Re: Mandatory Two-Step Authentication (Verification) a Bad Idea
Chris, there is something else you should know that you actually might already know from your own experience. At my bank, if I don't log into my account very often, they don't use a 2 step the way Arlo does so that you have to wait for a notification (via email or text) but rather they already have a record of, "Security Questions" that you establish when you open the account with them, thus eliminating the hurry to get a code from your email or a text because YOU chose your own security questions ie. "What is your favorite teacher's name from grade school" or similar questions that only YOU would know. That eliminates the frustration of waiting for the email or the text and your memory has that information from your life's experience and you will probably die with it. That is just as secure as their MANDATORY 2 step method but without the frustration and major inconvenience that exists now with the current 2 step process.
In addition to making browsers a "known device", How about the ability to copy and paste the 2fa code from email? That would make it a little easier to use that route.
You are absolutely right, but the 2FA isn't even necessary if you have security questions that have been set up in your account at the time you created your account and changeable if you feel the need to do so.
From the discussion in this forum so far, it seems that most people (including myself) need instant access to their cameras for common and fundamental security purposes. 2FA does not give instant access whether this be by push or email. Security questions do not give instant access as you have to receive the question and then enter the answer which all takes time.
Permitting us to nominate trusted devices/browsers which would include PC’s/Laptops/iPads without cellular would be acceptable.
But by far the easiest solution for Arlo and the least hassle for users would be to allow users to forego 2FA by electing to “Opt Out” and agreeing to a disclaimer that it is “at your own risk”. I suspect (hope) Arlo are going this route once all customers have been moved over to 2FA as I notice that in Settings/Profile/2-Step Verification for a brief second the button to switch on/off 2FA is still present albeit greyed out. There is paranoia around litigation for companies operating in today’s world and Arlo is no exception although I can’t imagine that security cameras are high risk..
This is ridiculous.
The browser based viewer was bad enough with it's session timeout, now I have to get a code every time I open it?
This must be fixed ASAP.
Arlo, you really screwed this up. Every time you log me out of the system for time, I have to get another code. Why must we have this two-step verification? Can't we set up our trusted devices so we don't have to do this every time? And oh yes, picking "features" as the label makes total sense, as this system is NOT a good feature. This is annoying enough that I may just invest in a different camera system and throw your stuff where it belongs, in the garbage.
For your phone it is a trusted device so no need for 2FA once set up as a trusted device. On computers yes but if you select push notifications instead of SMS or E-mail no code is needed.
I totally agree that having security questions do not give instant access to our cameras as we all want. However, it would be an alternative that would at least be faster than the current (non copy/paste) code that has to be sent each and every time the user needs access to their cameras. The bottom line to this discussion is that it is simply a very bad idea to increase the users time consumption and patience that the current system that 2FA presents. Also using the disclaimer that the user accepts all risks from opting out of using 2FA is the best solution. In the meantime Arlo is going to lose current and future prospective customers unless they stop their current MANDATORY method of accessing security cameras by the users.
Because the reason I bought this system mostly is because I only own a flip phone and it costs me every time I use it, but in the long run I only pay about $100 a year to have it, and I use my PC to access the system. I have no need or desire to own an Iphone, or Android or compatible phone that has internet access. My flip phone is only for emergencies. The 2FA is much too much of an overkill for Arlo to be using. The only reason they are using it is to protect their asses from a lawsuit, and that can easily be avoided with the use of the disclaimer as I have stated before.
That's what I finally did. But it can only be used on one phone at a time to access arlo by laptop. I set ours up for push on my wife's phone so she can access by laptop and I'll just use my phone or tablet as it doesn't require this nonsense. There is some sort of a "trusted phone app" that I've been researching, but don't know if it will work or not with edge.
When I researched security cameras last year I came to the realization very quickly that all of them except, "Blink" and Arlo required the use of cell phones to access them. I only use my PC to access them as I said before and THAT was the most important consideration for me. Regardless what is available now, I don't need to research that UNLESS Arlo refuses to allow the use of a disclaimer to disable this 2FA system. I am shopping now slowly online for a different system however since I also had many issues with my Arlo system. They had a bug in their code which caused the, "Pan & Zoom" functions to not work for months and I had to convince them that the problem was NOT on my end. Obviously they finally corrected their code error now, but this 2FA will end my Arlo experience if it's not reversed for sure.
There is a long running, and not very useful, discussion of this issue over in the "Idea Exchange" area. That is the wrong place to talk about how you can deal with 2FA on a PC. So let's try here.
2FA on a PC is a pain. But it does not have to be as earth shattering as people seem to think.
In my case, if I don't want to use a mobile phone, I get the Arlo login process to send me an email message.
There then pops up the prompt to fill in a six digit number and a two-minute countdown starts.
Usually within 15 seconds I get an email message.
The next bit is where it gets interesting.
I use Microsoft Outlook.
I have created a Rule that triggers when I receive a message from Arlo sent to the email address I use to login to Arlo. The other bit of the trigger is the subject of the message Your one-time authentication code from Arlo
When that rule triggers, Outlook will then:
- Play a sound file (so that I can tell the message has arrived)
- Display a message in the New Item Alert window
- Moves the message to a particular folder (so that to doesn't clutter up the inbox)
- The display a Desktop Alert (so that there s something to click and open the message)
All that happens in a few seconds. I can usually read the required number and enter it into the Arlo page with 90 seconds or more left before the timeout.
(As someone else suggested, in one of the more sane contributions to the "Idea Exchange" row, it would be nice if we could copy and paste the six digit code.)
I also have the "Your Phone" app running on my PC so that when my mobile phone gets the Arlo email it provides even more layers of alerts and messages.
This process is probably too complicated for some people. But when you get used to it it is pretty painless.
There are certainly more steps in there than essential. Perhaps someone else has come up with a different strategy that works for them
I'd still like Arlo to remove the need for this process, or find an easier alternative, but I am not going to throw a hissy fit and threaten to unleash World War Three.
Just another user
Arlo hardware: Q Plus, Pro 2 (X2), Pro 3 (X3), Pro 3 Floodlight, Security Light (X2), Ultra (X2), Doorbell, Chime
Mandatory two-step verification is crippling us in the important way we utilize and access our cameras. This forced security measure (which is absolutely not necessary for our purposes) comes at a crucial time when we are monitoring pregnant animals nearing labor (birthing). It is most important for us to have quick unhindered remote camera access, across several users. Like we did before the forced two-step verification. The current two-step options do not allow for that unhindered access by non-technical users, across a range of devices. Please remove this mandatory two-step verification and give users a choice to select the level of security they deem appropriate for their needs. I had plans to add several more arlo cameras to our site. That plan has changed. If an option to turn off two-step verification does not become available I will be removing all Arlo gear from our site and replacing it with non-arlo gear that allows us, the customer, to choose the level of security best suited to our needs.
The fact that I am auto logged out of the web page and have to go through verification every 20 minutes is ridiculous.
I'm disappointed that in the year since users have been complaining about this hassle that nothing has been done to fix the problem.
There are hundreds of comments on the Arlo Community Boards about the problems with this.
Since the 2FA does not allow making computers trusted devices, kindly make the 2FA optional again. I’m happy to acknowledge and accept any risks.
This has been a problem for a year and to mandate using the 2FA while the issue still exists is just crazy.
This is NOT working for your customers.
Please address this problem- without a canned, scripted response please. What is Arlo doing about this?
Your system required me to activate two step verification about a two weeks ago and my frustration is growing with each required code to login. I have a MS in computer science and do network security for a living so I understand the need to protect your logins. I cannot, however, understand why your system cannot verify my computer with the first code as the IRS, Social Security, USPS, US State Department, Banks, Brokerage Accounts, Local Government, and Utilities allow. All that's required is a cookie. If I was to attempt to login from an additional computer then make me verify that machine as well -- all that makes sense. What doesn't make sense is that now forced to (1) login to my.arlo.com, (2) have your system send email me a 6 digit code, (3) wait until that email is delivered, and (4) enter the code all before the person who is ringing the doorbell gives up and leaves -- this sort of defeats the purpose of having a doorbell camera!!! Why spend the $300 on your doorbell camera when I could go back to prior years and just not answer the door.
I've requested help via phone and chat and the only solution that has been offered is to post on this venue.
Please do what all others have done and only require a two step verification on logins from new devices.
I could not agree with you more my friend, and I am in the market now for a new system from another company. Arlo gave me too many problems, but this one is unacceptable.
I wouldn't hold my breath my friend about them reversing their decision to use 2FA because the bottom line is always what wins out in the end. They are afraid of liability of hackers. But they just can't get it through their thick heads that their bottom line is going to be affected a LOT more through loss of current customers and those who are prospective customers that are looking for a security system. I wonder too if they even consider these comments because it appears that they do not.
Arlo Mobile App
Arlo Pro 2
Arlo Pro 3
Arlo Web and Mobile Apps
Before You Buy
Firmware Release Notes
IFTTT (If This Then That)
Installation & Upgrade
Online and Mobile Apps
Service and Storage
Software & Apps