Arlo|Smart Home Security|Wireless HD Security Cameras
Arlo Community

2FA + web app and API

Reply
Discussion stats
  • 5 Replies
  • ‎2019-09-04 12:43 PM
  • 2848 Views
  • 0 Likes
  • 3 In Conversation
Locutus73
Apprentice
Apprentice
‎2019-09-04 12:43 PM

Admins closed as resolved/implemented the discussion about the 2 factors authentication, because it's implemented in the iOS/Android app, but what about the web app and the API https://developer.arlo.co ?

I guess most attacks will use those surfaces and not smartphone apps.

Securing half of the system is no security at all.

 

Thank you in advance.

Best regards.

Labels:
0 Likes
Reply
Message 1 of 6
2,848
5 REPLIES 5
JessicaP
Arlo Employee Retired
‎2019-09-04 01:35 PM

Hi Locutus73,

 

The two-step verification works with the web client on your computer as well. You can read more about the two-step verification here: What is two-step verification and how do I set it up?

 

For the link you provided, that is from a training management software company, which is not affiliated or related by us.

0 Likes
Reply
Message 2 of 6
2,835
Locutus73
Apprentice
Apprentice
‎2019-09-04 10:24 PM

@JessicaP Ok, the link (documentation) is from an external company, but the APIs exist (and is yours), can be used (I use them every time for integrations, i.e. changing mode or setting off the siren from HomeKit) and are very nice... but are APIs protected by 2FA (I really don’t know, I’m asking)?

If I was an hacker trying to compromise some account I’d try using API and scripting.

 

Thank you in advance.

Best regards.

0 Likes
Reply
Message 3 of 6
2,799
Locutus73
Apprentice
Apprentice
‎2019-09-05 03:23 AM

I just made some tests and

  1. Old authentication API doesn't work if we activate the 2FA (but still works without enabling it)
  2. New authentication API lets register iOS/Android phones/tablets as trusted devices (not requiring further 2FA), but it doesn't (still) have a mechanism for trusting the web app, so users are required to confirm the login on the master iOS/Android device each and every time they access from the web

This way third party integrations require either

  • Disabling 2FA for the used account (usually a separate account from the master)
  • Enabling it and somehow mimic an iOS/Android device in order to be trusted and blessed forever
  • Wait for a mechanism in order to trust web app and mimic it

 

Thank you in advance.

Regards.

0 Likes
Reply
Message 4 of 6
2,781
rdkarlo
Aspirant
Aspirant
‎2021-04-20 08:18 AM

Hi!

 

I've been using a nodejs script with my arlo account to automatically download images from the cameras.

 

Now that my account has been forced to turn on 2FA, my scripts have stopped working.


Has anyone figured out how to get a RESTful APi client to work with arlo's 2FA?

 

Thanks,

Bobby

0 Likes
Reply
Message 5 of 6
2,198
rdkarlo
Aspirant
Aspirant
‎2021-04-22 01:07 PM

Hi!

 

I created a second web account but it looks like they force you to turn on 2FA and I don't see a way to turn it off.

 

Are you aware of a way to turn off 2FA?


Thanks,

Bobby

0 Likes
Reply
Message 6 of 6
2,143
Discussion stats
  • 5 Replies
  • ‎2019-09-04 12:43 PM
  • 2849 Views
  • 0 Likes
  • 3 In Conversation

Arlo
Support

Visit our support page for answers from simple setup to security optimization. Search for something specific or select a product or category for helpful articles and videos.

Visit Arlo Support

Arlo App
for Support

For personalized support specific to the Arlo products you own, access Support from within the Arlo iOS or Android App. Simply login to your Arlo App, go to Settings, Support, then select the Arlo product you would like support for.