Profile S Deprecation Q&A

When will support for Profile S end?
Support for ONVIF Profile S will end on March 31, 2027. After March 31, 2027, it will not be possible for manufacturers to submit new products, or older products with new firmware/software versions, for Profile S conformance.

Why is Profile S being deprecated?
Profile S mandates the use of username token authentication. Due to the evolving nature of the cybersecurity threat landscape, the authentication method is no longer consistent with current cybersecurity recommendations.

Can end users still use Profile S even though Profile S is deprecated?
Yes, you can still use Profile S for basic video streaming between Profile S conformant devices and client, but for security reasons, ONVIF strongly encourages customers to discontinue the use of the username token authentication method and choose instead more secure authentication mechanisms like digest authentication supported in Profile T or through TLS (HTTPS mode).

What level of risk is there in continuing the use of the username token authentication?
The username token authentication is regarded as too weak today to protect against unauthorized access to devices. If it is not possible to discontinue its use, end users should consult their IT and cybersecurity teams for ways to enhance safeguards to the system.

As an end user, what happens to my Profile S conformant products?
As long as a device or client with a specific software or firmware version is registered as having Profile S conformance, it will remain conformant until the manufacturer decides to withdraw the Declaration of Conformance. Existing Profile S conformant products will remain interoperable with other Profile S conformant products regardless of whether a Declaration of Conformance is withdrawn by the manufacturer.

Will Profile S integrations continue to work?
ONVIF does not require the removal of any existing ONVIF implementations in products, so it will depend on the decisions made by individual device and client vendors. If ONVIF member vendors choose to remove the ability to use the username token authentication method in newer firmware/software versions for existing products, the products will no longer be Profile S conformant and this can affect interoperability for systems that rely on the use of the username token authentication mechanism. These decisions are subject to the discretion of the individual ONVIF member company.

Why can’t Profile S be updated to address the vulnerability?
To ensure interoperability of conformant products indefinitely (backward compatibility), the ONVIF Profile Policy does not allow modifications to be made to a profile’s specifications. Enforcing a new mechanism would break interoperability between new and legacy conformant products.

What will replace Profile S?
Profile T is a replacement for Profile S since Profile T contains virtually all the features of Profile S.

What are the features in Profile S that are not covered in Profile T?
The following supports in Profile S are not covered in Profile T:
– Username token authentication
– IP address filtering
– Motion JPEG (MJPEG) and MPEG4
The above features may still be natively supported by a product, but they are not covered under ONVIF Profile T.

What are the additional key features that Profile T provides and why are they advantageous over Profile S?
Profile T supports the following:
– Digest authentication, which provides better security than username token authentication
– H.264/H.265 for more modern and efficient video encoding
– RTSP and HTTPS (if there is native support) for more secure communications
– Imaging configurations for optimizing video quality
– Motion alarm and tampering events to enable automatic detection and response to events
– Audio output streaming (if there is native support) to enable audio response over a loudspeaker
– PTZ control made mandatory for clients for assured support for PTZ cameras
– Metadata streaming (mandatory for devices, conditional for clients) to deliver metadata for other uses such as event management
For a comparison, see the ONVIF Profile Feature Overview.

What cybersecurity best practices does ONVIF recommend for IP-based physical security products?
ONVIF recommends following local regulations, industry best practices, and staying on top of updates from the marketplace. ONVIF has outlined a general, non-exhaustive set of recommendations for best practices within cybersecurity. The recommendations should not be considered as the only source or guideline to combat cybersecurity threats. In addition to the recommendations, ONVIF supports TLS (Transport Layer Security), a secure communication protocol that allows ONVIF devices with that feature to communicate with clients across a network in a way that protects against tampering and eavesdropping.

ONVIF has also specified the ONVIF Default Access Policy (Ref. ONVIF Core Specification – 5.9.2.4 Default Access Policy), which provides an acceptable level of security in many systems. This policy specifies that there should be different access classes to services based on different user roles (Administrator, Operator, Usehttps://members.onvif.orgr).

Member manufacturers with questions should visit the Member Portal.

ONVIF
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies (placed on your device) to improve website performance, to follow navigation, and for analytical purposes. For more information about this website's cookies and how to disable cookies used on this website, see our Privacy Policy. By clicking “I agree” you agree to our use of cookies and similar technologies.