2FA for login community & Roonlabs account

No, it is not. It’s just a good step in the right direction. Hint: you may have the best password in the world, but if the site/company where you use it is keeping that password in the clear in the database, your best password ever is worth nothing security-wise (and believe me, it has happened to some very big software names, Sony PS whatever for example, to name just one, and it’s still happening).

1 Like

For those not aware, this site will check your email address against a database of big name company data breaches. One of my old LinkedIn accounts had been breached, so it is a perfect lesson on why reusing passwords is a bad idea!

https://haveibeenpwned.com/

1 Like

It’s common for many people to find their LinkedIn, Dropbox and Adobe accounts on there along with a load of accounts that have never existed (some kind of account stuffing). As the domain owner you can get the full list for each of your domains which is very useful.

Two of those 3 large companies who lost all their user accounts did so because admins in their companies re-used passwords from the Dropbox breach, and that got hackers into LinkedIn and Adobe, neither of whom used 2FA.

I strongly recommend using 2FA when available, it’s a minor inconvenience compared to the improvement in security.

1 Like

+1 for 2FA, I enable it on every account that has it. Extra security is never a bad thing nowadays!

3 Likes

This is one of the first things that disturbed me after getting the lifetime pass.

Add 2FA; I’ve got it on other pages where I paid less for services than here.

+1

1 Like

I’m reading “+1” posts in this thread. They don’t sway things. If you want to add your vote - click the Vote button at the top of the thread - that’s what counts as a vote…

3 Likes

@Geoff_Coupe , I completely understand your reminder to click the Vote button (which rarely happens).

I have to ask… if members are going to use the Vote button to express their support for an enhancement, and we’re restricted to 5 (6?) total Votes, what number of Votes gets Roon’s attention? Being restricted to 5 total Votes actually keeps me from Voting here. While I agree with the request for 2FA, I have other priorities when it comes to Roon enhancements, and will be removing my Vote. Perhaps some clarification of Roon’s Voting implementation would help (do they ever reset? what interval will they reset? etc…).

Thanks very much.

1 Like

I don’t work for Roon Labs, so I cannot comment. Perhaps @danny would care to respond?

1 Like

Vote added. Now with the introduction of Roon Arc 2FA and the related vulnerabilities should be top 1 priority.

3 Likes

Absolutely!

It may be harsh to call it irresponsible, but promoting a feature on an otherwise superb product that opens up ports in your router without even offering 2FA or similar, seems unwise

I especially don’t think it’s fair on the myriad home users who lack adequate understanding or interest in all matters related to tech security to make their own, informed decisions

2 Likes

Another vote for extra security.

.sjb

2 Likes

Let’s hear from the devs

Why no 2FA on ARC especially, but also in general?

Yeah, it might be a PITA but so’s having script kiddies guddling around on your network

Being able to fully access my library, remotely, and without 2FA is a reeeeeaaaaaaly bad idea.

Please consider adding 2FA to better secure the account.

It uses the same auth infrastructure across Roon Labs. There have already been requests for 2FA within Roon Labs accounts. I think this is a duplicate feature request.

The difference is that now, if your account is compromised, everyone can download your entire library remotely (killing your internet connection). Before Roon Arc this was not possible.

The reason behind the feature doesn’t matter. It’s still a duplicate :slight_smile:

I am in total agreement with you! But the other request has more votes so this should be merged.

1 Like

I mean…imo opening an extra port on your home network is a HUGE concern by itself. I don’t really trust their implementation (and more other “home lab” servers’) before proven secure. It could hugely increase the attack surface and potentially be a gateway for hackers to access the rest of your network.

5 Likes

ARC is a significant security risk because it uses UPnP which provides no mechanism for authenticating port forwarding requests

TBH I always assume security minded types turn off UPnP in their routers on Day 1 anyway

Opening and forwarding ANY port from outside to inside your LAN is a security risk, even if done manually, and so the issue becomes for individuals, is the risk worth the benefit?

Personally, and it is only a personal point of view, I think it is an unnecessary risk as I can listen to 4/5ths or more of the music I want to when out and about simply by using my Tidal/Qobuz subscriptions directly on my phone. As soon as I am able to get inside my home LAN from outside the perimeter router, then someone else is able to also (at least potentially).

2 Likes

I found one workaround: after setting up Roon ARC successfully (e.g. set up the port forwarding and confirm it works as normal), I turn off port forwarding on the router. Yes, Roon Core will complain; however, when I use my VPN to connect back to my network and start Roon ARC on my mobile phone, it still works! In the old version, e.g. v1.8, I’m not able to play but to browse only.

So those who are paranoid can try this method.

Not touching this. Not knocking Roon at all, many many people wanted this and they delivered (as they always do). But no ports are getting opened here, nada. I won’t even allow friends access to Plex (there was a well publicized hack last year). Nothing inside my network gets access from outside :+1: