Mandatory Two-Step Authentication (Verification) a Bad Idea

Chris67
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic: Mandatory Two-Step Authentication (Verification) a Bad Idea
Author: ChrisKay (Follower)
Date: 2020-03-07 10:51 PM

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

462 replies
dcfox1
Master

This all changed Friday if you read the post by the mod or click solution. 

CurbAppeal
Star

The entire Arlo community knows this already.....!

dcfox1
Master

@CurbAppeal Not all as some are still complaining about the code. That was what I was replying to. 

rose33090
Star

It also appears they are doing everything in their power to not even allow owners the ability to view alerts/camera from ANY device. Even yesterday, I was finally able to view incognito mode after weeks of losing the ability to view my camera from my phone or my brand new laptop!!! Today, not even able to use that. I'm guessing they must want everyone to buy new equipment but I will tell everyone I know that Arlo is a hit or miss, at best, and at worst, you spend hundreds to have a failure of a system.

EOSJOE
Apprentice

Soooooo... here I think I'm getting used to the 2FA thing. My iPhone and two iPads are able to access Arlo cameras without any issues or prompts. Then last night something triggers our driveway camera, I grab the iPad to see what it is and what do you know the darn thing suddenly wants to authenticate. Of course my iPhone is upstairs.

So I sat there not knowing what was going on outside... just like before I spent all this money on the Arlo system.

Does anyone know WHY after two weeks of accessing the cameras without issue it suddenly decides it needs authenticated?

Emc27
Initiate

I set up the April 2021 two step verification and now all day I have to ask for a 6 digit code to enter into the screen on my laptop to open the Arlo application to wait for the app to open the camera view. I timed it having my phone right in front of me and it takes a full minute. A MINUTE!! What good is a security camera that takes that long to open.
Forgot my phone in the other room and had to RUN and get the code.  This is NOT security, I might as well answer the door.
Searching for a wired system and will never recommend Arlo, ever.

hennesbe
Star

I get the code back on a txt within 5 seconds on both my Mac Air and I'm not on the 5G network and iPhone.

dcfox1
Master

You have to disable it on the web page on your PC, not the phone. 

BHägg
Tutor

Any tips?  I have a minute plus response & by the time I've switched applications, found the email & entered it I have single digit seconds left.  If something was happening outside, I'd never see it live ... I don't need that stress.

dcfox1
Master

Yes you can turn 2FA off as it is an option again on the web page on a PC unless you want it.

Coresong
Tutor

Yes, I eventually figured it out.. and it seemed they later added a kludge fix to the phone app as well. Still frustrating. More so due to the corporate arrogance displayed shoving this down our throats in the first place.

I know I will look to other options when I upgrade my current 4 cameras. I do not trust Arlo now, if they are willing to mandate "features" like this past event has shown, they are not worthy of more of my hard earned money. I will make certain not to recommend them to friends and relatives and make sure the sentiment is well expressed on various social media outlets. They have failed big time.

Coresong
Tutor

... and don't forget, they are willing to mandate you accept new "features", like a horrifically poorly implemented two-step verification, without any option to refuse it. (.. at least until the public outcry rose to a crescendo and people started talking about complaints to state AG's and possible class actions..)

They have now done this once, no telling what else they may do in the future. Time to look to other options....

rose33090
Star

Yep, when the 2-step went into full force, I could no longer login either on phone or laptop. Somehow the delay putting in the code created havoc.

Chris67
Luminary

Thank you Arlo for allowing me to turn off 2FA. I can report with a sense of relief that I have not been hacked yet. If Arlo are able to comprehensively and flawlessly allow multiple devices including PCs, Laptops, Tablets and other Cell Phones to be nominated as "trusted devices" without further need for authentication that would be acceptable to me. However, I acknowledge that it might not be acceptable to others. Making 2FA optional (with a disclaimer) for those that do not want that level of security would seem to be by far the quickest, easiest, cheapest and most acceptable solution and I am surprised that Arlo is not going that route. Why not?

If someone hacked into my system could that potentially compromise Arlo's servers and systems? I don't understand the true nature of the risk to Arlo of customers opting out of 2FA at their own risk. I'm trying to get a handle on why Arlo is dead set against allowing 2FA as an option. Is there even a remote chance that litigation could succeed if customers have been made aware of the risk, have been offered a means to significantly reduce that risk and have elected in the clear light of day that they will accept the risk and not take up the offer to reduce it? Any thoughts from the techies and legal eagles?

arseasttle
Apprentice

Exactly . . . and you bring up one of the biggest issues . . . why does no one from Arlo EVER actually come on and explain the policy? This has happened in the past as well. By not explaining the thinking behind the new policy, it leaves us all trying to figure it out in the void . . . with no real information, we're filling in the blanks by ourselves and, perhaps, we're missing something. The opt-out is the simplest solution to the biggest complaint. (And YES I know there's an opt-out option at the moment . . . that's supposedly temporary.)

I'll add one other thing to your elegant post: if you insist on a 2FA policy, WHY can't we just set a personal pin so that we can instantly sign in from anywhere? Wouldn't that relieve the timing/mail server/different device issues?

joe1821
Apprentice

@arseasttle Your quote:

"Exactly . . . and you bring up one of the biggest issues . . . why does no one from Arlo EVER actually come on and explain the policy? This has happened in the past as well. By not explaining the thinking behind the new policy, it leaves us all trying to figure it out in the void . . . with no real information, we're filling in the blanks by ourselves and, perhaps, we're missing something. The opt-out is the simplest solution to the biggest complaint. (And YES I know there's an opt-out option at the moment . . . that's supposedly temporary.)

I'll add one other thing to your elegant post: if you insist on a 2FA policy, WHY can't we just set a personal pin so that we can instantly sign in from anywhere? Wouldn't that relieve the timing/mail server/different device issues?"

I DITTO everything you posted here.  All we can do is wait now since they do not explain themselves to US THEIR CUSTOMERS.  Leaving us to guess at their reasoning is a poor policy and in this day and age of transparency Arlo should acknowledge that a happy customer is only going to stay happy if they know what they need to know about the system they are using.

anybodybutme
Aspirant

You just took a decent system and junked it up.  I'm posting bad reviews on every platform I can find.  Had these for 3 years and it worked just fine but between this 2 step verification and push notifications you've ruined this brand.  Will not recommend to anyone and am starting to research replacement brand.

Just leave well enough alone, don't listen to people that are just trying to justify their existence.

AikaneKai
Apprentice

People have been telling Arlo for 2 years that their planned 2FA implementation is bad, but they refused to listen.  I am glad that they've finally realized they don't know what they're doing.  I hope they never make it mandatory again.  It basically broke my system.  If it comes back as required, I will dump the product for good.

ShayneS
Arlo Moderator

At Arlo, we are committed to providing peace of mind and privacy with our security solutions. Two-Step Verification has become a best practice and security standard across many industries to protect consumer data. This philosophy dictates that we ensure our users are afforded the highest level of security when accessing data on their Arlo accounts. Our decision to implement mandatory Two-Step Verification aligns with this philosophy by adding an additional layer of security to protect your data. We sincerely hope you understand our main intention is to protect your data.

For more information on how to enable Two-Step Verification, please visit the following article: What is two-step verification and how do I set it up?

arseasttle
Apprentice

Shayne S,

First, thank you for replying, though you don't really address any of the questions posed. So, in hopes that we might get a reply, as opposed to just a reiteration:

1. HOW does 2-step verification protect my data and why can't I CHOOSE to turn it off? If I'm willing to take the responsibility, how or why does that affect Arlo?

2. WHY can't all methods of alerts be active at the same time?

3. WHY would setting our own pin be any worse than receiving a code? Taking the whole send/receive/enter steps out of the equation would greatly decrease the response time, right? If you insist on security every time I get an alert, having my own pin means I'm not waiting for Arlo. Why is this not a reasonable option if you insist on verification?

That's really it . . . you've obviously seen the comments. Arlo must know that customers are rewriting reviews on Amazon and other sites, warning people away from your products. Why alienate your customer base when making this new system opt-out would satisfy all who want the extra security and those of us who are willing to leave things as they are?

Please. Don't you think we have a right to get some actual answers at this point?

StephenB
Guru

Let me say up front that I'd much rather make 2FA an option. I haven't enabled it on my own account yet - I was hoping Arlo would end up deferring making it mandatory until they allowed browsers to be trusted. I'm happy they did that.

@arseasttle wrote:

1. HOW does 2-step verification protect my data

3. WHY would setting our own pin be any worse than receiving a code?

These parts should be self-evident. 2FA ensures that you explicitly authorize every login for your account - either because you authorized the specific login, or because you explicitly authorized the device that is accessing the account.

Security in general depends on a combination of something you know (e.g., a password or pin), something you have (e.g., your phone or ATM card), and something you are (biometrics like fingerprint or face recognition).

2FA combines something you know (the account password) with something you have (a trusted device). That definitely helps prevent others from accessing your data (and deleting your videos). But as we all know, it also makes the system harder to use.

Setting a pin doesn't combine those two things. It amounts to adding a second (generally weak) password on top of the existing account password. Combining a pin and a password is equivalent to making the password a bit longer - really no point to it.

arseasttle
Apprentice

Thanks for the reply . . . some interesting information. I guess I get stuck on one thing . . . exactly WHAT are they securing? I don't have a monetary account with Arlo, so it's not like there's credit card information on there. So, it seems to me they're protecting my videos? Is that it? Or are people cracking passwords and getting into the Arlo network for some reason? (Requiring stronger passwords takes care of that, right?) I'm not being facetious . . I honestly don't understand WHAT suddenly is at risk. And, like even you admit, how does allowing us to opt-out, with some sort of legal disclaimer if possible, put Arlo at risk.

About the pin thing . . I guess I understand but isn't the point, basically, to make sure it's ME that's accessing the system? What difference does it make if I'm doing it through my phone, my computer, a computer that I'm using when I'm away? What I need most is FAST access and that isn't always possible with the "receiving a code" setup. As has been posted about before, there isn't always reliable cell or wifi service when someone's traveling. Email servers can take their time and, especially in cities, I've had messaging go out completely . . . requiring me to get a code when signing in, if I happen to be somewhere else, simply takes too long and defeats my security. (And yes, I've spoken to delivery people through the camera.)

Lastly, and again I'm being serious . . . what am I supposed to be SO worried about, security wise, that I need to participate in a system that makes it take longer to see what's going on on my security network?

pc2k17
Hero

Arlo is securing their own arse. If a person's Arlo account gets hacked and the videos end up on the internet, person may try to sue. This is to CYA and put the reason for the hack on the end user for having a weak password.

Arlo is also doing this because..... Using the latest in online account security makes for good marketing.

StephenB
Guru

@arseasttle wrote:

 I guess I get stuck on one thing . . . exactly WHAT are they securing?

A bunch of Ring accounts were hacked back in 2019 and that led to quite a few nasty outcomes.  Three snippets from a news article:

  • A hacker allegedly got into a Ring camera and told an eight-year-old girl he was Santa Claus and asked if she wanted to be his ‘best friend’.
  • A plaintiff was watching TV with his teenage son when a voice through the camera allegedly asked them what they were watching.
  • An older woman at an assisted living facility was allegedly told “tonight you die” and sexually harassed through the camera.

Ring itself apparently wasn't responsible for the security breach. Per the press reports, it was a result of "credential stuffing". Many people use the same login and password for multiple sites (even though it is bad practice). So when login and passwords are leaked from one site, hackers will attempt to apply those credentials to various other sites. Some of those attempts will succeed.

2FA is an effective defense against credential stuffing - and Ring ended up making 2FA mandatory over a year ago.

While I still would prefer 2FA to be optional, I can see why Arlo would disagree (even with a release form). 2FA that includes PCs as trusted devices is a reasonable middle ground.
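
A minimal sketch of the login flow StephenB's two replies describe, added here as an illustration and not taken from the thread or from Arlo's or Ring's code: a correct password alone stalls at the code step unless the device holds a token issued after an earlier verified login, which is why a password reused from another site's leak is not enough. The `Account` class, its fields and the sample password are constructed for this example.

```python
import hashlib, hmac, secrets

def _h(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so stored values are not directly replayable.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    """Toy account record (hypothetical; not Arlo's or Ring's implementation)."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw = _h(password, self.salt)
        self.trusted = set()   # hashes of tokens held by enrolled devices
        self.pending = None    # one-time code sent to the owner, awaiting entry

    def login(self, password, device_token=None, code=None):
        """Return (status, new_device_token); status is ok, need_code or denied."""
        if not hmac.compare_digest(_h(password, self.salt), self.pw):
            return "denied", None
        if device_token and _h(device_token, self.salt) in self.trusted:
            return "ok", None                        # trusted device: no prompt
        if code is None:
            self.pending = f"{secrets.randbelow(10**6):06d}"
            return "need_code", None                 # delivered by SMS/e-mail/push
        expected, self.pending = self.pending, None  # single use, right or wrong
        if expected and hmac.compare_digest(code, expected):
            token = secrets.token_urlsafe(32)        # stored only on this device
            self.trusted.add(_h(token, self.salt))
            return "ok", token
        return "denied", None

def demo():
    pw = "Summer2019!"                               # constructed sample password
    acct = Account(pw)
    # Owner, new laptop: password, then the code read from the phone
    # (acct.pending stands in for the delivered message).
    s1, _ = acct.login(pw)
    s2, token = acct.login(pw, code=acct.pending)
    s3, _ = acct.login(pw, device_token=token)       # later: no prompt
    # Same password replayed from a device that holds no token and
    # cannot read the owner's messages: it stops at the code step.
    s4, _ = acct.login(pw)
    s5, _ = acct.login(pw, code="not-the-code")
    return [s1, s2, s3, s4, s5]

if __name__ == "__main__":
    print(demo())
```

A user-chosen PIN would only be a second argument to the first check in `login`: it is another value that is known, so it leaks and replays the same way the password does.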

dcfox1
Master

I still had a ring camera and for reasons @StephenB  stated (it was all over the news) they had it mandatory a year ago without an opt out option even at the beginning. It was at least at the time no PC as a trusted device. But at least Arlo now has it optional until a PC can be trusted.