Authentication

This Document applies to Qb devices produced with the Firmware version v2.0 and later.
Qb devices produced and shipped with an earlier Firmware version have to be updated to minimum Firmware version v2.0 or later. See Advanced section on how to activate authentication.

Access to Blickfeld Qb2 is restricted by default. The web interface & any other interface provided (e.g.gRPC-API) require authentication.

Factory credentials

Each Qb device receives unique credentials from the factory. The information required for the first operation is printed on the Qb label, located at the bottom of the housing.

Figure 1. Example device label containing serial number (S/N) & initial password (PW)

The relevant information in this example is:

Device serial number (S/N), set to ABC123XYZ.
Initial password (PW), set to password1234.

If the Qb device label is inaccessible or missing see Advanced section for further information.

Initial login

After connecting power and network to the device the web-interface can be accessed. Please take note of the default network setting and make sure, the device is obtaining a valid IP-Address in the network.

The web interface of the Qb device is only accessible via a TLS-secured connection (https and port 443). Each Qb device presents a unique certificate in order to establish the encrypted connection. This certificate is bound to the serial number and is signed by Blickfeld GmbH private certificate authority (CA). Browsers will display an error message (NET::ERR_CERT_AUTHORITY_INVALID) because the issuer of the certificate (Blickfeld GmbH) is not trusted by default.

Click to see how to manually trust the Qb device certificate

Browser displays NET::ERR_CERT_AUTHORITY_INVALID error message
Click on Advanced.
Click on Proceed to qb2-ABC123XYZ (unsafe).

Although the proceed action is marked as unsafe the resulting connection between the browser and Qb device is encrypted & authenticated after this manual acknowledgement.

For this example we assume the default network configuration. This means, an address was assigned to the Qb device via DHCP and it is reachable via the hostname https://qb2-ABC123XYZ.local/ based on the serial number ABC123XYZ found in the factory credentials.

Navigate to the Qb device hostname in your web-browser
- Hostname / URL: https://qb2-ABC123XYZ.local/
  
  Figure 2. Login screen for qb2-ABC123XYZ
Enter the initial Qb device factory credentials
- Password: password1234 (can be found in the Factory credentials).
  
  Figure 3. Enter factory device credentials
Click on Sign In to navigate to the Qb device dashboard.

Figure 4. Qb device dashboard after successful login

Your Qb device is now ready for the first operation.

Next steps

See how to change the network-settings and enable accessing Qb devices via Wifi.
Learn how to configure accessing Qb device via account settings and user management.

Advanced

If you have trouble following the regular instructions, here are some additional advanced resources.

My Qb device is running a firmware older than v2.0 and does not prompt for login

The user-authentication feature will only be available starting from firmware version v2.0. If the Qb device is running an older version please update to the latest available version. You can find ready to use installation-bundles on the Blickfeld Qb2 release page.

You can try to manually enable authentication:

Instead of opening the base-URL of the Qb device, navigate the the full login-URL:
- Hostname / URL: https://qb2-ABC123XYZ.local/cube/login/
Continue with entering credentials as described in the Initial login section

We strongly advise you to always run the latest available firmware on every device. You can find ready-to-install release-bundles on the Blickfeld Qb2 release page.

Having trouble retrieving the factory credentials for the current device?

In addition to the device label the factory credentials can be found in more places.

If information about the Qb device is unclear or lost, please contact Blickfeld Customer Service.

The serial number can be found as part of the packaging label on the shipment box.

Figure 5. Serial number (S/N) and QR-code on packaging label
The QR-code contains the serial number and the initial admin password. The information is stored as text.

Figure 6. QR-code containing serial number and initial password (S/N:PW)

Most camera-apps on mobile devices only show hyperlinks (URL) or contacts (vCard) by default. To read the QR-code please find an App which supports decoding plain text from QR-codes.

The device URL containing the serial number (e.g. https://qb2-ABC123XYZ.local/) is not accessible

If allowed, the Qb device announces its presence via Multicast DNS (mDNS). mDNS needs to be supported by the network-configuration and your local operating system. By attaching the .local suffix to the URL we can force the browser to also try finding Qb devices through the mDNS-table cached by the local operating system.

Depending on your network’s DHCP- and DNS-configuration the hostname might not be announced. Clients (e.g. your browser) will then fail to resolve the underlying IP-address of the Qb device.

Here are things to try in this situation:

Replace the hostname with an IP-address
- Find the IP-address of the Qb device from the network routing-table or using the arp and ping command (e.g. finding 192.168.1.42)
- In the Qb device URL replace qb2-ABC123XYZ.local with the Qb device IP-address 192.168.1.42
- In your browser navigate to https://192.168.1.42/
- Continue with step 2 of the initial login.
When accessing Qb device via the Fallback-IP
- In the Qb device URL replace qb2-ABC123XYZ.local with the Fallback-IP 192.168.26.26
- In your browser navigate to https://192.168.26.26/
- Continue with step 2 of the initial login.

How does authentication for Qb devices work and what features are available?

Authentication allows a curated access to data produced by Qb device. Different access levels ensure that sensitive data is never shown to unauthorized audiences. All features and technical details are described in account settings and user management.