Arlo|Smart Home Security|Wireless HD Security Cameras
× Arlo End of Life Policy Notice
To view Arlo’s new End of Life Policy, click here.

Reply
Discussion stats
  • 5 Replies
  • 2189 Views
  • 0 Likes
  • 3 In Conversation
Locutus73
Apprentice
Apprentice

Admins closed as resolved/implemented the discussion about the 2 factors authentication, because it's implemented in the iOS/Android app, but what about the web app and the API https://developer.arlo.co ?

I guess most attacks will use those surfaces and not smartphone apps.

Securing half of the system is no security at all.

 

Thank you in advance.

Best regards.

5 REPLIES 5
JessicaP
Arlo Employee Retired

Hi Locutus73,

 

The two-step verification works with the web client on your computer as well. You can read more about the two-step verification here: What is two-step verification and how do I set it up?

 

For the link you provided, that is from a training management software company, which is not affiliated or related by us.

Locutus73
Apprentice
Apprentice

@JessicaP Ok, the link (documentation) is from an external company, but the APIs exist (and is yours), can be used (I use them every time for integrations, i.e. changing mode or setting off the siren from HomeKit) and are very nice... but are APIs protected by 2FA (I really don’t know, I’m asking)?

If I was an hacker trying to compromise some account I’d try using API and scripting.

 

Thank you in advance.

Best regards.

Locutus73
Apprentice
Apprentice

I just made some tests and

  1. Old authentication API doesn't work if we activate the 2FA (but still works without enabling it)
  2. New authentication API lets register iOS/Android phones/tablets as trusted devices (not requiring further 2FA), but it doesn't (still) have a mechanism for trusting the web app, so users are required to confirm the login on the master iOS/Android device each and every time they access from the web

This way third party integrations require either

  • Disabling 2FA for the used account (usually a separate account from the master)
  • Enabling it and somehow mimic an iOS/Android device in order to be trusted and blessed forever
  • Wait for a mechanism in order to trust web app and mimic it

 

Thank you in advance.

Regards.

rdkarlo
Aspirant
Aspirant

Hi!

 

I've been using a nodejs script with my arlo account to automatically download images from the cameras.

 

Now that my account has been forced to turn on 2FA, my scripts have stopped working.


Has anyone figured out how to get a RESTful APi client to work with arlo's 2FA?

 

Thanks,

Bobby

rdkarlo
Aspirant
Aspirant

Hi!

 

I created a second web account but it looks like they force you to turn on 2FA and I don't see a way to turn it off.

 

Are you aware of a way to turn off 2FA?


Thanks,

Bobby

Discussion stats
  • 5 Replies
  • 2190 Views
  • 0 Likes
  • 3 In Conversation