Arlo|Smart Home Security|Wireless HD Security Cameras

2nd factor Authentication added to the login process

Hello,

 

I tried to search for this idea, but didn't see anything.

 

I would like to see 2nd factor authentication options added to the login process.

 

Thanks

Comments

Couple of things I'd like to see addressed:

 

  • No ability for users to change the login (email address used for signup) themselves
  • No access to logs to determine if an outside source (different IP) has signed into the system.  Gmail has a good example, found in the lower right corner, including a msg highlighted in yellow when an unusual IP is in the log
  • Two factor authentication for accessing an account - HTTPS and a limit of 5 logins per time period are not enough
Novice

It's very common these days for hackers to crack passwords. My email account was recently hacked, and I had a strong password. Enabling 2-step verification solved the problem now and forever.

 

Will Arlo's website be upgraded to add 2-step verification? Without that feature, what prevents a hacker from signing in and accessing my cameras?

 

A "security" system without 2-step verification is insecure. Thoughts?

 

Thanks,

Dennis

Community Manager

DK_WA,

 

I have relocated this topic to the Arlo Idea Exchange.

 

Thank you for your contribution,

JamesC

Novice

I agree with this customer. Please provide Two Factor authentication for accessing an account. Passwords are too easy to hack with keyloggers and the likes nowadays.

 

Also a report of the IP addresses accessing an account would also be much appreciated. Even Netflix provides this.

 

Thank you.

Fledgling

I agree on the two factor authentication (2FA) suggestion above.  Below is an excerpt from a discussion thread I had with their support.  They asked that I post this in the community.

 

Firstly, they responded to my request for 2FA with the following:

"at the moment the Arlo system is designed to maintain the highest level of security to keep your videos private and secure in the cloud by using AES encryption. AES encryption protects your information. This is the same encryption method that financial institutions use to safeguard user data. AES-128 bit encryption and Transport Layer Security (TLS) ensure that your Arlo camera videos are secure to and from the Arlo camera and base station."

 

 

I responded to their support with the following:

"I know well what transport layer security (TLS) is. If you check Qualys SSL Labs for your domain you'll find Arlo only gets a B rating for TLS security as opposed to an A (or A+) rating. https://www.ssllabs.com/ssltest/analyze.html?d=arlo.netgear.com . You should really pass this on to your security team so they can further harden your services. Most importantly, transport layer security (TLS) doesn't offer the same protections (i.e., it doesn't solve the same problem) that two factor authentication (2FA) does. Also, data encryption at rest is fantastic, and I'm happy to hear that Arlo uses encryption of the data at rest, but encryption at rest also doesn't solve the problem of someone logging into the web portal with my username/password and viewing my videos. 2FA offers better protection against someone getting MY password and logging in with it and snooping on me and my family. With 2FA support, in addition to my password, the would-be-attacker would need a code (that would reside with me on my phone or other device, e.g., using Google Auth) that would need to be entered in addition to my password - and MAY offer me the ability to remember and trust the device I am logging in with for a period of time. 2FA is really a must when it comes to showing you take security seriously. Please do confirm whether or not this is on your roadmap. If it's not, please do pass this on as a product improvement suggestion to your team!"

 

The phone APP should take an APP ID in the 2FA setup so that it's always authorised (or you should let the 2FA be bypassed if the user chooses to use the biometric auth on the phone)

 

As the second person who responded said, I think an alert on new IPs/devices/browsers that have connected to the service is also worthwhile sending (I believe Facebook and Apple do this) as it helps legitimate users be alerted to their account being somehow compromised.

 

I also support the ability to change your email address associated with the account.

 

Thank you!

Novice

I guess there is still no 2 factor authentication for logging in to the online My Arlo portal. I have already started evaluating different products that provide a more secure solution. Anyone can hack a password nowadays. It is disappointing that Arlo has left such a big hole in their security unplugged.

Fledgling

I just asked again to support to add 2FA because I cannot imagine sensible data like your video streams be only protected by a password.

Has this been implemented yet?

 

I bought the security system because I suspect I have a hacker. If they are just able to get into the account and delete without me having the ability to undelete what was there then how is this going to help me?

 

Can a permanent storage also be implemented for the 7 day period so it can be seen by the account owner? This is where the deleted files would be kept. I thought this was the 7 day period when I picked up Arlo too (nothing is lost for 7 days).

 

Due to circumstances, if these items are not upgraded within the next 5 business days I will be returning them to Best Buy so that I can get security somewhere else. Please let me know.

 

I am really happy with the Arlo's picture quality and motion detector. I just thought I picked up a security system.

Novice

Hello,

 

Strange to see it's not available from a vendor like NETGEAR and for a product that deals with SECURITY 😞

Community Manager

The Arlo development team routinely reviews posts in the Arlo Idea Exchange to assess which features the community would like to see implemented. We greatly appreciate the community's contribution and will keep the status of this idea updated as we get new information on its potential implementation. Thank you for posting your idea!

 

Thank you,

JamesC