Arlo|Smart Home Security|Wireless HD Security Cameras
× Arlo End of Life Policy Notice
To view Arlo’s new End of Life Policy, click here.

Reply
Chris67
Luminary
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic:

Mandatory Two-Step Authentication (Verification) a Bad Idea

Author:

ChrisKay (Follower)

Date:

2020-03-07 10:51 PM

 

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

462 REPLIES 462
arseasttle
Apprentice
Apprentice

Like virtually EVERYONE else on the boards these days, I've posted a number of times about the problems with requiring mandatory two-step verification. To read that you're working on a solution to fix a browser issue completely misses the points that many of us are raising. Two-step verification needs to be voluntary.

 

That said, if you insist on requiring this time-delaying feature, you need to look at how it functions and what you can do so that it doesn't delay the ability to access our cameras/alerts in a timely manner. As I and others have posted, only allowing one method of notification/verification makes it impossible to respond in every situation. If I choose phone or push, I have to have the phone with me 24/7, which I don't. Email notifications depend on the speed of sending/receiving servers and can get caught up in the mail refresh of the device. (And when I'm traveling, especially driving across country, my phone doesn't always have email network access but can get alerts.) You allow two minutes to enter the code; in those two minutes, whatever triggered the alert is either long gone or already inside my house; I didn't have the opportunity to say something over the speaker, to trigger the alarm, to even see if it was just another cat. That delay has completely negated the primary reason I purchased the Arlo system. But if you refuse? And if you don't care about the loss of customers and the horrible warnings/reviews all over the web -- which I believe will open the door for another company and, in the end, finish Arlo -- then AT LEAST consider some of the following:

 

First, allow ALL methods of notification at the same time. That increases the odds of actually receiving the alert in time to have it mean something;

Second, let us set our own pin. We get an alert, we enter our own pin, and we don't have to wait for a notification AND you don't have to fix any code. It's good enough for my bank and credit cards . . . it should be good enough for Arlo;

Third, at least allow me to cut/paste the alert so I don't have to find my glasses to read it AND, in my case, switch back and forth between the alert and the form;

Fourth, and most important, allow us to opt-out out. If it's a liability issue, make us check a box or sign a form . . . the security on OUR security should be our choice.

 

 

 

 

joe1821
Apprentice
Apprentice

Arseasttle, you have a great idea and I will continue to support our disdain for 2FA until I hear that ARLO has decided to discontinue it PERMANENTLY.  Your idea of a pin is fine because you can remember your own pin, but to receive a code, THAT ARLO GENERATES and having to remember that code without it being able to be copy/pasted is absolutely absurd.  Continue fighting this issue!

hennesbe
Star
Star

Two step is not a new idea unique to Arlo.  It's for their safety and ours.

My bank just upgraded their on line system and also added the two step verification.

The world is full of hackers attempting to get everyones info.

Companies are trying to stay ahead of them.

pc2k17
Hero
Hero

You must be a LEO, or government worker, because that's exactly what they say... for your safety and ours. I've made it thru the computing world for more years than you've been alive..... I'll take care of my own safety, thank you.

 

All banks have had this for years. If your bank just got it, you're way behind, I'd switch if I were you. The difference is the banks implemented it correctly, Arlo didn't.

 

A proper password will defeat most any hackers. My arlo password is 40 random characters long, my wifi password is 60 randon characters long. It would take 100,000 years to brute force attack a password like that. If you can't type fast you can use something like keepass to populate a long hard password.

hennesbe
Star
Star

Sorry Jack, I was writing COBOL and PL1 programs before you were born.

d0lphin
Apprentice
Apprentice

Arlo, you sound just like the government trying to force us to take the CCV vaccine against our will.  I've seen the arguments about banks and others using the two step and I probably do have that with my bank. However, my laptop is set up that I do NOT have to enter anything, but rather click on my SAVED password. No notification is sent. I just log on. Same with all my devices. They are all trusted devices. Are you going to do that? My memory doesn't allow me to remember the over 50 passwords I have for all the sites I visit. I have all of them written down so if somehow the saved password fails I can look it up on my written pad. However, that rarely occurs. And as for the speed, you only allow 30 seconds to respond to a push. That took me two or three retries just  to see what set of the camera. And not only that, I have gone outside, set off the camera while walking to the mailbox, came back in, and then couple minutes later get the notification camera was set off. I'm long gone from camera view before I was even notified. How about fixing the speed problem? If Arlo customers really wanted such a secure system, we would certainly not use Arlo. We would hire a company to come install equipment and have it monitored 24/7. I did not sign up for this. Mandatory two step was never mentioned on the box or anywhere in instructions when I bought this system.

Webfeet
Guide
Guide

pc2k17 

Try repressing the urge to be rude.

Webfeet
Guide
Guide

I want to reiterate that allowing only 30 seconds to respond to a push or text is too short. The last time I checked with a push notification I had my phone next to my computer. By the time I picked it up, woke it, entered my screen pin, pulled down the notification screen and selected the confirmation I had only 9 seconds left.  If the phone had been in my pocket or even 2 steps away I would have failed.

rpalmer
Guide
Guide

I agree,  but there are right ways to implement two-step authentication, and  wrong ways to implement two-step authentication. Arlo's two-step authentication is an example of a wrong-way. My bank's implementation is an example of a right-way. 

CrewelLye
Initiate
Initiate

No to mandatory 2 step login!!!! It is bad enough that we do not have an option to opt out of cloud recording and go direct to a  local storage device. some hidden agenda from arlo to keep our camera images and access on their cloud...big brother is here.

pc2k17
Hero
Hero

COBOL was created in 1959. I was born in the 60's, so maybe you were writing it before I was born, but not by much, if at all.

 

My points are still valid. Excuses made for Arlo's mess help no one. Have a nice day.

pc2k17
Hero
Hero
webfeet
Rude??? What in my post was rude? I told him I can take care of myself. Explained how banks already had 2FA, and how to create a proper password. I even said thank you. Remember, just because you disagree what what a message says, doesn't mean it's meant in any rude or harmful way. A different opinion is not evil, it's just a different opinion. Have a nice day.
d0lphin
Apprentice
Apprentice

Yeah, I was trying to figure out what was rude about your comment. Speaking the truth is never rude.

joe1821
Apprentice
Apprentice

Yes 2FA can work my friend, but my bank uses it and it has PREVIOUSLY saved security questions that you put in yourself and you can use your youngest sister's middle name or your favorite teacher's name in grade school (examples) or other things that NO ONE but you knows and you'll have them in your brain until you die, so there is NO need at all for them to force you to get an email with a code THEY chose at random that is also just long enough to be difficult to remember, and CANNOT BE COPY/PASTED either.  It is also more important that IT SHOULD BE OPTIONAL for each user so that the user of the system can decide, at his own risk whether he wants that much security.  A disclaimer statement would resolve any concerns ARLO has about breaching your system.

dcfox1
Master
Master

Once they make a PC a trusted device as Arlo posted yesterday you won't need a code after you make it a trusted device. So you can keep 2FA off until they said that would be implemented. 

arseasttle
Apprentice
Apprentice

<<Once they make a PC a trusted device as Arlo posted yesterday you won't need a code after you make it a trusted device. So you can keep 2FA off until they said that would be implemented. >>

 

That's if you happen to be at YOUR computer when there's an alert. Funny thing is that I'm not as concerned about alerts when I'm sitting at home. But if I'm traveling, or staying someplace else for little while, I don't have that home computer with me AND I don't happen to have my phone in my hand at every second. The phone alert comes, I have to "follow the bing" to get to my phone, wake my phone, go to the alert, see the code, REMEMBER THE CODE -- 'cause, ya know, heaven forbid you be allowed to copy/paste it -- enter the code, and THEN I get to see what, the person running away from my house with my stuff? (Or another raccoon?)  And increasing the time you have to enter the code wouldn't help 'cause it's the whole delay thing that's the problem. 

When you compare it to a bank requiring a code, you're missing the point about urgency. , When you need to enter a code or pin with a bank site, you're usually not responding to the bank alerting you that someone's standing at your safe deposit box trying to get in . . . there isn't the same kind of time pressure concerns with . . well, with anything but security.

As I've stated before, there's no real reason there can't be an opt-out but, even more, there's no reason you can't have us set our own pin numbers. The system Arlo's trying to "perfect" is dependent on so many factors, some of which, like mail server timeouts and internet/cell signal, that it's being set up to fail. If each person sets a pin, NONE of that is a factor. Right?

dcfox1
Master
Master

@arseasttle Your missing the point you "Will Not" need a code after you make it a trusted device once. Same as your phone is now. It is not active yet. As I said they posted it is not yet but is coming so mean time you can turn "2FA OFF" on the web page. Started yesterday. If you missed the post by a Mod here yesterday, Go back a page or two. 

Ron123
Aspirant
Aspirant

Suddenly, Arlo requires two-step verification (which is a pain in the butt). And just as suddenly the base station fell offline and won't come back up even after rebooting several times. Cameras frequently fall offline, usually right when you needed them. A totally worthless unreliable security camera not even rising to the level of a toy.

 

No support whatsoever. No recourse. So sorry I wasted the money on this junk.

joe1821
Apprentice
Apprentice

I understand what you are saying about, "urgency" however I have no need for that aspect of this at all since I don't carry an Iphone or compatible.  You're right about your points, but as I said, in my case the only thing I need is to make it a password ONLY protected security system without the 2FA system which should once again ONLY be there as an option.

BHägg
Tutor
Tutor
Please let the user decide if additional authentication is required. Once you have a good implementation people may adopt it readily but why thrash all your customers
arseasttle
Apprentice
Apprentice

I don't think I'm missing the point . . . if I wrong, maybe I missed something. (Yes, I saw the "turn off" post, and turned it off, but that appears to be a temporary thing while they figure out how to implement it ... sigh.)

 

As I read things, and set things up, you can receive the code as a message OR as a push notification OR as an email, not all three. When I set it up last week, that was the choice I was presented with . . . one OR the other.  I did see that after I got the first code on my phone and got it entered in time -- just in time 'cause of the whole cut/paste idiocy -- the next time I did not have to do that on my phone. However, without the phone there, when I got the next alert, I had to log in on the computer and get a code sent to email . . . which took a little over 2 ½ minutes 'cause MY email server had refreshed just a minute before and things aren't instant. Authorizing the computer then "kicked off" the phone verification so, when I had the phone back in hand, I had to authorize the phone, which then kicked me off the computer.

 

All three active at the same time AND all three "verified" addresses/numbers/texts getting the same code right away AND the ability to cut/paste that code AND all "verified" phones/tablets/computers/etc remaining verified all the time OR let me set a pin. In the end, though, allow me to choose the level of security on my security . . . I want as instant a response to to an alert that's electronically possible; two-step verification adds an unnecessary delay in that process.

Coresong
Tutor
Tutor

According to a recent (yesterday) Arlo customer support twitter posting, Two-Step Verification has stopped being mandated. I suppose you are getting swamped with highly annoyed customer complaints about it making your system useless to many. The problem is now, that there seems to be no means to disable the two-step verification. I DO NOT WANT OR NEED YOUR ONEROUS INTRUSION,  when I purchased your system the horribly implemented two-step verification system was NOT PART OF THE BARGAIN.  You force this burden upon your customers, mandate it without any means of avoiding it, then make a public statement it is no longer required, but you fail to provide your customers with any obvious means of disabling it. Get your act together.  

 

You can also stop the shallow PR campaign about caring for your customers, trying to safeguard us. This mandated policy has to be the brainchild of your misguided legal counsel as a means to mitigate a possible liability in either existing for projected litigation. 

 

You care nothing for your customers, only your bottom line.

 

FIND A BETTER WAY. Shoving unwanted and unneeded mandates down the throats of your users is woefully bad customer relation planning. Provide this for those who may have a need, there are many of us who want no part of it. LISTEN TO YOUR CUSTOMERS!

CurbAppeal
Star
Star

@arseasttle 

Excellent summary of the actual issue.  I do not understand why people are not getting the point that many people need to be able to their system quickly.  Their methods are slow and cumbersome and will delay that process let alone not work well/quickly for people and may not be at their own computer or have access to their phone.

 

Like many things in life, many people have trouble thinking beyond their own little world.   I understand why people bring up a bank when discussing this re: trusted devices but I work in IT for a bank and accessing your camera is not the same thing.  This is a security system for most people.

 

I see it often.  Some banks that eliminate tellers/branches are in a similar situation.  They exclude a large portion of people that don't want or CAN'T bank online.  For some it may be worth it but it's sad.   What if every bank was online only?!   Non-tech people need to outsource their finances?  Horrible.

 

It appears as if Arlo is going down that same road and is intentionally excluding customers that use the product or they have tunnel vision that they absolutely need to implement 2FA without truly understanding  their customers needs.  If you want to live in that bubble, fine, but will likely cost the company a chunk of potential/current customers.   Hopefully another company will come along that will take advantage of that weakness.

dcfox1
Master
Master

Yes but when they make PC a trusted device available you will "not" need a code once you set it up the first time. So the code will be irrelevant. Yes it was in the past.  Until then they let you to turn 2FA off. If you want to use 2FA until then yes you still need a code. On page 6 here Arlo mod @ShayneS Posted the details . 

CurbAppeal
Star
Star

Oh my....no kidding!  Are you serious with this response?