topic Re: Mandatory Two-Step Authentication (Verification) a Bad Idea in Arlo

Mandatory Two-Step Authentication (Verification) a Bad Idea

ChrisKay — Sat, 07 Mar 2020 14:51:28 GMT

Making this mandatory is an exceedingly bad idea since it will slow down authentication and when it breaks—and it occasionally will—it will prevent access completely. At least give the end-user the option of deciding how much protection to require for the account.

Two-step verification

Retired_Member — Sat, 07 Mar 2020 16:51:14 GMT

As suggested in the recent email, I set up two-step verification on my Android phone. But every time I log in from my desktop and laptop, I have to go through the authorization. There is no way to make them trusted devices. I cannot understand why this is so difficult. I will be turning off the two-step until this is resolved.

Instead of implementing a poorly executed security method, it's time to get rid of Flash in the browser!

Re: Two-step verification

TomMac — Sat, 07 Mar 2020 18:55:55 GMT

Having issues too with SMS, but email works.

But every time , come on!

But, to be honest, I'm not going to use email every time I access via the web... it's a pain ( since I do 80% of access via web )

two step verificaton

ksss11 — Sat, 07 Mar 2020 21:30:17 GMT

I just read the email about the 2step verification and did it.

Does anyone know if I am going to have to do this EVERYTIME we sign in? Seems like it will be a BIG time waster when you need to get on in a hurry. Our phones are not conjoined to our bodies like most people these days and seems like this is going to be an unnecessary hurdle to jump when we need to go 'live" quickly.

2FA needs additional options for Arlo to remain accessible to me and others.

SJohannsen — Sat, 07 Mar 2020 22:39:43 GMT

While 2FA is a worthwhile addition, the current implementation, once required, will make Arlo useless at work for me. Ring has already made it mandatory, and has ruined Ring for me. Here's why.

You can have a code sent via text. I work on a secure enclave and cannot have my cell phone in the building at all, so this is not an option.

You can have a code sent to your registered e-mail. This is of course my personal e-mail, and this is blocked at work for security reasons. I cannot access my personal e-mail. (keeps people from clicking bad links in their e-mail. Work e-mail is highly filtered)

So, I will no longer be able to access Arlo at all from work.

There are options that could be implemented. 1) offer to use a different verified phone number, but the code would have to be delivered via voice. Synthesized is fine. 2) Allow additional e-mail addresses to be entered and selected. This would not let me enter any e-mail, just select from 1 or 2 that were pre-vetted. Some systems even ask for the e-mail and then compare it to any on file. If it matches one the code is sent there.

Without one of these additional options, when 2FA becomes mandatory, Arlo will be useless to me for the majority of the day.

I can tell you I am not unique in not being able to have a cell phone, or access personal e-mail at work.

Re: Two-step verification

Kevin_In_Ky — Sun, 08 Mar 2020 04:01:04 GMT

Clearly they have rolled this out before its been fully baked. I too get prompted to verify two step verification every time. Its not saving my device. Please fix this before you force everyone to 2 step. I want to use it, but will turn it on after you have fixed the defect.

Two-step verification

Schemer — Sun, 08 Mar 2020 13:03:06 GMT

Two-step verification is a great security measure for many applications, but will be very problematic for some Arlo users like myself. Unless you can set the verification up so that more than one device receives the code, this will not work for many people. Most households have more than one person in them who need awareness when a device detects movement. Same-account users in different places at the same time need to all be able to see the code, or this will not work. Not a great solution for this tech unless you can set the account up to send the verification code to more than one device.

Re: Two-step verification

TomMac — Sun, 08 Mar 2020 13:17:00 GMT

Several threads on this, here's one;

https://community.arlo.com/t5/Community-Feedback/Two-step-verification/m-p/1760890#M4454

Re: two step verificaton

storgeman — Sun, 08 Mar 2020 16:34:13 GMT

Yes this is a waste of time. For example on my PC, I have to login TWICE to get get logged in once. Why, Arlo still requires the use of Flash player, which all modern day browsers require permissions to use Flash Player. That means I log in select permission to use Flash Player, I get logged out immediately and have to log in again to actually start a live recording. Now with 2step verification, I will have to receive 2 authorization codes before I can get logged in.

Sad state.

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

StephenB — Sun, 08 Mar 2020 20:58:19 GMT

@ChrisKay wrote:

Making this mandatory is an exceedingly bad idea

I agree, and I hope they reconsider.

Re: Two-step verification

StephenB — Sun, 08 Mar 2020 21:22:28 GMT

I think mandatory 2FA is a mistake (even if they actually get it to work properly).

Re: two step verificaton

ksss11 — Sun, 08 Mar 2020 21:28:49 GMT

yes this is not user friendly anymore. My bank and some other sites automatically register this device just once and I do not have to do this.

Re: two step verificaton

Puterwade — Mon, 09 Mar 2020 12:09:21 GMT

I agree. When on my iMac, and want to see a camera quickly, this 2 step stinks. On my iPhone, I can use face recognition but not on the iMac. I don't like this.

Re: Two-step verification

Chris53 — Mon, 09 Mar 2020 12:40:35 GMT

I had to disable 2 step because Arlo required using every time. I will be replacing Arlo with Simply Safe if this problem is not fixed by the time the roll out at the end of the year.

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

jimmccabe — Tue, 10 Mar 2020 16:33:39 GMT

I agree strongly. I'm a huge fan of 2FA but am really disappointed by the Arlo implementation. I was excited to enable it this morning but turned it off after 30 minutes or so because it is really flawed.

Everyone seems to be in agreement that the main flaw is that the web-based login requires you to re-authenticate every single time. That's a nuisance because the sessions are so short-lived. For example this morning I logged in, left the tab for a little while (roughly 15-20 minutes) and the session was already expired. The solution is to identify the device (app, browser, etc) as "trusted" for some period like 30 days.
It's also problematic that the primary 2FA approach is SMS, since that's known to be easier to hack than other approaches (like Authy / Google Authenticator / etc).

If Arlo keeps makes 2FA mandatory without fixing these problems, I will definitely consider replacing our Arlo cameras with more Simplisafe cameras (we have a mix of both).

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

MichaelUrs — Tue, 10 Mar 2020 18:06:46 GMT

Please:

Let the users decide, if they want to have 2FA or not. In addition to the arguments listed already in the messages before, I have integrated my Arlo Cams and Lights into my Home Automation system by making Web calls against the Arlo API. I know that this is a use case which might not be officially supported, however it is working great and it is one of my reasons to use Arlo and not another cam. Certainly a mandatory 2FA will break that integration as I cannot log in unattended. Maybe, some kind of application password might solve that issue (as it is normaly done with other providers using 2FA, like e.g. Google etc.)

The other reason is that it is time intensive if you need to put in your second factor every time you login. And you always need to be able to receive the second factor so what you are doing if you want to login from a remote computer without having access to your smartphone?

It really would be a bad idea to force users to use 2FA, so PLEASE re-think your decision again!

Thanks!

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

JohnV81 — Wed, 11 Mar 2020 00:55:24 GMT

2FA is a good idea as we need to be secure. However, most systems that require 2FA also have a way to get a device (or app) specific passcode that can be entered and used without having to re - enter it every time.

Please add this functionality before this is mandatory.

Re: Mandatory Two-Step Authentication

BP2 — Wed, 11 Mar 2020 18:24:26 GMT

Mandatory 2FA is a bad idea. Here's why;

I have a growing wireless camera business. When time matters, 2FA hinders a response. For example, when viewing an active situation of any kind (fire, water damage, etc.) or equipment failures (HVAC, chillers, boilers, etc); taking time to execute 2FA will delay and possibly inhibit a response. Business clients prefer simplicity over two-step verification; They want live video that's easy to access. Mandatory 2FA is not that. As such, we would drop Arlo because of this.

Further, I don't see a need for simpler use cases.. a simple construction site or animals in the wild (Arlo Go website). We should have the option; but a blanket requirement puts undue hardship on users. If you purchase a house, your not required to install 5 locks on your front door. It's your house, you secure it how you want. Same applies for cameras and portals purchased from Arlo.

I have demand for many Arlo cameras. In the end, I'll have to switch to another solution; turning down all Arlo wireless devices and LTE coverage tied with it, and request refunds as this isn't what was originally promoted.

Arlo is a broad spectrum and multi-use. This would put financial hardship on my business. Please reconsider mandatory 2FA.

Thanks.

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

k_glasik — Sat, 14 Mar 2020 16:23:03 GMT

I agree mandating 2FA is a bad idea. 2FA is generally good and Arlo can implement it BUT I believe accounts should have the ability to turn it off or Arlo should support 'app passwords' like Google and most other 2FA providers do. If this becomes mandatory my family will lose much of the benefit of Arlo's flexibility.

If this gets implemented I will need to cancel my Arlo smart subscription.

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

friuliveneto — Mon, 16 Mar 2020 18:55:59 GMT

"Bad Idea" is an understatement. With the Flash run around it takes me a couple of minutes to check a camera. I try to log in, but have to authorize Flash *each* *time* and that makes it so that my session expires and I have log in again and wait for an authorization code again. What a mistake.