Why s this still happening?  This is such a stupid waste of time.

Can one of you mods please re-express to the design team or whomever is responsible for this STUPID process that it makes no sense.

I am sitting here, on my computer, so as a safety feature I get a text on my computer telling me to use the code, from my computer to my computer.  Seriously stupid.

Can you please get an answer as to why this is still in place and when they're going to get rid of it? 

We never hear anything from the people making these stupid decisions.

Just to help out with understanding the arlo 2FA dance.

All arlo mobile and web apps are automatically logged out every 2 weeks regardless of background operating conditions. i.e. you cannot extend the expiration date of the session just by opening and closing the app.

For mobile apps with run in background enabled, to extend the session you need to force the app to logout manually using the settings/privacy centre/account/active sessions menu then logout all sessions. Then go to each device and reopen the app to login again.

Then set a reminder on your mobile to repeat this process every two weeks. This is especially important to maintain push notifications and have geofencing reliably.

For web browser it is slightly different, the sessions only last two weeks if you keep the pc powered(unless you hibernate), you don’t update OS or browsers. Once you change something on the pc the session is expired and a 2FA dance is required again.

The purpose for the 2FA is more to protect the arlo servers from attacks rather than protect your privacy at a guess.

But considering the privacy issues experienced by other brands it is good to know a hacker will have just as much difficulty getting into your account as you will.

---

@Dannybear wrote:

 

The purpose for the 2FA is more to protect the arlo servers from attacks rather than protect your privacy at a guess.

 

---

I think mandating 2FA was in response to a wave of news reports like this one:

• https://www.cnn.com/2019/12/12/tech/ring-security-camera-hacker-harassed-girl-trnd

@Dannybear

Your information is incorrect.

>All arlo mobile and web apps are automatically logged out every 2 weeks.

Logged out, not unauthenticated. My browser has to re-authenticate every two weeks. It has to log back in every 30 minutes. On my phone, all I have to do is log back in, and since it stores my username and password, all I have to do is click one button. This is stupid.

>the sessions only last two weeks if you keep the pc powered

Not true. I have to re authenticate every two weeks regardless. I have to re-login every half-hour (unbelievably stupid), or if I refresh the page, meaning no local cookie is set like it used to be when I bought this pathetic system.

Now they've screwed with this forum and I can't format properly. Please learn to code!

---

@AikaneKai wrote:

>the sessions only last two weeks if you keep the pc powered

Not true. I have to re authenticate every two weeks regardless.

---

@Dannybear was saying that the re-authentication is needed whenever you restart the PC, even if it hasn't been two weeks. In other words, the sessions are at most two weeks. Which is correct.

---

@AikaneKai wrote:

I can't format properly.

---

If you mean the problem with rendering blank lines, then I agree that is frustrating. I reported it to @JamesC, hopefully it will be fixed soon.

>Dannybear was saying that the re-authentication is needed whenever you restart the PC, even if it hasn't been two weeks. In other words, the sessions are at most two weeks. Which is correct.

No, that's not correct. I shut my computer off every single night, no exceptions. I have to re-authenticate every two weeks. I have to re-login every 1/2 hour.

On my phone, I have to re-login every 2 weeks, not re-authenticate, ever.

When using the web browser to login to the my.arlo.com login page the website java code checks the 2FA session cookie that is stored in the browser site storage to see if it has expired.

If the cookie has expired then the browser will request a 2FA authorisation before it will proceed with the login. After the login successfully succeeds it sets a new expiry cookie date for 2 weeks time.

The 2FA request is also initiated at the next login attempt if the pc has been previously powered off or shutdown unless you’re using hibernate mode instead.

When using the mobile app the same expiry feature applies but if you’re mobile has been set as the primary 2FA device for requests then this not actioned as a request and so will just relogin the mobile device transparently.

If you don’t open the mobile app, then after 2weeks the app running in the background logs out and so geofencing and notifications stop working until you open the app and log back in.

I have since seen recent advice that for mobile devices the expiry period has now been increased to 6 months.

---

@AikaneKai wrote:

No, that's not correct. I shut my computer off every single night, no exceptions. I have to re-authenticate every two weeks.

---

Interesting, as I often have needed to reauthenticate after a reboot. So my experience is different from yours (and in line with what @DannyBearAgain says). Though it is possible that Arlo has made some changes with this, and I might be recalling past behavior (I don't routinely turn off my PC, and I also use the phone more than the browser).

.

I also find the login times out of course, but have never timed it.

.

FWIW, I agree that it would be nice if the re-authentication was less frequent, and if there was a setting to change (or eliminate) the timeout.

>The 2FA request is also initiated at the next login attempt if the pc has been previously powered off or shutdown unless you’re using hibernate mode instead.

That is absolutely not correct, and never has been. I need to re-login, but I only get the re-authorization every two weeks in spite of the fact that I completely shut down every single night.

>Though it is possible that Arlo has made some changes with this,

This isn't a change. It's how it's operated since they implemented 2FA

---

@AikaneKai wrote:

>Though it is possible that Arlo has made some changes with this,

This isn't a change. It's how it's operated since they implemented 2FA

---

It is absolutely the case that the 2 week trust window frequently doesn't last that long. Plenty of posts from other users who also found that to be the case.

.

No idea why your experience has been different from my own, but it definitely is. No need to gaslight me.

>It is absolutely the case that the 2 week trust window frequently doesn't last that long.

And I never claimed otherwise, did I?

>No need to gaslight me.

So now you accuse me of lying? Really? I'm done with you. Go 'help' someone else.

Maybe you don't know the difference between logging in and authenticating.

Example: last night, I shut down my computer. This morning, I booted it fresh. When I went to the Arlo site, I had to log in, but I did not have to re-authenticate via the phone app or a 6-digit code. When I was attempting to help another user with their login issues on Safari, I logged into my arlo site on Safari for the first time. For that, I did have to authenticate because I've never logged in under Safari before.

@StephenB

---

@AikaneKai wrote:

>It is absolutely the case that the 2 week trust window frequently doesn't last that long.

And I never claimed otherwise, did I?

---

When I said it lasted at most two weeks, you contradicted me.

---

@AikaneKai wrote:

>No need to gaslight me.

So now you accuse me of lying? Really? I'm done with you. Go 'help' someone else.

---

I did not accuse you of lying. Gaslighting means denial of another person's experience - which is not at all the same as lying.

No, I keep telling you that I don't have to re-authenticate after rebooting.

---

@AikaneKai wrote:

No, I keep telling you that I don't have to re-authenticate after rebooting.

---

And I do believe you.

And I keep telling you that I have often had to re-authenticate before the 2-week window is up, and that includes after rebooting. I do know the difference between logging in and re-authenticating.

I use Windows, and not a Mac - not sure if that has anything to do with it.