Browser vs app

AikaneKai
Apprentice

Computer:

  • Stays at home (where I live alone)
  • Doesn't travel with me
  • Is in a locked house (when I'm not there)
  • has built-in screensaver which requires a password to unlock


iPhone:

  • Travels with me *everywhere and always*
  • could be accidentally left behind
  • could be easily stolen
  • frequent target of hackers
  • has built-in screensaver which requires a password to unlock


iPad:

  • Travels with me on long trips
  • could be accidentally left behind
  • could be easily stolen
  • frequent target of hackers
  • has built-in screensaver which requires a password to unlock

Can someone please explain to me why the computer, which is far less vulnerable than the other devices, is required to re-authenticate every 2 weeks (although it's more frequent than that), but the others aren't?

I don't like 2FA for my cameras. I get that it's implemented not for our safety, but for the liability of Arlo and we don't have a choice in the matter (even though I bought years before they implemented it), but seriously, what is the point in how it's implemented on the browser? Can anyone explain this?

AikaneKai
Apprentice

I guess the answer is no, no one can answer this.  Is there any way to explain to Arlo how monumentally stupid this is?

AikaneKai
Apprentice

Why is this still happening?  This is such a stupid waste of time.

Can one of you mods please re-express to the design team or whoever is responsible for this STUPID process that it makes no sense.

I am sitting here, on my computer, so as a safety feature I get a text on my computer telling me to use the code, from my computer to my computer.  Seriously stupid.

Can you please get an answer as to why this is still in place and when they're going to get rid of it?

We never hear anything from the people making these stupid decisions.

Dannybear
Master

Just to help out with understanding the arlo 2FA dance.

All arlo mobile and web apps are automatically logged out every 2 weeks regardless of background operating conditions, i.e. you cannot extend the expiration date of the session just by opening and closing the app.

For mobile apps with run in background enabled, to extend the session you need to force the app to log out manually using the settings/privacy centre/account/active sessions menu, then log out all sessions. Then go to each device and reopen the app to log in again.

Then set a reminder on your mobile to repeat this process every two weeks. This is especially important to maintain push notifications and have geofencing work reliably.

For web browser it is slightly different: the sessions only last two weeks if you keep the pc powered (unless you hibernate) and you don’t update OS or browsers. Once you change something on the pc the session is expired and a 2FA dance is required again.

The purpose for the 2FA is more to protect the arlo servers from attacks rather than protect your privacy at a guess.

But considering the privacy issues experienced by other brands it is good to know a hacker will have just as much difficulty getting into your account as you will.

StephenB
Guru

@Dannybear wrote:

The purpose for the 2FA is more to protect the arlo servers from attacks rather than protect your privacy at a guess.

I think mandating 2FA was in response to a wave of news reports like this one:

AikaneKai
Apprentice

@Dannybear

Your information is incorrect.

>All arlo mobile and web apps are automatically logged out every 2 weeks.

Logged out, not unauthenticated. My browser has to re-authenticate every two weeks. It has to log back in every 30 minutes. On my phone, all I have to do is log back in, and since it stores my username and password, all I have to do is click one button. This is stupid.

>the sessions only last two weeks if you keep the pc powered

Not true. I have to re-authenticate every two weeks regardless. I have to re-login every half-hour (unbelievably stupid), or if I refresh the page, meaning no local cookie is set like it used to be when I bought this pathetic system.

Now they've screwed with this forum and I can't format properly. Please learn to code!

StephenB
Guru

@AikaneKai wrote:

>the sessions only last two weeks if you keep the pc powered

Not true. I have to re-authenticate every two weeks regardless.


@Dannybear was saying that the re-authentication is needed whenever you restart the PC, even if it hasn't been two weeks. In other words, the sessions are at most two weeks. Which is correct.


@AikaneKai wrote:

I can't format properly.


If you mean the problem with rendering blank lines, then I agree that is frustrating. I reported it to @JamesC, hopefully it will be fixed soon.

AikaneKai
Apprentice

>Dannybear was saying that the re-authentication is needed whenever you restart the PC, even if it hasn't been two weeks. In other words, the sessions are at most two weeks. Which is correct.

No, that's not correct. I shut my computer off every single night, no exceptions. I have to re-authenticate every two weeks. I have to re-login every 1/2 hour.

On my phone, I have to re-login every 2 weeks, not re-authenticate, ever.

DannyBearAgain
Tutor

When using the web browser to login to the my.arlo.com login page the website java code checks the 2FA session cookie that is stored in the browser site storage to see if it has expired.

If the cookie has expired then the browser will request a 2FA authorisation before it will proceed with the login. After the login successfully succeeds it sets a new expiry cookie date for 2 weeks' time.

The 2FA request is also initiated at the next login attempt if the pc has been previously powered off or shutdown unless you’re using hibernate mode instead.

DannyBearAgain
Tutor

When using the mobile app the same expiry feature applies but if your mobile has been set as the primary 2FA device for requests then this is not actioned as a request and so will just relogin the mobile device transparently.

If you don’t open the mobile app, then after 2 weeks the app running in the background logs out and so geofencing and notifications stop working until you open the app and log back in.

I have since seen recent advice that for mobile devices the expiry period has now been increased to 6 months.

StephenB
Guru

@AikaneKai wrote:

No, that's not correct. I shut my computer off every single night, no exceptions. I have to re-authenticate every two weeks.


Interesting, as I often have needed to reauthenticate after a reboot. So my experience is different from yours (and in line with what @DannyBearAgain says). Though it is possible that Arlo has made some changes with this, and I might be recalling past behavior (I don't routinely turn off my PC, and I also use the phone more than the browser).

I also find the login times out of course, but have never timed it.

FWIW, I agree that it would be nice if the re-authentication was less frequent, and if there was a setting to change (or eliminate) the timeout.

AikaneKai
Apprentice

>The 2FA request is also initiated at the next login attempt if the pc has been previously powered off or shutdown unless you’re using hibernate mode instead.

That is absolutely not correct, and never has been. I need to re-login, but I only get the re-authorization every two weeks in spite of the fact that I completely shut down every single night.

AikaneKai
Apprentice

>Though it is possible that Arlo has made some changes with this,

This isn't a change. It's how it's operated since they implemented 2FA

StephenB
Guru

@AikaneKai wrote:

>Though it is possible that Arlo has made some changes with this,

This isn't a change. It's how it's operated since they implemented 2FA


It is absolutely the case that the 2 week trust window frequently doesn't last that long. Plenty of posts from other users who also found that to be the case.

No idea why your experience has been different from my own, but it definitely is. No need to gaslight me.

AikaneKai
Apprentice

>It is absolutely the case that the 2 week trust window frequently doesn't last that long.

And I never claimed otherwise, did I?

>No need to gaslight me.

So now you accuse me of lying? Really? I'm done with you. Go 'help' someone else.

Maybe you don't know the difference between logging in and authenticating.

Example: last night, I shut down my computer. This morning, I booted it fresh. When I went to the Arlo site, I had to log in, but I did not have to re-authenticate via the phone app or a 6-digit code. When I was attempting to help another user with their login issues on Safari, I logged into my arlo site on Safari for the first time. For that, I did have to authenticate because I've never logged in under Safari before.

@StephenB

StephenB
Guru

@AikaneKai wrote:

>It is absolutely the case that the 2 week trust window frequently doesn't last that long.

And I never claimed otherwise, did I?


When I said it lasted at most two weeks, you contradicted me.


@AikaneKai wrote:

>No need to gaslight me.

So now you accuse me of lying? Really? I'm done with you. Go 'help' someone else.


I did not accuse you of lying. Gaslighting means denial of another person's experience - which is not at all the same as lying.

AikaneKai
Apprentice

No, I keep telling you that I don't have to re-authenticate after rebooting.

StephenB
Guru

@AikaneKai wrote:

No, I keep telling you that I don't have to re-authenticate after rebooting.


And I do believe you.

And I keep telling you that I have often had to re-authenticate before the 2-week window is up, and that includes after rebooting. I do know the difference between logging in and re-authenticating.

I use Windows, and not a Mac - not sure if that has anything to do with it.
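
The distinction argued over in this thread, a short-lived login session versus a longer-lived per-browser 2FA trust record, modelled as an added example that is not part of any post and is not Arlo's code. The function names and storage shape are hypothetical, the 30-minute and two-week durations are the ones posters report, and the fixed (non-sliding) trust window is an assumption.

```javascript
// Added illustration only; not Arlo's implementation.
const SESSION_TTL_MS = 30 * 60 * 1000;          // "re-login every half-hour" (as reported)
const TRUST_TTL_MS = 14 * 24 * 60 * 60 * 1000;  // "re-authenticate every two weeks" (as reported)

// Hypothetical per-browser state: every browser profile keeps its own records,
// so a browser never used before holds no trust record at all.
function newBrowser() {
  return { session: null, deviceTrust: null };
}

// What the user must do when opening the site at time `now` (milliseconds).
function requiredStep(browser, now) {
  if (browser.session && now < browser.session.expiresAt) return "none";
  if (browser.deviceTrust && now < browser.deviceTrust.expiresAt) return "password";
  return "password+2fa";
}

// Perform the login. The trust window starts only when a 2FA challenge is passed
// (assumption: plain password logins do not extend it).
function completeLogin(browser, now, passed2fa) {
  const step = requiredStep(browser, now);
  if (step === "none") return step;
  if (step === "password+2fa") {
    if (!passed2fa) throw new Error("2FA challenge not completed");
    browser.deviceTrust = { expiresAt: now + TRUST_TTL_MS };
  }
  browser.session = { expiresAt: now + SESSION_TTL_MS };
  return step;
}

// A session kept only in memory is gone after a page refresh or shutdown;
// the trust record is stored separately and survives.
function dropSession(browser) {
  browser.session = null;
}

// Constructed timeline: first login, nightly shutdown, a second browser, day 15.
function scenario() {
  const DAY = 24 * 60 * 60 * 1000;
  const chrome = newBrowser();
  const safari = newBrowser();
  const steps = [completeLogin(chrome, 0, true)];
  dropSession(chrome);
  steps.push(completeLogin(chrome, 1 * DAY, false)); // after reboot: password only
  steps.push(completeLogin(safari, 1 * DAY, true));  // new browser: full 2FA
  dropSession(chrome);
  steps.push(completeLogin(chrome, 15 * DAY, true)); // trust window has lapsed
  return steps;
}
```

In this model a browser that discards its stored trust record is asked for 2FA again no matter how much of the two-week window remains.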