Authentication

This Document applies to Qb2 produced with the Firmware version v2.0 and later.
Qb2 produced and shipped with an earlier Firmware version have to be updated to minimum Firmware version v2.0 or later. See Advanced section on how to activate authentication.

Access to Blickfeld Qb2 is restricted by default. The web interface & any other interface provided (e.g.gRPC-API) require authentication.

Factory credentials

Each Qb2 receives unique credentials from the factory. The information required for the first operation is printed on the Qb2 label, located at the bottom of the housing.

Figure 1. Example device label containing serial number (S/N) & initial password (PW)

The relevant information in this example is:

Device serial number (S/N), set to ABC123XYZ.
Initial password (PW), set to password1234.

If the Qb2 label is inaccessible or missing see Advanced section for further information.

Initial login

After connecting power and network to the device the web-interface can be accessed. Please take note of the Qb2 default network setting and make sure, the device is obtaining a valid IP-Address in the network.

The web interface of Qb2 is only accessible via a TLS-secured connection (https and port 443). Each Qb2 presents a unique certificate in order to establish the encrypted connection. This certificate is bound to the serial number and is signed by Blickfeld GmbH private certificate authority (CA). Browsers will display an error message (NET::ERR_CERT_AUTHORITY_INVALID) because the issuer of the certificate (Blickfeld GmbH) is not trusted by default.

Click to see how to manually trust the Qb2 certificate

Browser displays NET::ERR_CERT_AUTHORITY_INVALID error message
Click on Advanced.
Click on Proceed to qb2-ABC123XYZ (unsafe).

Although the proceed action is marked as unsafe the resulting connection between the browser and Qb2 is encrypted & authenticated after this manual acknowledgement.

For this example we assume the default network configuration. This means, an address was assigned to the Qb2 via DHCP and it is reachable via the hostname https://qb2-ABC123XYZ.local/ based on the serial number ABC123XYZ found in the factory credentials.

Navigate to the Qb2 hostname in your web-browser
- Hostname / URL: https://qb2-ABC123XYZ.local/
  
  Figure 2. Login screen for qb2-ABC123XYZ
Enter the initial Qb2 factory credentials
- Password: password1234 (can be found in the Factory credentials).
  
  Figure 3. Enter factory device credentials
Click on Sign In to navigate to the Qb2 Dashboard.

Figure 4. Qb2 dashboard after successful login

Your Qb2 is now ready for the first operation.

Next steps

See how to change the network-settings and enable accessing Qb2 via Wifi.
Learn how to configure accessing Qb2 via account settings and user management.

Advanced

If you have trouble following the regular instructions, here are some additional advanced resources.

My Qb2 is running a firmware older than v2.0 and does not prompt for login

The user-authentication feature will only be available starting from firmware version v2.0. If the Qb2 is running an older version please update to the latest available version. You can find ready to use installation-bundles on the Blickfeld Qb2 release page.

You can try to manually enable authentication:

Instead of opening the base-URL of the Qb2 navigate the the full login-URL:
- Hostname / URL: https://qb2-ABC123XYZ.local/cube/login/
Continue with entering credentials as described in the Initial login section

We strongly advise you to always run the latest available firmware on every device. You can find ready-to-install release-bundles on the Blickfeld Qb2 release page.

Having trouble retrieving the factory credentials for the current device?

In addition to the device label the factory credentials can be found in more places.

If information about the Qb2 is unclear or lost please contact Blickfeld Customer Service.

The serial number can be found as part of the packaging label on the shipment box.

Figure 5. Serial number (S/N) and QR-code on packaging label
The QR-code contains the serial number and the initial admin password. The information is stored as text.

Figure 6. QR-code containing serial number and initial password (S/N:PW)

Most camera-apps on mobile devices only show hyperlinks (URL) or contacts (vCard) by default. To read the QR-code please find an App which supports decoding plain text from QR-codes.

The device URL containing the serial number (e.g. https://qb2-ABC123XYZ.local/) is not accessible

If allowed, Qb2 announces its presence via Multicast DNS (mDNS). mDNS needs to be supported by the network-configuration and your local operating system. By attaching the .local suffix to the URL we can force the browser to also try finding Qb2 through the mDNS-table cached by the local operating system.

Depending on your network’s DHCP- and DNS-configuration the hostname might not be announced. Clients (e.g. your browser) will then fail to resolve the underlying IP-address of the Qb2.

Here are things to try in this situation:

Replace the hostname with an IP-address
- Find the IP-address of the Qb2 from the network routing-table or using the arp and ping command (e.g. finding 192.168.1.42)
- In the Qb2 URL replace qb2-ABC123XYZ.local with the Qb2 IP-address 192.168.1.42
- In your browser navigate to https://192.168.1.42/
- Continue with step 2 of the initial login.
When accessing Qb2 via the Fallback-IP
- In the Qb2 URL replace qb2-ABC123XYZ.local with the Fallback-IP 192.168.26.26
- In your browser navigate to https://192.168.26.26/
- Continue with step 2 of the initial login.

How does authentication for Qb2 work and what features are available?

Authentication allows a curated access to data produced by Qb2. Different access levels ensure that sensitive data is never shown to unauthorized audiences. All features and technical details are described in account settings and user management.