Arlo|Smart Home Security|Wireless HD Security Cameras

Mandatory Two-Step Authentication (Verification) a Bad Idea

Chris67
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic: Mandatory Two-Step Authentication (Verification) a Bad Idea

Author: ChrisKay (Follower)

Date: 2020-03-07 10:51 PM

 

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

1 ACCEPTED SOLUTION

ShayneS
Arlo Moderator

As part of our ongoing initiative to bring peace of mind through implementing the latest in best security practices, we will be resuming mandatory Two-Step Verification requirements for all Arlo users starting July 6th, 2021.

 

Many Arlo users expressed concerns with the original implementation of Two-Step Verification due to its lack of trusted browser support. We have been working very hard to address these concerns and are excited to announce that trusted browser support will be included before resuming these requirements. This will allow users to trust web browsers for 14 days when enabling Two-Step Verification so that authentication is not required for every login when using that web browser.  Most popular browsers such as Edge, Chrome, Safari and Firefox are supported. 

 

For more information on how to set up Two-Step Verification and trusted browser, please visit the following article: What is two-step verification and how do I set it up? 

 

Thank you,

Arlo Team
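
The 14-day trusted-browser behaviour announced above can be sketched as a signed, expiring cookie that lets a correct password skip the verification code. This is an added example, not Arlo's code and not part of the original post; the token layout, the key handling and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TRUST_TTL = 14 * 24 * 3600            # the 14-day trust period from the announcement
SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server


def _mac(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_trust_token(account_id: str, now: Optional[float] = None) -> str:
    """Issue only after this browser has just passed the second step."""
    if "|" in account_id:
        raise ValueError("account_id must not contain the field separator")
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)      # unique per browser
    payload = f"{account_id}|{int(now) + TRUST_TTL}|{nonce}"
    # Send as a cookie with the Secure and HttpOnly attributes set.
    return f"{payload}|{_mac(payload).decode()}"


def second_step_required(account_id: str, cookie: Optional[str],
                         now: Optional[float] = None) -> bool:
    """True when a correct password must still be followed by a code."""
    now = time.time() if now is None else now
    if not cookie:
        return True
    try:
        payload, mac = cookie.rsplit("|", 1)
        token_account, expires, _nonce = payload.split("|")
        expiry = int(expires)
    except ValueError:
        return True                   # malformed cookie: challenge
    if not hmac.compare_digest(mac.encode(), _mac(payload)):
        return True                   # forged or altered token: challenge
    if token_account != account_id:
        return True                   # trust was granted to another account
    return now >= expiry              # trust lapsed after 14 days: challenge
```

The token replaces only the second step: the password check still runs on every login, and a missing, altered or expired cookie falls back to the full challenge.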


462 REPLIES
TomMac
Guru

Agree, it should be an option for the user!

 

Last time I tried it, PCs were not trusted devices, and to use an SMS every time to log in is crazy (most of the time I log in via PC).

--------------------------------------
Morse is faster than texting!
--------------------------------------
Say_no_to_2FA
Star

Seeing that Arlo cannot get themselves together to implement something as simple as the concept of a trusted device, and are insisting on forcing 2FA on us all at the behest of their Governance, Risk and Compliance team, perhaps a workaround is to create separate user accounts for each device you use. That way they will remain logged in and always be trusted? At the worst it may be less inconvenient for those using multiple devices.

TomMac
Guru

The accounts do not stay logged in... after a time they auto close out.

Say_no_to_2FA
Star

True, but the time-out and therefore the inconvenience is less frequent if you switch between multiple devices to monitor your security. It will keep me going until I junk the Arlo rubbish and find an alternative.

robsss
Star

The fact that I am auto logged out of the web page and can't get back in as a trusted browser/computer is a fatal error.

 

I will be selling my Arlos and will not recommend them.

 

It is a shame since I have been using them for years without any issues.

Webfeet
Guide

Admittedly I turned off 2FA months ago in sheer frustration and so I don't know if Arlo has improved the experience. Now I am afraid that if I turn it on I might not be allowed to turn it back off.  I support and use 2FA on all my other applications but Arlo's implementation is unusable. 

 

Here is my experience months ago as I remember it. The email verification code method allowed 1 minute to enter. My email client checks email every 2 minutes. See a problem there? It would take up to 3 tries and 5 minutes to log in. Using my cell phone to verify can be inconvenient at times, but my other problem was I was allowed 30 seconds to respond. It took 10 seconds before it appeared on my phone (sometimes longer because reception was bad in my basement) and for some reason if I responded in the last 10 seconds it didn't register in time. I was left with trying to time my response for that exact 10 second window. Again, I had success only after multiple tries. I gave up and turned off 2FA. I'll turn it back on if someone tells me the experience has vastly improved.

Retired_Member
Not applicable

Had I known I was going to be held hostage to Arlo, I would never have spent over $600 for this system. There is absolutely no reason for me to do the two-step. It's a waste of time and frustrating. I will not turn the two-step on again - ever. If forced to do so, I will tear the system down and start with another company. Wonder if Ring makes you do the two-step?

dcfox1
Master

@Retired_Member Yes, Ring has had it for over a year, as have many other camera brands.

Retired_Member
Not applicable

Thanks dcfox1. Guess I won't use them either. Maybe I'll look into a hardwired in house system that doesn't require "outside interference".

rpalmer
Guide

I only activated 2FA because Arlo messages said that I had to or my videos would be lost. When I started having trouble, I talked to Arlo support, and they confirmed that was the case. I'll be really interested to know if everything still works when 2FA is shut off. I'm just monitoring activity in my driveway and the cul-de-sac that I live on.

The Ultra-2, the Arlo app, and Arlo, the company, have been a real disappointment. I paid a 5-star price for a 2-star product ... Shame on me.

dcfox1
Master

@Retired_Member wrote:

Thanks dcfox1. Guess I won't use them either. Maybe I'll look into a hardwired in house system that doesn't require "outside interference".


Even with that type of system, if you can view it through the internet, they still may be.

pc2k17
Hero

@Retired_Member 

You want a Power over Ethernet (PoE) system. Ethernet wired thru house, cameras where you want, something to save the recordings on, and you're good to go. Light years ahead of a cloud based camera system and accessible from internet if you set it up that way.

 

Up front cost can be steep, depends on the quality of cameras you buy, storage device, and how much to wire your house. But they work all the time, every time. My Arlos, I have to pull the batteries frequently and reboot the base every day to keep it running correctly. PoE just works. Good luck.

marvin_martian
Guide

I'm disappointed that in the year since users have been complaining about this hassle that nothing has been done to make it a more user friendly experience.  Making a web browser a "known device" not "trusted device" would solve the problem and is not hard to do.

rpalmer
Guide

Either POE or a standard non-battery WiFi camera would meet my needs since the camera mounts to the eave over my garage doors and it is extremely easy to run cables through the eave to power and/or ethernet. My Arlo Ultra2 is attached full-time to a charging cable. I thought that was cool since the camera would remain powered during a power outage, but the battery does not work in cold weather and the camera goes dead. What should have been a small plus became a big minus.

 

Due to the angle of our house, we only have one window with a view of our driveway and cul-de-sac. The idea was to set up alerts and capture clips so we could check to see when the mail was delivered, garbage was picked up, etc. Arlo Ultra 2 is about 80% reliable most days, but some days, it just stops until I reboot the hub, which is in the garage a few feet from the wifi-router and ethernet switch and less than 30 feet from the camera. At 2K, events can generate notifications and/or email alerts. At 4K, email alerts break, and reliability drops from 80% to about 60%.

 

I also have a small laptop and thought I'd set it up with a live stream so we could have a live-stream play whenever we expect guests, and/or deliveries. In theory, we would hear an Arlo alert, and be able to just glance at the laptop screen. Since Arlo live streams time out, that did not work. It also demonstrated how long the delay is for Arlo alerts.  At 4K, we've seen some notifications delivered hours after the video was captured. 

 

I don't mind having multiple cameras for multiple purposes. At this point, I'm still trying to figure out if my Arlo product is good at anything related to my wants and needs. I'm also reviewing other products. 

 

Retired_Member
Not applicable

Thanks so much for the reply and for the info. You have pointed me in the direction I need to go.

dcfox1
Master

You do realize the competitors have 2FA. I had Ring that worked the same way over a year ago. Not saying I like it, and I would like it as an option, but even Ring did not have an option to choose right away.

arseasttle
Apprentice

I can't believe that Arlo didn't really think this through, saw what the community had to say, and then just said "it's solved."

When I travel, or I'm just out and about, I don't always have my cell phone in my hand, and I don't always have instant access to my email . . . so much is network and wifi dependent. So, my camera sends me an alert and I hit the app to see what's going on but THEN I have to wait to get a code, enter the code, and THEN get to see that someone's already gone? 

The whole point to security cameras, in fact the most important thing about security cameras, is FAST access. If I select to receive my code by email, it means I have to have access to that email at every second of the day AND that now involves signing in to the email, waiting for the email server to deliver the message from Arlo, and then entering the code . . .that can take an incredible amount of time, when you think of the various servers involved.  OR I can choose my cell phone but that means it has to be on and with me 24/7, with access to internet or cell phone signal -- not always a 24/7 given in some cities.

 

PLEASE, please, please . . I like the Arlo system and don't want to, and can't really afford to, change companies now. But you've disabled the single most important feature of ANY security system; FAST ACCESS. 

Please reconsider making this mandatory . . make it an opt-in system. Or at least an opt-out-you-know-the-risks system.


Andrew

arseasttle
Apprentice

Because of the recent requirement of two-step verification, especially since it can't be on more than one platform, i.e., you have to choose phone OR email OR push, which means, whichever one you choose you have to have THAT access at all times, I've updated my review of the Arlo system on Amazon. I think it's important to notify potential buyers that Arlo has seriously crippled the most important part of any security system, the time you have to respond to an alert. Every second you have to waste verifying and re-logging in is another second wasted in your response. Here's my updated review.

I'm rating a 4-5 star piece of hardware only 2 stars because, regardless of how good the hardware, the software and company behind the equipment is equally, or perhaps more, important.

 

I've had the Arlo Pro 2 system for a few years now, and really like the way it worked. Sometime last year, the Arlo Company decided to stop sending images along with the email alerts, which rendered an integral part of the system useless. If you had to sign in every time there was an alert, load the library to see which video it was, you basically were too late to do anything if there was actually a security issue. After numerous complaints, the company changed the policy which, to be honest, really restored my faith. They'd made a bad decision and, based on their customers, changed their minds . . . a company that listens is great.

 

Cut to this week: Arlo has decided to require two-step verification. No opt-out possible. The problem is that, once again, it takes away the most important feature of ANY security system, how quickly you're alerted and can respond, and renders it inadequate. If the camera senses something, and I tap on that image but, before the app launches or the account loads on the computer, I have to receive a code and enter it. That means, if I choose my phone for this code, I have to ALWAYS have it with me; you can't have the phone AND the email selected at the same time. If I choose email, I have to have access to the account, remembering that email servers sometimes don't instantly refresh, and wait for the code, then enter it, and THEN I can see what's happened on my front porch. HAPPENED, not HAPPENING . . .it's already too late to remotely set off the alarm or talk through the system . . . too late.

 

There are hundreds of comments on the Arlo Community Boards about why this required system doesn't really make sense with a product that relies heavily on INSTANT notification and response . . . Arlo's response is basically "too bad."

Here's the point of this review: while the hardware works well, the company itself seems to keep coming up with changes that affect the usefulness of the hardware. Think about this as you look for alternative systems.

arseasttle
Apprentice

I want to add one other thing . . .

 

Obviously, the comments on this new "required" feature are all on the "please let us opt-out" side of things. Because, as I said in my original post, this really negates the primary feature of any security system, fast access and response, I think it's poorly thought out.  HOWEVER, if Arlo absolutely MUST keep this feature, I have two other suggestions/requests for you to consider.

First, make it possible to select ALL methods of contact at the same time. If Text, Email, AND Push are all selected, there's a greater chance of receiving the message quickly. This is especially true because you're only giving us a limited time to enter the code. (BTW - It took me longer to receive the email than time allowed for me to enter the code; that made THAT alert choice useless.)

Second, and this seems so much easier and more logical, why not let us use a Pin system? You send me an alert and want me to, basically, prove that it's me . . . let me pick a security pin and enter it. That way, I'm not dependent on your servers being fast enough to send something, or my connection or email delay. I select a security pin and, if there's an alert, I simply enter my pin. Wouldn't that achieve the same thing as a code but remove all potential delays?

 

I still think it's a poorly conceived system but a personal pin would, at least, take some of the pressure off.

dcfox1
Master

That is automatic. But good luck. 

Retired_Member
Not applicable

I got 17 posts today. Count me as one that wants his money back.

dcfox1
Master

It's 5 o'clock somewhere.

BarbaraFox
Initiate

The way our company is set up, the two-step verification code is a problem. My phone is with me when other people need to check the cameras. They also do not have access to the company email. I'm not sure how to allow other people to check the cameras now.