Arlo|Smart Home Security|Wireless HD Security Cameras
× Arlo End of Life Policy Notice
To view Arlo’s new End of Life Policy, click here.

Reply
Chris67
Luminary
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic:

Mandatory Two-Step Authentication (Verification) a Bad Idea

Author:

ChrisKay (Follower)

Date:

2020-03-07 10:51 PM

 

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

462 REPLIES 462
AikaneKai
Apprentice
Apprentice

@dcfox1 

 

>Why some keep complaining about this is beyond me. A lot just post not reading prior posts that you can just turn it off or complain just for the sake of it. The requirement warning is even gone. 

 

Seriously?  How about because it was forced on for everyone without the option to turn it off.  Arlo didn't bother telling anyone (except up here, where probably <5% of owners come), that it was at least temporarily no longer required.  They forced it on, but never told customers that we could turn it off again.  You defend their stupid actions so vehemently that I can only assume you work there.

dcfox1
Master
Master

@AikaneKai  Nope don't work for them.  But they did post a while ago you can turn it off if you missed it. 

AikaneKai
Apprentice
Apprentice

@dcfox1 

 

>Nope don't work for them.

Maybe.  I'm not sure why else you'd be so sycophantic.

 

>But they did post a while ago you can turn it off if you missed it.

 

Yes.  Here, and only here.  They did not push that announcement out through their app, and you know they didn't.  They did not take any other steps to help the people whose systems they broke.

 

They forced it on in spite of knowing the problems it would cause.  Then, when everyone is dealing with the issues, they allow it to be turned off, but don't have the professionalism, or the courtesy or the intelligence to actually let the majority of their user-base know. 

 

If this forum was the best method of communication, they never would have pushed the 2FA announcement through the app.  They would have only needed to post it here.  Clearly they knew that a post here would not reach the majority of their user-base.

 

 

 

StephenB
Guru Guru
Guru

@AikaneKai , @dcfox1 :  I suggest discontinuing this debate - I don't think it will go anywhere useful.  

AikaneKai
Apprentice
Apprentice

@StephenB 

 

Wow, thanks dad.

StephenB
Guru Guru
Guru

@AikaneKai wrote:

@StephenB 

 

Wow, thanks dad.


Never good to see the children keep fighting.  

 

 

 

 

AikaneKai
Apprentice
Apprentice

It's also good to call out the facts of the case in spite of the fact that some people don't want to hear it.

Chris67
Luminary
Luminary

Spot on AikaneKai. Totally amateurish implementation of 2FA. Total lack of communication. Total confusion. A monumental fail. 

StephenB
Guru Guru
Guru

@AikaneKai wrote:

It's also good to call out the facts of the case in spite of the fact that some people don't want to hear it.


FWIW, I agree that Arlo should have done a much better job of communicating their decision to allow 2FA to be turned off again.  It was well communicated here by JamesC (and I think posted once on facebook), but there were no emails, in-app notifications, etc.  And I think everyone would agree that they shouldn't have mandated 2FA in the first place until the browsers could be trusted.

 

But you both made your points in your early posts, and the back and forth wasn't going anywhere useful - just repeating the same stuff over and over.

 

ShayneS
Arlo Moderator
Arlo Moderator

As part of our ongoing initiative to bring peace of mind through implementing the latest in best security practices, we will be resuming mandatory Two-Step Verification requirements for all Arlo users starting July 6th, 2021.

 

Many Arlo users expressed concerns with the original implementation of Two-Step Verification due to its lack of trusted browser support. We have been working very hard to address these concerns and are excited to announce that trusted browser support will be included before resuming these requirements. This will allow users to trust web browsers for 14 days when enabling Two-Step Verification so that authentication is not required for every login when using that web browser.  Most popular browsers such as Edge, Chrome, Safari and Firefox are supported. 

 

For more information on how to set up Two-Step Verification and trusted browser, please visit the following article: What is two-step verification and how do I set it up? 

 

Thank you,

Arlo Team

Webfeet
Guide
Guide

Just tried it. Turned on 2FA.  I signed in and did the 2FA with my phone. It then asked if I wanted to make my browser trusted. I clicked yes. Even thought it gave a "something went wrong" message, it still worked.  I logged out and then logged back in without 2FA being required.  Much better. Thank you Arlo.

joe1821
Apprentice
Apprentice

Arlo.... are you saying that the, "New" 2 step log-in is only able to be disabled for 14 DAYS starting on July 6th 2021??? If that is correct, then we are back to step one again!

If a trusted browser or device will allow bypassing the, "Two Step" login, but after 14 days it will no longer bypass the 2 step process, then we are right back to where we started in the first place and only have a two week period to allow a quick access to our cameras.  YOU must be kidding.  I honestly hope you don't actually mean this.  It will mean we haven't accomplished ANYTHING with our communications to you.

WebDancer
Apprentice
Apprentice
@ShayneS

"bring peace of mind through implementing the latest in best security practices".... this is lame

verifying every 14 days is silly and frustrating

why force implementation of this?

why does Arlo think customers have no brain, or that they need to be protected from themselves?
dcfox1
Master
Master

@joe1821 wrote:

Arlo.... are you saying that the, "New" 2 step log-in is only able to be disabled for 14 DAYS starting on July 6th 2021??? If that is correct, then we are back to step one again!

If a trusted browser or device will allow bypassing the, "Two Step" login, but after 14 days it will no longer bypass the 2 step process, then we are right back to where we started in the first place and only have a two week period to allow a quick access to our cameras.  


After 14 days you just need to enter a code again and it is trusted for another 14 days as with some banks. Better then not trusting at all as it was before doing it every log in.

d0lphin
Apprentice
Apprentice

This is still not going to work. If I log into my account from one device it kicks me off another so have to log back in again if I want to use the original device. You'd think Arlo was trying to protect fort knox. Who wants to watch the racoons wander around my house? Why would anyone want to hack my cameras? Anything my cameras see can be observed from the street so there is no need to hack them. As it is, I still have to wait couple minutes after cameras have tripped before I get a notification. By then, anyone around is long gone. This isn't a security camera, it's a log of past history. Just leave it alone. Two step is a disaster and waste of time.

pjama
Luminary
Luminary

Restarting this thread in "New Idea" because the previous one is locked and I don't really need "support" to help me through it. I just want Arlo to re-implement it properly.

 

@JessicaPThanks for the update on where you're at with 2FA but I think Arlo is still not listening.

 

> Many Arlo users expressed concerns with the original implementation of Two-Step Verification...

That is somewhat of an understatement.

 

> announce that trusted browser support will be included before resuming these requirements.

Yay!!!!!

 

> This will allow users to trust web browsers for 14 days...

Wait... what? Boooo!!!!

 

I've been a long time follower of this thread and I don't recall ANYONE suggesting this as a good idea. It's just wrong and won't fix most user's issues. Why not keep it optional? If you must impose a time limit, why not make it configurable? OR have a manageable list extra devices that have been given trust and be able to remove them using the primary device.

 

While I appreciate there can be a need for high security, it's not a bank and won't always require this level of security. If people want it or need it, the *option* should be there but not enforced.

 

I for one will not be satisfied with Arlo's solution. I don't always have my phone glued to me and my biggest concern is if that one and only trusted device is lost, stolen or broken and if I haven't enable my Home PC, work PC or laptop in the last two weeks, I'm all out of luck. I need to know I have a few devices I can rely on for access.

 

Please Arlo, listen to your users.

silverado44
Virtuoso
Virtuoso

This has to the dumbest thing I ever heard only 14 days then you have to redo it again this is nothing but typical Arlo screw up that some mastermind came up with. Man I cant wait to get rid of this system as Arlo had a very nice system and it has gone downhill ever since like video quality as the pro2 HAD a nice clear video/picture in the beginning and ever since the pro3 and up to the Ultra2 came out Arlo dump the quality on the pro2 thinking people are dumb enough to upgrade to the higher end product. What do you think is going to happen the Ulra2 after it get age on it and they come out with a higher product then the Ultra2? There's will go downhill also.   

pc2k17
Hero
Hero

Every bank I deal with trusts my browser forever unless I clear my cookies, then you have to reauthenticate. My guess here is the 14 days is a technical limitation of their system, that Arlo isn't using a persistent type cookie, but maybe some kind of server side implementation, or combo of the two, which could mean a large database replicated through out all their data centers. In that case it might make sense to purge records of people who may only use the browser every few weeks or once a month. However, it becomes an inconvenience to people who use the browser every day.

 

Just my two cents, I know nothing about how arlo implemented this, I'm just an IT guy taking a guess at the rational behind the 14 day limit.

Chris67
Luminary
Luminary

@ShayneS (Arlo Moderator) “As part of our ongoing initiative to bring peace of mind through implementing the latest in best security practices, we will be resuming mandatory Two-Step Verification requirements for all Arlo users starting July 6th, 2021”.

 

Why is it in Arlo’s company DNA to always be deceptive and misleading? This does not explain why 2FA has to be mandatory rather than optional. If it were optional customers could have “peace of mind” by turning on 2FA but if customers preferred convenience over “peace of mind” and a seamless security experience they could elect not to activate 2FA.

 

Why can’t Arlo be honest with its customers and call it as it is. Use words to the effect “For Arlo to more easily comply with worldwide regulatory requirements and to protect Arlo’s infrastructure and in order to reduce any likelihood of litigation, Arlo will be MANDATING Two-Step Verification”.
Arlo please do not continue to treat your valued customers as brain-dead morons.

 

Thank you for at least giving us 2 weeks of continuous trusted web browser usage.

Chris67
Luminary
Luminary

https://www.arlo.com/en-us/privacy-pledge.html  Protection. We keep your data safely secure. “We support industry-leading methods and practices designed to protect your account, such as giving you the option to enable two-factor authentication and access approval for new devices to verify it’s really you”.

 

Arlo, why do we not now have the option to enable 2FA as stated in your Privacy Pledge?

StephenB
Guru Guru
Guru

@pc2k17 wrote:

Every bank I deal with trusts my browser forever unless I clear my cookies, then you have to reauthenticate.

FWIW, a timeout on 2FA isn't unusual.  My employer uses a one week timeout - more aggressive than what Arlo is doing.

 

Two weeks is far better than every single time, so personally I am ok with it.

 

MDWORK
Guide
Guide
I agree!! Leave it optional!!! The two step still won't work for me. I have to exit a building go through security and get my phone to check email or mobile than go back through security back in the building to do a two step verification process. I need a different way to do this. Like security questions or something like that or leave it optional...I'm not able to do the two step and the cameras are not used for security purposes. Please! Please! Don't make it mandatory!!
TomMac
Guru Guru
Guru

Don't mind the 2 week login.... it's a pretty good time frame.

 

BUT, I still think it should be optional !

 

 

--------------------------------------
Morse is faster than texting!
--------------------------------------
StephenB
Guru Guru
Guru

@TomMac wrote:

Don't mind the 2 week login.... it's a pretty good time frame.

 

BUT, I still think it should be optional !


Yeah, I'd prefer that it be optional too.

joe1821
Apprentice
Apprentice

If this is their so called, "Solution" to the problem of this stupid 2 step verification, then ARLO did NOT accomplish anything at all with solving this frustrating problem.  We are right back at square one every 14 damn days.  I for one am in the market for a new security system and will pass on the information to my friends that ARLO is doing this.  There should simply be a, "DISCLAIMER" in the system to protect Arlo when a users CHOOSES to disable the 2 step feature.  Then everyone would be happy.  It seems that all of us complaining about this 2 step nonsense were going to be happy campers when Arlo said it would add PCs as trusted devices, but here we are back at square one.  ARLO,,, you are losing customers!!!