Arlo|Smart Home Security|Wireless HD Security Cameras

Lack of support for 2FA other than email and SMS. Support for OTP authentication apps and devices.

Why does Arlo only allow text message based 2FA? Why can't we use a proper authenticator app like Google Authenticator?

Comments
JessicaP
Arlo Employee Retired

Hey Right_Mreow,

 

When we designed two step verification, we optimized for the three methods that would be most familiar, but also most secure, for our users: SMS text message, email, and another trusted device that is already logged into the user’s Arlo account. SMS text message is not required for Arlo two step verification; a user can opt to authenticate a new login or device via a currently trusted device.

 

However, this is a great feature idea that we’ll be discussing with our development teams! I'll move your post to the Idea Exchange board. The Arlo development team routinely reviews posts in the Arlo Idea Exchange to assess which features the community would like to see implemented. We greatly appreciate the community’s contribution and will keep the status of this idea updated as we get new information on its potential implementation.

dgoepp
Initiate

Like everyone, I got the enable 2FA email recently, and was glad to get it. I enable 2FA on any service that supports it. What I was disappointed in was the lack of support for an option other than email and SMS. Very lame. Both those methods have been demonstrated to be easily bypassed. I only trust apps that do OTP. This is a lazy implementation, and far behind the times. Get it together Arlo...enable true 2FA with support for OTP authentication apps and devices. I guess better than nothing, but still disappointing.

DaveMays
Novice

Agree. The OTP implementation in a mobile application is trivially easy, and would cost Arlo less than having to sent SMS messages.

SMS message 2FA has been proven insecure

Push notification 2FA also has weaknesses

OTP would be far preferable.

Retired_Member
Not applicable

This is not true.

I just tried to enable 2FA and it asks for a phone number.

There is no way to proceed without providing a phone number.

 

That means that from the next year I will have to provide you with my phone number, to use my cam.

If not, I won't be able to use my camera, that I have purchased.

You basically want to change a purchase contract, after it has been agreed.

You cannot do that legally (at least not in EU).

JessicaP
Arlo Employee Retired

Hi dziad,

 

You shouldn't need to enter your phone number when setting up two-step verification. You can read more about it here: What is two-step verification and how do I set it up?

E1H
Fledgling
Fledgling

2fa with ONLY SMS  is, well, poor at the best and very very bad at the worst

according to NIST in July2015 sending SMS OTP is insecure "Due to the risk that SMS messages or voice calls may be intercepted or redirected" and "Out-of-band authentication using [SMS or voice] is deprecated, and is being considered for removal in future editions of this guideline".

 

According to GRC.com Steve Gibson  in 2018  episode 675 when reddit had issues with their 2FA "we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."

 

According to CNET Apr 8, 2020 "Hackers have been able to trick carriers into porting a phone number to a new device in a move called a SIM swap. It could be as easy as knowing your phone number and the last four digits of your Social Security number, data that tends to get leaked from time to time from banks and large corporations." 

 

Instead why not use Authy or Google Authenticator, or Microsoft Authenticator or any other token generator that we know works?

 

if this continues and we MUST use an 2FA ( which I generally like ) can we not get the option for one of the above mentioned TOTP apps? Otherwise I'll have to junk these cameras and use something else.

 

X181
Fledgling

Hi

I get notifications for setting up a two factor autentication until the end of the year. The only available option is SMS. Are you serious about that? Until when are you supporting state of the art two factor authentication like Universal 2nd Factor (U2F) https://en.wikipedia.org/wiki/U2F?

SMS is not working in areas where there is no mobile network. It's also not working if you are not allowed to use your mobile phone, but still have access to the internet. SMS has also not the same level of security. With SMS you have also not the possibility to setup a backup device in case the primary device gets stolen or is lost or damaged.

Best

 

FerLon41
Aspirant

PLEASE. DO NOT DO IT !!!!!!!

I had already a very bad experience with my banks. The code is supposed to arrive with a SMS. Unfortunately often or almost every time the SMS arrives too late (TIME OUT).

If NETGEAR decides anyhow to adopt it it should be on a voluntary basis. That is, the responsability is left to the user who decides if he wants or not to accept the risk.

BlueHorse
Guide

I log in and out of my Arlo Pro app up to 20 or so times most days. If being required to enable TFA then forces me to have to go through the TFA process each time that I use the camera application, then I will through away the $100's I have invested in Arlo products and find something else.

 

A better, perhaps, choice would be to enable the application to accept Yubi Key authentication (which is available for iOS and possibly others). Having to insert and go through the authentication process (plug in, prompt, initiated key response, wait for application verification) is bad enough, but still preferable to the "old style TFA" process.

I'd like to see additional MFA options for logging into the account. Currently only SMS is supported. Given the prevalence of authenticator apps, there's little reason not to support their use, particularly given the inherent security concerns around SMS.