Arlo|Smart Home Security|Wireless HD Security Cameras
× Urgent: Activate Two-Step Verification
Arlo requires all users to activate two-step verification to continue to access your recordings, devices, and account.
Please enable this feature now. Learn More.

2nd factor Authenication added to the login process

Hello,

 

I tried to search for this idea, but didn't see anything.

 

I would like to see 2nd factor authenication options added to the login process.

 

Thanks

Comments
fax_
Tutor
+1 for 2FA, very surprising this is not yet available considering that nowadays an unintentional failure from Netgear or the user side is always around the corner.

Ok team, It's time to take security more seriously. We need a multi-factor authentication software update. I am seriously considering shutting off my $1,400 investment in Arlo equipment if this does not get resolved.

Frbg
Fledgling

Hey thanks4thefish,

 

Unfortunatly, they dont care, you spent your money, they ignored our pleas to add 2fa which the most basic form of security and here we are.

 

They have shown the are only interested in selling the units and what happens after that they dont care.

 

The only way they are going to do anything about this is if enough media cover the fact the arlo accounts are breached as it might affect sales, MAYBE then they will do something.

Jetski44
Tutor

Well it’s hapoened... NetGear suspects a hack so chances are they have been hacked 

 

Had they deployed MFA over a year ago the post ARLO sent telling us to change our passwords would not be as significant concern as it it now 

 

 

Ndxc
Novice
Based on the message from netgear this morning, they and our accounts have clearly been compromised. It's long overdue that netgear adds in multifactor authentication. Passwords are not enough protection especially for a security product. Please ignore the vote count and just add this feature!! Everyone, please vote so we can have our accounts protected properly!
oceanfish
Novice

This is an absolute must. Implementing multifactor authentication greatly improve the security of using wifi baby monitors. Additionally, our accounts should see allow devices who are authenticated with the camera.

arloMassachuset
Fledgling

Agreed. We've been patient. 
Let's continue to love our Arlos and feel safe. 

Two Factor Authentication ASAP  and then please... 

Authorize Tokens (Authorize Apps, Computers, IP Addresses)
Log of  Logins  w/ Machine Names

Devs please : Drop in a solution like https://authy.com/ now and then do all the home-brewing you want later. 

Devan
Tutor

I would also like a history of logins with phone imei and ip. It should also show failed login attempts.

GoalSecurity
Tutor

I agree on adding the option of using 2FA, there's no reason for a security product to not be completely secure, other than the company doesn't feel it has resources to impliment it. In other words, that level of security isn't important vs. other development.

Along those lines, it's hard to feel confident about a company that still requires using Adobe Flash to use their web interface. If they still haven't dedicated resources to coding an HTML5 solution to replace Flash, what other security issues we can't see are not being addressed adequately? Another sign that security is taking a backseat?

Now there's a very unclear security warning from this company. IMO, the warning infers that hackers are attempting to log in using passwords obtained from another website. If this is the case, I assume there has been a spike in login attempts that mostly fail, and that anyone who uses unique passwords on every website is completely safe. However, the company isn't making this clear at all, which leaves us very much in the dark. The lack of info, along with the overall recommendation that "all" users change their passwords "immediately" is a bit worrisome, IMO.

"At this stage, we have no reason to believe our own systems have been impacted." This statement seems a bit watered down, in terms of confidence. And what does "impacted" even mean? Could user login credentials have been stolen, but the company still can frame it as if their system wasn't "impacted"? Is the company issuing assurances that all passwords are stored safely, never in plain text, etc.? If the company is seeing tons of failed login attempts, it seems like they would issue a stronger statement about confidence that their systems have not been breached.

I hope I'm being paranoid, and that soon it's clear that the company wasn't breached, and that they do store user's credentials in a safe manner. But so far, I think anyone paying attention would not have reason to have confidence. “We take the privacy and security of your account and personal information very seriously” -so why still Flash and why no 2FA?

Rugbychix
Tutor

There's only really two possiblities regarding the "breach,"

Arlo's private API for partners doesn't enforce some flavor of oauth and is actually storing user name and password. One of those partners had security breach and the passwords leaked.


Someone offering a non-official Arlo integration, using non-official APIs, which requires user name and passwords, had a security breach.

In either case these are both unacceptable in 2018 and before we talk MFA or anything else, they need to go back and cleanup the API/Auth situation.