I agree. Even "bad" 2FA (e.g. SMS) is better than nothing in this case. However, I suspect some would complain about needing to give a telephone number to use their new camera.
I think it would be completely reasonable to bundle one of those Bluetooth-based U2F tokens and to require that to be around when you want to access the camera remotely.
To add new tokens to your account, you would have to place them on top of the camera, or something.
This makes the attack described in the article basically impossible, and lets the camera vendor sell you tokens if you have multiple family members that want to log in. A win-win!
To add new tokens to your account, you would have to place them on top of the camera, or something.
This makes the attack described in the article basically impossible, and lets the camera vendor sell you tokens if you have multiple family members that want to log in. A win-win!