Arlo|Smart Home Security|Wireless HD Security Cameras

Mandatory Two-Step Authentication (Verification) a Bad Idea

Reply
Chris67
Luminary
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic:

Mandatory Two-Step Authentication (Verification) a Bad Idea

Author:

ChrisKay (Follower)

Date:

2020-03-07 10:51 PM

 

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

462 REPLIES 462
Nichols55
Star
Star

Arlo you must keep ALL users in mind when creating.  My mother is 88 next month and struggles with just the one step.  Plain and simple.....it is a hassle and we don't want it to be mandated.  My analogy is this: 

 When I go to unlock my front door at home, I don't want to have to run to the back door to get the code for the front door.  I've already locked the front door, so it should be secure.  You follow?  🙂

Resuna
Guide
Guide

Re: https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/181...

This has been marked "solved".

 

Simply declaring 2-step authentication is required is not an "answer".

At the very least a time-based authentication, supported by third parties such as Google Authenticator or 1password, or a challenge response dongle such as Yubikey, should absolutely have been implemented before making this mandatory. SMS based 2FA shouldn't even be an option as it encourages theft of services through hijacking phone accounts to bypass it.

Arlo MUST explain why they implemented such a broken scheme instead of following best practices.

WebDancer
Apprentice
Apprentice
Hello Arlo representatives-

Yesterday I was mandated to activate your 2 step verification process. Kindly share with your development team-

1. It would be best to give your customers an option to use this. There are many of us that don't want this, even though YOU think we do and that you are doing us a favor.

2. I use a laptop or desktop computer 9 hrs a day 5 days a week. Yesterday I had to enter a 6 digit verification code EVERY 20 MINUTES when your software timed out.

There is no option to mark my computers as trusted devices.
Kindly quickly and efficiently fix this or I will take my business elsewhere.

I have very little patience with this when I have to enter a code EVERY 20 MINUTES to view camera feeds on your website.

3. Stop contracting your customer service calls out to an overseas call center who provide little to no help, and English is not their primary language. I am beyond talking with people who read scripted answers off a screen.
WebDancer
Apprentice
Apprentice
Hello Arlo representatives-

Yesterday I was mandated to activate your 2 step verification process. Kindly share with your development team-

1. It would be best to give your customers an option to use this. There are many of us that don't want this, even though YOU think we do and that you are doing us a favor.

2. I use a laptop or desktop computer 9 hrs a day 5 days a week. Yesterday I had to enter a 6 digit verification code EVERY 20 MINUTES when your software timed out.

There is no option to mark my computers as trusted devices.
Kindly quickly and efficiently fix this or I will take my business elsewhere.

I have very little patience with this when I have to enter a code EVERY 20 MINUTES to view camera feeds on your website.

3. Stop contracting your customer service calls out to an overseas call center who provide little to no help, and English is not their primary language. I am beyond talking with people who read scripted answers off a screen.
SMaster
Tutor
Tutor

GET RID OF THE MANDATORY TWO STEP VERIFICATION! DON'T NEED IT, DON'T WANT IT!!!

 

 

TomMac
Guru Guru
Guru

PCs need to be trusted devices...  many other companies do this, Why not Arlo too.

--------------------------------------
Morse is faster than texting!
--------------------------------------
timbs
Initiate
Initiate

I regret purchasing this system and am considering replacing it with something else.  In the interim can I find out how to eliminate the two step verification hassle of having to be where I can get to my email to retrieve the pass code.   (After jumping through these hoops it is too late for me to do anything about what is happening anyway.  Result is this is a useless product.)  I'm only interested in the security of my home and property, not this system.  This system should be ready to go 24/7 with out having two layers of "open sesame" in the way.

EWiseman
Initiate
Initiate

Totally agree.  Requiring two step authentication is a disaster!  With the requirement to log in after a brief period of activity this two step authentication is required many times a day.

When I get an Arlo alert from my phone I want to check for that activity.  When sitting at my computer I like to do so from my PC where the images are larger and viewing is better.  Logging in to view the library and see the recorded motion already took some time.  The increased delay of having to look up an email and enter the code further lengthens the time before I can see the nature of the alert.  Robbers now have time to enter my home and watch me trying to bring Arlo up before I am aware of them!

I have quit checking Arlo.  This seems like a betrayal of the functions promised by the system at the time of purchase.  They should offer to buy back the equipment.

Or better yet just make two-step authentication optional.

dcfox1
Master
Master

@WebDancer  Why not use push notification instead of SMS as there is no code to enter, just press approve on the phone. 

AlienBeans
Initiate
Initiate

I hate this 2 factor authentication too.  It's completely pointless IMO.   I hate the fact that we can't just view a live feed as long as we want without the site timing out too.  It's completely ridiculous that the website when viewed IN MY OWN HOUSE times out and drops connection. 

joe1821
Apprentice
Apprentice

My friend, they are not doing this as a FAVOR to their customers.  It doesn't work that way.  They are doing this to help protect THEIR asses.  If the likelihood of someone gaining access to your cameras is reduced by any means they use, THEIR asses are better protected against a lawsuit, and THAT is the ONLY reason they are implementing this policy.  They are also going to lose a LOT of customers because people don't want to have to enter more than a password to access their OWN security system.  If you as a customer want to improve your security all you have to do is CHANGE your password.  So Arlo will do ALL they can to reduce their liability and they DON'T care if it inconveniences their customers.  What they are not realizing is that their customer base is going to suffer from this ABSURD policy.

Willyscj3b
Initiate
Initiate

I have two Arlo accounts its makes me 2 step on each on when I go back and forth.

 

This is a fix for something that wasn't broken.

WebDancer
Apprentice
Apprentice
@dcfox1

Great question! I initially and quickly set it up for SMS text, a few hours later went back to change it to push messages but there was no option for that.

Although push is a little more efficient, I and apparently many other customers, don't want this nuisance.

The best thing for the software team to do is roll this back until it can be made optional. Let the customer decide, don't force this on me.
WebDancer
Apprentice
Apprentice
@AlienBeans

Totally agree it is ridiculous. It is incredibly annoying that I must log in with a 6 digit pass code every 20 minutes in my own home on my computer at the same IP address.

The software development team didn't think this through.
WebDancer
Apprentice
Apprentice
@TomMac

Other companies, with happier customers, made this an option not a mandate.

Not sure I understand why I must accept this software change. Was pretty happy when I found the "turn it off option" in the fall. Thought they would leave it at that, but sadly they didn't.

My system is 3.5 yrs old. Hardly any problems along the way. It's worked very well. Was thinking about updating to one of their new systems soon, not now. If this isn't rolled back very soon, will be researching other options sooner, as opposed to later.
dcfox1
Master
Master

@WebDancer wrote:
@dcfox1

Great question! I initially and quickly set it up for SMS text, a few hours later went back to change it to push messages but there was no option for that.


Did you try it on your phone, not the Web page under the edit part? I have the option to add or change to SMS since I already have Push set up. 

WebDancer
Apprentice
Apprentice
@dcfox1

yes I did, just email under add another option on my android.

And you can't make any changes on the website, has to be through their app on a phone or tablet..... which is also annoying.

Willyscj3b
Initiate
Initiate

This  mandatory verification is a real hassle for anyone who uses a PC as a primary means of checking their cameras.

 

I have two four camera systems and have to enter a new verification code from my phone each time I login or switch systems.

 

There was no problem with security. There was no reason to do this.

 

I plan to go on every website where Arlo is sold and post a negative review about this new feature. 

 

I encourage all other users who are peeved at this unnecessary burden to do the same.

 

I have two very expensive systems that are now a pain to use. 

 

I wonder how long Arlo will allow this post to stay up?

WebDancer
Apprentice
Apprentice

@joe1821

Not sure what they are protecting their a about on my feeds. You would get bored watching the squirrels, possum, fox, and coons. In another month, humming birds will be in the mix.

The best thing Arlo can do for their customers is roll this mandate back to allow the option. The negative feedback on the Community Forum is significant, and in multiple conversations with a supervisor at the call center, the calls from upset customers are many and escalating.

Since Arlo has been quiet and not stepped up to address this, customers are taking to Amazon and Bestbuy and sharing their displeasure and low ratings. Customer feedback in bulk in short period of time like this can kill sales and put a significant dent a company.

I hope they soon see the light.

WebDancer
Apprentice
Apprentice
Dear Arlo Moderators,

What is the status of this forced 2 step verification process?

Are you going to keep it, or give your customers an option and choice to participate?

I, and many others, would appreciate some feedback.

Warm regards, WebDancer
joe1821
Apprentice
Apprentice

It's not the squirrels or anything else that is shown in your videos that matters at all; it's the breach in the system that allowed an outsider to sneak (crack) through.  That breach is a liability to Arlo and THAT is their number one concern because it affects their bottom line if they are sued as a result of someone gaining access to your system.  As you said however, the biggest thing they SHOULD be concerned with is the loss of many customers, as I too am already shopping for a different system that will allow the OPTION of how the user logs on.  I am NOT going to continue day after day to spend all my time trying to access my own account, having an email sent to me with a code that might have to be physically written down because it's just long enough to be challenging to be remembered, and then having my 2 minutes run out before I can log into my own system.  My bank does that but only on a very rare occasion if I haven't logged in for a long time.  The idea of a security system however is that you can quickly check up on your property and not have to, "jump through hoops" just to get to your cameras.

Chris67
Luminary
Luminary

But if Arlo have made 2FA Mandatory by default (as they have now done) and give a customer the option (at their own risk) to turn it off, there is hardly likely to be a successful litigation.

joe1821
Apprentice
Apprentice

You are 100% right my friend; they could just put a disclaimer in the program that your system will be at a higher risk of intrusion and that you are accepting that risk by, "Opting OUT" with the click of the mouse!

WebDancer
Apprentice
Apprentice
@Chris67

I would happy to accept my own risk when I opt out!

If I'm not given the choice soon, Arlo will have made a choice for me.
joe1821
Apprentice
Apprentice

Chris, why don't you do us ALL a favor and contact them and tell them to review our suggestion?  The suggestion would cover them legally and I am positive that the liability is the ONLY real reason they have made it mandatory.  If they include the 2 step as an option that the user can activate at any given time, it would be obvious to Arlo that there is no reason to have it MANDATORY and they would also satisfy their current customers.  It would also encourage any future customers when they hear that Arlo accommodated us with this compromise.