with the password for that network). And while the handset does handle sensitive data, the inability to record through, or store data on, the device, combined with these network-level safeguards, may reduce the risks that (multi-factor) authentication seeks to address to the point of near equivalence.
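The password indicators above amount to a policy that can be checked mechanically. The following is an added example, not code from the baby monitor app or its vendor, of a validator that satisfies those indicators: it enforces the eight-character minimum and the uppercase/lowercase/digit rule, accepts passwords well beyond 20 characters, and rejects only control characters so that spaces and every keyboard symbol are allowed. The `accepts_long_passwords` probe checks a validator the way the 20-character indicator does, and the `truncated_for_storage` helper is included only to show the failure mode that indicator guards against: a backend that silently cuts input at a field limit turns two different passwords into one credential. All function names and the 256-character hard cap are assumptions made for this example.

```python
"""Password-policy checker built from the indicators in the table above.

Added example, not the evaluated app's own code. The rules (minimum 8,
upper + lower + digit, no cap below 20, any printable character) come from
the indicators; the function names and the 256-character hard cap are
assumptions made for this example.
"""
from __future__ import annotations

import unicodedata

MIN_LENGTH = 8
MIN_ACCEPTED_MAX = 20   # a policy must accept passwords at least this long
HARD_CAP = 256          # assumed upper bound, well above 20, to bound hashing cost


def policy_violations(password: str) -> list[str]:
    """Return every rule the password breaks (an empty list means acceptable)."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > HARD_CAP:
        problems.append(f"longer than {HARD_CAP} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # "All reasonable characters": only Unicode control characters (category C*)
    # are rejected, so spaces, punctuation and every keyboard symbol pass.
    if any(unicodedata.category(c).startswith("C") for c in password):
        problems.append("contains control characters")
    return problems


def is_acceptable(password: str) -> bool:
    return not policy_violations(password)


def accepts_long_passwords(check=is_acceptable, length: int = MIN_ACCEPTED_MAX) -> bool:
    """Probe a checker the way the 'at least 20 characters' indicator does:
    build a rule-compliant password of the given length and see if it passes."""
    probe = ("Ab1" * (length // 3 + 1))[:length]
    return len(probe) == length and check(probe)


def truncated_for_storage(password: str, cap: int | None) -> str:
    """Anti-pattern, shown for contrast: what a backend keeps when it silently
    cuts input at a field limit. With cap=20, any two passwords that agree in
    their first 20 characters become the same credential."""
    return password if cap is None else password[:cap]


if __name__ == "__main__":
    for pw in ["short1A", "alllowercase1", "CorrectHorse1Battery!Staple",
               "Pa55 word with spaces & ~!@#$%^&*()", "Tab\tInside1A"]:
        print(repr(pw), "->", policy_violations(pw) or "OK")
    a, b = "CorrectHorse1Battery!Staple", "CorrectHorse1Battery!Other"
    print("truncated at 20 collide:",
          truncated_for_storage(a, 20) == truncated_for_storage(b, 20))
```

The validator deliberately has no blocklist of characters: the indicator asks that all reasonable characters be accepted, and rejecting anything beyond control characters tends to break password managers, which is the next indicator in the table.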
― Criteria: A product that has an authentication system resists attempts to break it. ―

| Indicator | Component | Smart Baby Monitor | Final Results |
|---|---|---|---|
| The product allows users to be notified via an out-of-band medium when account security settings are changed. | Handset | The baby monitor handset does not have an authentication system or notification mechanism. | NA |
| | Android app | The baby monitor Android app does not offer any out-of-band notification, such as email or text message, to alert users of changes to security settings. | ❌ |
| To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it. | Handset | The baby monitor handset does not have an authentication mechanism. | NA |
| | Android app (logged in) | When a user is logged in to the baby monitor Android app, they are required to enter the old password in order to change the password. | ✔️ |
| | Android app (not logged in) | When a user is not logged in to the baby monitor Android app, they are required to have access to the email address associated with the account in order to change the password. | ✔️ |
| The product notifies users when account security settings have changed. | Handset | The baby monitor handset does not have an authentication system. | NA |
| | Android app | The baby monitor Android app does not notify users when account security settings have changed. | ❌ |
| If the product has an authentication system, it also has a system to prevent brute-force/dictionary attacks. | Handset | The baby monitor handset does not have an authentication system. | |
| | Android app | After 15 failed login attempts, the baby monitor Android app did not limit logins in any way, including by common methods such as enforcing a timeout or locking the account. | |
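The brute-force indicator looks for exactly the control the app lacked: some reaction to repeated failures, whether a timeout or a lockout. The following is an added example, not the baby monitor app's code, of a per-account throttle that locks after a fixed number of consecutive failures, doubles the lock on each further failure up to a cap, and refuses a locked account before the password is even checked, so the attacker gets no oracle while locked. `run_guesses` replays a guess list against it, mirroring the 15-attempt test in the table. The class and function names, the thresholds, the injectable `FakeClock`, and the single sample user record (a constructed PBKDF2 hash) are all assumptions made for this example.

```python
"""Failed-login throttle of the kind the last indicator looks for.

Added example, not the baby monitor app's code: the evaluated app accepted 15
wrong passwords in a row with no delay or lockout. This one locks an account
after MAX_ATTEMPTS consecutive failures and doubles the lock on each further
failure. All names, thresholds and the sample user record are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # consecutive failures before the first lock
BASE_LOCK_SECONDS = 30    # first lock; doubles per further failure
MAX_LOCK_SECONDS = 3600   # cap so the lock cannot become a permanent denial of service


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account lockout. `clock` is injectable so tests can advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts: dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state(user).locked_until

    def seconds_until_unlock(self, user: str) -> float:
        return max(0.0, self._state(user).locked_until - self._clock())

    def record_failure(self, user: str) -> None:
        st = self._state(user)
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            extra = st.failures - MAX_ATTEMPTS   # 0 on the first lock
            lock = min(BASE_LOCK_SECONDS * 2 ** extra, MAX_LOCK_SECONDS)
            st.locked_until = self._clock() + lock

    def record_success(self, user: str) -> None:
        self._accounts.pop(user, None)   # a successful login clears the counter


# Constructed sample credential store: PBKDF2 hash, compared in constant time.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"example-salt-not-for-production"
USERS = {"parent@example.com": (_SALT, _hash("CorrectHorse1Battery", _SALT))}


def verify_password(user: str, password: str) -> bool:
    salt, stored = USERS.get(user, (_SALT, b""))
    return hmac.compare_digest(_hash(password, salt), stored)


def attempt_login(throttle: LoginThrottle, user: str, password: str) -> str:
    """'locked' is returned before the password is checked, so a locked account
    gives an attacker no oracle; otherwise 'ok' or 'bad_password'."""
    if throttle.is_locked(user):
        return "locked"
    if verify_password(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "bad_password"


def run_guesses(throttle: LoginThrottle, user: str, guesses: list[str]) -> dict[str, int]:
    """Replay a guess list and count outcomes; mirrors the 15-attempt test above."""
    counts = {"ok": 0, "bad_password": 0, "locked": 0}
    for guess in guesses:
        counts[attempt_login(throttle, user, guess)] += 1
    return counts


class FakeClock:
    """Deterministic stand-in for time.time() so the lock timing is testable."""
    def __init__(self, now: float = 1_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock, user = FakeClock(), "parent@example.com"
    throttle = LoginThrottle(clock)
    print(run_guesses(throttle, user, [f"guess{i}" for i in range(15)]))
    clock.now += throttle.seconds_until_unlock(user) + 1
    print(attempt_login(throttle, user, "CorrectHorse1Battery"))
```

With the thresholds above, the 15-guess replay from the table evaluates only five passwords; the other ten are refused as locked. The state here is in-process, which is enough to show the logic; a real deployment keeps it in shared storage so that an attacker cannot reset the counter by hitting a different backend instance.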