
Mandatory Two-Step Authentication (Verification) a Bad Idea

Chris67
Luminary

A reply to a topic you are following has been accepted as a solution!

Topic: Mandatory Two-Step Authentication (Verification) a Bad Idea

Author: ChrisKay (Follower)

Date: 2020-03-07 10:51 PM

 

I do not accept this as a solution. IT IS THE WHOLE PROBLEM

If you wish to shut down a topic for discussion please do not use trumped up solutions.

462 REPLIES
arseasttle
Apprentice

   

I guess there's some logic there, thank you. (Wouldn't it be nice if the Arlo reps actually engaged in conversation with us?) My cameras are all outside, and got no kids around, so I'm not concerned about someone hacking into the account to talk through the camera. Still think it should be my choice and that Arlo is going to lose a lot of customers. Changing the terms after people have spent a lot of money doesn't sit well.

 

They could also require a password change every few months or something like that. 

For me, it comes down to one simple thing: if I can't get on instantly when I get an alert, it's no longer a "security" camera. It's now a "hey, look what happened at your house while you were waiting for a code or trying to enter it correctly without cut/paste and/or your glasses."

Chris67
Luminary

Through ignorance and a lack of engagement and explanation from Arlo, I had reached the conclusion that 2FA was a level of security that was not necessary in my situation. As implemented, it prevented instant access to my cameras which is of paramount importance to me for security purposes and I was looking for the option to permanently turn it off.


Since then, after doing some research and reading the recent posts on this topic, I have come to understand the possible security issues that arise if hackers gain access to IT cameras. Besides being able to control your cameras and snoop on you and your family in your intimate moments, they could stream your videos, they could harass you and your kids by using the camera’s audio and they could demand ransom. They could spoof a friend at the front door instead of a “bad guy”. Paedophiles could have a field day. With the Internet of Things (IoT) and connected devices becoming more and more popular, once an IT camera is compromised, hackers could make lateral moves onto your connected devices and in theory turn off the alarm system, unlock the front door, raise the temperature of the fridge, turn on/off the lights, blast loud music around the house etc.
Whilst most hacks of IT cameras have in the past involved harvesting and then using vulnerable passwords, there is no guarantee that in future, more sophisticated methods and determination on the part of hackers could see more secure passwords and/or pins breached.


I now applaud Arlo’s recent decision on 2FA. That is to make it mandatory once they can successfully implement a process whereby multiple devices including PC's, Laptops, Tablets and other Cell Phones can be nominated as "trusted devices" without further need for authentication (or only infrequent need). That way, I can enjoy the added security of 2FA and have instant access to my cameras. Until such a time as Arlo allows “trusted devices”, I appreciate the ability to turn off 2FA.


One last thing. If Arlo’s culture had allowed it to take customers along with it in its decision-making processes a lot of the concern and angst could have been avoided.

joe1821
Apprentice

@Chris67:

I understand your concerns as you mentioned them and YES there most certainly are vulnerabilities in this internet world that MAY be very risky. However as long as Arlo provides "Trusted Devices" as part of their plan, and/or the ability for the user to decide on their own, IF THEY CHOOSE TO ACCEPT THE RISK, then Arlo will be fine for my system and many others. The main thing is to allow the USER to have a choice available and not be forced to follow a protocol that they believe will not be necessary in their own situation.

trickytcamgeek
Luminary

Based on the community feedback, it looks like Arlo won't meet my needs:

 

No option to bypass recording videos in the Arlo Cloud server!   If I am walking around my home naked, I don't want Arlo employees or hackers spying on me.   Your cloud server connectivity seems very sketchy.   I would prefer to have control of recordings in my home.

 

Zero notice is taken by management even when hundreds of people are complaining about problems in these forums. 

 

Examples:  An app update a year or two ago didn't work properly.  Obligatory two-factor authentication.  Charging users a monthly fee if they buy more than 5 cameras.

 

Sorry guys, but I am now crossing Arlo off my list!

Chris67
Luminary

I suspect Arlo are concerned with reputational damage if one of their cameras without 2FA turned on got hacked and the hacker then caused harm. The Media would have a field day e.g., “Arlo Camera hacked and young girl sexually harassed”. Even though Arlo had offered 2FA and the breach in security was solely due to the customer electing to turn it off, it would make little difference to the extent of reputational damage inflicted upon Arlo. This was indeed the case when Ring cameras were hacked. At the time it was widely considered that Ring should have done more to safeguard their cameras from hackers. Alas, therein lies the problem for Arlo in making 2FA a choice. I now hang my hopes on an effective implementation of “trusted devices/browsers”

StephenB
Guru

@Chris67 wrote:

Even though Arlo had offered 2FA and the breach in security was solely due to the customer electing to turn it off, it would make little difference to the extent of reputational damage inflicted upon Arlo


I agree that has to be a factor in their thinking. 

 

Also, many people who'd execute a release wouldn't really understand the risk they were signing up for.  Most of us simply click-through such agreements when they are getting in our way. 

 

While I'd prefer it to be optional (my own cameras aren't in the living area of my home), I do understand why they are choosing not to go down that path.   If PCs can be trusted, then the inconvenience of 2FA will be minimized. 

CurbAppeal
Star

All of this is great discussion re: 2FA but this disaster and chaos they have created has just pushed me over the edge. I have ZERO confidence in this company or system. I needed to see what was going on this morning and now all cameras show offline but are still recording with motion. I have NO WAY to see what is going on live. I'm sure I will get a 'reboot' reply or some nonsense. This system is not reliable in any way and should not be used for a security system.

d0lphin
Apprentice

We have suffered from this as well for quite some time. The system just continues to become more worthless as the days go by. At least now I know it isn't just my system so thanks for your post. Arlo needs to fix the bugs in the system before trying to field test it for mandatory shuffle step, and even then, mandatory needs to be an option.

hennesbe
Star

I have 3 outdoor cameras set up and rarely have any of the issues described by others here in the last year. Just thinking perhaps some of the issues described are the fault of their Wifi and not the camera system. My cable/internet was horrible for an extended period of time but after 6 months of working on upgrades everything is fine again. I do continue to use the two-step and. I have other applications that require two-step, one being my bank and they only allow one device as trusted.

Dizeman
Tutor

I think ARLO Jumped the Shark with this 2 step verification. Every time I attempt to view my cameras on my PC, I have to chase down my IPHONE to authenticate and if I have my phone charging and cannot get to it in time, I have to run back and forth through the house a couple of times just to check my cameras. I have recommended Arlo for three years, spent over $1000 on Arlo cameras and hubs, but THEY HAVE CONVINCED ME TO SEEK OUT OTHER SOURCES. 

Dizeman
Tutor

Looks like Arlo is adopting Facebook and Twitter's policy of avoiding any direct contact with their customers. This TWO STEP AUTHENTICATION is the worst idea Arlo has come up with and I think they are going to regret it. I am looking for other sources and will likely take all of my Arlo cameras down. UNNECESSARY PAIN IN THE BUTT!

aa1113
Apprentice

I was able to disable the two step authentication in the settings.  

Dizeman
Tutor

I have found no such option. 

Dizeman
Tutor

I just found the option to DISABLE... on my browser app. Thanks!

 

aa1113
Apprentice
I used my PC. It’s under your profile
arseasttle
Apprentice

You've made some great points, as have so many other users in these forums. So many of these issues, however, lead to the "optional" argument. If I had little kids in the house and thought that someone could hack into my Arlo system to talk to them, MAYBE I'd consider the two-step system. However, as someone who only has outdoors cameras, and no kids running around, making the system OPTIONAL makes the most sense. Everyone has a different situation and should have the choice. Making something mandatory, after I've made a pretty substantial investment in a system that, basically, was sold on something different, is not just bad business; it severely affects the usefulness and value of my investment.

 

asr

 

PS - I still think a private pin would work.

Chris67
Luminary

I have 2FA turned off and am using latest Chrome browser and using Windows 10 Pro 64 Bit 20H2 latest build on PC. I am using Android v 10 on my Galaxy Note 9 with latest Arlo app.

 

The problems that I am having are new and I suspect are related to Arlo “experimenting” with their policy to allow “Trusted Devices”. Is anyone else having the same experience?


When I log into my Arlo account from PC my live feed is disabled with the message “Your Arlo device appears offline”

Arlo 1 PC after login.JPG

This appears to be because I am already logged in on my phone. If I totally log out of Arlo on my phone then log back in on my PC, I can now view live feeds on my PC again.


If I then log into Arlo with my phone, I am logged out of Arlo on my PC.

Arlo 2 login PC.JPG

If I then log into Arlo on my PC, I am logged out of Arlo on my phone.

Arlo 3 Screenshot_20210502-203532_Arlo.jpg

As you can see from the above pic, it appears that I am not fully logged out of Arlo on my phone as there are options to “LOG BACK IN” or “LOG OUT”. Unless I use the “LOG OUT” option on the phone, the next time I log in from my PC, I get the dreaded “Your Arlo device appears offline” and I cannot view Live Feeds.

Arlo 4 log in again on PC.JPG

If, however, I use the “LOG OUT” option on the phone and then log in on my PC, I can use my browser to view Live Feeds. It appears that only one device at a time can be logged in to allow access to Live Feeds. I hope that this will not become a permanent feature of their “Trusted Devices” policy as this will cause enormous inconvenience for customers that use both phone app and PC browser interchangeably and for others who have been granted access. I can understand that there could not be simultaneous USE of Live Feeds from different devices but there should be ACCESS if Live Feed is not in use.


Unrelated I guess, but worth mentioning, motion detection recordings are unaffected by these events and show up in my library as usual.


I apologise for the tangled way that I have explained this problem, but I found it very difficult to fathom out what was going on and even more difficult to describe it.


I would be interested to know if others who have 2FA turned off and are using the phone app and PC browser interchangeably are experiencing the same issues.

Tbaby
Tutor

I use a smartphone (Android version 10) that has a fingerprint button. I was able to set up 2-step verification successfully on the phone app. I found it a pretty safe method.

Chris67
Luminary

To Tbaby

Do you also use a web browser on your PC or another device because that's when the problems arise?   I agree that 2FA works well if you only use your smartphone (the one that you initially set up for 2FA) because as the primary device (with your mobile number) it is automatically recognised as a "trusted device" and there is no need for further verification. 

Tbaby
Tutor

To Chris67.

Yes I do use a browser. In the app settings go into profile > login settings; there you should find what options you have. I chose fingerprint. I also noticed that there is an option for a pin (profile > assistant pin); not sure if this will help (haven't checked it out). Maybe that will help. I use fingerprint for banking app. Fingerprinting makes it easier to use on any pc/laptop, tablet, etc. without using login info on new devices. When I receive a push notification for either app all I do is press 'approve' or 'deny'. I just have to make sure my screen isn't locked so I can respond within ample time.

 

Chris67
Luminary

To Tbaby

When you log in with your browser on PC,  you say you receive the "approve" notification on your smartphone and have to touch the button before you can use your browser. Having to have your smartphone on hand to be able to  view live feeds in your browser on PC is what's concerning most people and also the delay the process causes.

Tbaby
Tutor

Chris67,

Yes. You will see the loading circle when it is approved, and you will be successfully logged. I recommend using the phone# on your account as your primary source of login, that way you can view all cameras online.

 

Chris67
Luminary

To Tbaby

Thanks for your responses but not wishing to be rude, you are telling me what I already know. I prefer to use my browser on PC to view live feeds (bigger and clearer view) and I don't always have my smartphone to hand. 

Tbaby
Tutor

Chris67,

Not being rude, but in these days in time keeping your cell on you is important, especially if you need to keep track of your security on the go. I'm not trying to tell you what to do, it's your choice. But if someone logs into your account, how are you going to know, if you are not carrying your phone? You can 'DENY' access right then instead of waiting til you get to your phone.

Chris67
Luminary

To Tbaby

"Trusted Devices/browsers" If you follow this thread you will see that Arlo are pursuing this solution after all the complaints regarding 2FA implementation.