
2FA + web app and API

Discussion stats
  • 3 Replies
  • 365 Views
  • 0 Likes
  • 2 In Conversation
Apprentice

Admins closed the discussion about two-factor authentication as resolved/implemented, because it's implemented in the iOS/Android app, but what about the web app and the API (https://developer.arlo.co)?

I guess most attacks will use those surfaces and not smartphone apps.

Securing half of the system is no security at all.

Thank you in advance.

Best regards.

Arlo Moderator

Hi Locutus73,

The two-step verification works with the web client on your computer as well. You can read more about the two-step verification here: What is two-step verification and how do I set it up?

For the link you provided, that is from a training management software company, which is not affiliated with or related to us.

Apprentice

@JessicaP OK, the link (documentation) is from an external company, but the APIs exist (and are yours), can be used (I use them every time for integrations, i.e. changing mode or setting off the siren from HomeKit) and are very nice... but are the APIs protected by 2FA (I really don't know, I'm asking)?

If I were a hacker trying to compromise some account, I'd try using the API and scripting.

Thank you in advance.

Best regards.

Apprentice

I just ran some tests and:

  1. The old authentication API doesn't work if we activate 2FA (but still works without enabling it)
  2. The new authentication API lets you register iOS/Android phones/tablets as trusted devices (not requiring further 2FA), but it still doesn't have a mechanism for trusting the web app, so users are required to confirm the login on the master iOS/Android device each and every time they access from the web

This way, third-party integrations require either

  • Disabling 2FA for the account used (usually a separate account from the master)
  • Enabling it and somehow mimicking an iOS/Android device in order to be trusted and blessed forever
  • Waiting for a mechanism to trust the web app and mimicking it

Thank you in advance.

Regards.
