Arlo|Smart Home Security|Wireless HD Security Cameras

Re: Mandatory Two-Step Authentication (Verification) a Bad Idea

Star

I have opened up a support case with Arlo and requested a solution to my use-case so that I can continue to use the Arlo cameras that I purchased despite the upcoming 2FA roll-out.

 

We monitor an elderly person from within the same home when she's in a different room.  We have caregivers who come and go, and each and every one of them needs to have access to the camera during their shift.  Obviously this would be impossible with a 2FA scheme that requires the second factor to be common to everyone (we need the exact opposite of a second factor -- quick and easy sharable access to the cameras).  I'd be more than happy to make the cameras entirely open with no password at all and rely on my network security.

 

In any event, I would encourage every single person on this thread to flood Arlo support with requests to have them provide a solution to satisfy your use-case if it be affected by this 2FA implementation.  I also pointed them to this thread and asked them to read it in its entirety.

 

Open your support request here: https://www.arlo.com/ContactUs/SupportRequest.aspx


Model: ABC1000 | Arlo Baby
Apprentice

For the time being I have turned off 2 Step Verification in my profile and am not being inconvenienced by having to enter a verification code every time I log into myarlo from my desktop browser. I can't see why Arlo wouldn't keep this option available rather than making 2SV mandatory. What is the risk for Arlo? It is my data and Arlo have offered to provide a higher level of protection but I have declined.

 

A response from Arlo on the future implementation of 2 Step Verification would be welcome as it is worrying countless CUSTOMERS.

Model: VMB4000 | Arlo Pro/Pro2 Base Station
Guide

Conveniently, the Arlo Support new case confirmation email comes from a Do Not Reply address. And, with no web portal link to follow up on it. This is my first ever Arlo support request.

It's now been 4 days since submitting my request, and still no reply.

Initiate

Another problem with 2FA.  When I'm in the app and the text comes in, the 2FA code is not fully visible in the notification (I have a smaller phone).  So, I have to leave the Arlo app to get the full code.  When I come back into the app, it requires me to request a new login, and around we go in circles.  So it appears to be impossible for me to log in w/ 2FA from this device.

Initiate

I'm not sure why there isn't an "Affects all users under all products" category since 2-step authentication affects everyone, but I'll start under this category since I still have my original Arlo cameras.

So, I have a Question/Concern about the new, upcoming, mandated 2-step authentication.

I do not allow my Arlo app to run in the background of my Android device because it is a resource pig since it is trying to constantly talk to your servers.  And I assume it sucks up data plan minutes when away from my home network were I to leave it on, minutes better used by other applications (like email).  I enjoy allowing my battery to run for a day or two without need for a charge rather than half a day because of resource hungry applications like yours, and I like not paying for more cellular data than I need.  So, when I need to address something or enable or disable settings within my Arlo system, I log in to the app, make the change, and log out again.  When my cameras are enabled they are set to send me emails when motion is detected so I can respond accordingly, and when they aren't enabled they do nothing; this is the ideal setup and use case for myself, and probably others.

I also use a VPN software on my phone so I am masked and can't be tracked, because I treasure my privacy - the same reason I have security cameras, because I like my privacy (and hate thieves).  The application works fine over my VPN, but my concern is that once I enable 2-factor verification those rules about only needing to register a device once with the 2-step verification will go out the window BECAUSE I am using a VPN, and then EVERY SINGLE TIME I want to log into the app I'll have to go through these additional authentication steps.  Is this true?  Has this been tested?  Because if it IS true, then you need to build in an option to opt out of the 2-step process, have a setting to only present it every 10 or 20 logins or once every X number of days, or verify the specific application via an install serial for every Arlo app installation rather than based on devices credentials.

This additional security works great over a wide-open network, but as I have discovered with a LOT of non-/less-essential and much less time sensitive applications, 2-factor authentication EXTREMELY hinders a quick login.  Time that could mean the difference between scaring off a potential thief or having to file a police report and likely never seeing my property again.

I get the reasoning behind the additional security, but you need to prepare for allowances if they haven't already been addressed.  I know that complicates things a little and costs a few extra dollars, but that's money easily recouped by a larger user base knowing that considerations were made for differing use case scenarios and current and future users recommending your products to family and friends.  Word of mouth is a powerful marketing medium, and given that yours is far from the only option available anymore - unlike when you first started out - I would assume that would be paramount to your business model instead of simply popping out more products without fixing the hindrances that can plague a company.

Thanks for any feedback on this type of user setup and the functionality, or lack thereof, with VPN and 2-factor authentication, and any workarounds should it be the problem I expect it will be.

Initiate

I am not happy with the two step verification and it needs to be a choice. I bought a system and have five cameras. If this goes through I will have to buy another live system so that I can get access to my cameras when I get an alert or hear a noise outside.

Tutor

I'm dreading the mandatory two step authentication. Normally I don't mind this but it's already very slow to log into the arlo system and get a live feed. If there's something I want to investigate from one of the cameras it's usually long over by the time I get logged in and get the camera to come online. Two step authentication makes it much longer and I'll have to have my phone handy for the code. I really hate this idea.

Luminary

Just as I was thinking the Arlo products were maturing and starting to approach being more reliable, Arlo Engineering has yet again figured out how to annoy and even alienate customers!

 

I too unsuspectingly set up two-step verification on my iPhone. Only later, without having my phone handy, I learned that every time I ATTEMPT to log in from my desktop or a laptop I have to go through the authorization THAT REQUIRES MY iPHONE BE THERE TOO! There are times when the iPhone is not available to me, that's WHY I LOG IN FROM OTHER DEVICES!

 

Arlo's latest misdirected 'improvement' provides no option to make a user's desktop or laptop a "trusted device". So I turned off the two-step verification. If Arlo cannot get this right before making it mandatory, then I will no longer be using their systems. As it is, I have experienced so many annoying problems over the years with Arlo engineering, and worse with 'customer service', that I no longer buy any new Arlo products; instead biding my time and hoping alternatives come out to be more practical.

 

Martin

Apprentice

AMEN!!!

Model: VMB4000 | Arlo Pro/Pro2 Base Station
Initiate

Forcing two-step verification on people is a horrible idea.  Sometimes my phone logs itself out once per day.  When this happens, my phone does not know if I leave or enter the geo-fence boundary.  I have to open the app and log back in.  Once this happened four days in a row.  Am I really going to need to fiddle with 2fa now every time this happens?

 

Am I supposed to pull my car over each time I leave the geo-fence boundary, just to log back in to Arlo and fiddle with 2fa?

 

From previous experience with Arlo management forcing the geo-fence notifications on people, it is clear they do not listen to what customers want.  I no longer like the Arlo.  It has become a source of stress.  I feel like I am being forced to go to a competitor.  After spending $600 dollars on Arlo equipment too.


Tutor

This is really bad!
I strongly want a fast quick access system instead of a more secure slower accessible system.
Many times I need to log in quick like for the baby camera, to see that she is not falling out of the bed etc.
I don't want to wait for an SMS

Retired_Member
Not applicable

Problem solved! I replaced my Arlos with Wifi cameras, using Blue Iris on an old PC. Better video quality, and I don't have to rely on cloud computing. 

Guide

I need email for 2 step verification but am not sure when it is applied. Is email automatic if you do not request SMS and do not give a phone number?

Star

Please note that per a support request and a live chat with an Arlo support person, the Arlo Baby will be exempt from the requirement to have 2-factor authentication.  Here is a snippet of my chat:

 

==================================================================

  • If I use the Arlo App with the Arlo Baby I will NOT require 2FA, is that correct?

Yes, you do not.

Arlo Support

  • And I will NEVER require the 2FA for the Arlo Baby, correct?

5:22 PM

I believe that won't happen.

Arlo Support

5:22 PM

  • That is good news. I will capture this chat. Has your company seen the complaints from users regarding the 2FA implementation? It simply does not work.

5:24 PM

 

Yes the company have seen the complaints. 2FA is to double the security of the user's account. There are many hackers nowadays trying to break in the camera system by just getting the user's info. 2FA can prevent that from happening.

Arlo Support

==================================================================

 

While this may be the answer I'm looking for since I only have the Arlo Baby monitor, I hope that Arlo re-thinks bringing in this draconian authentication policy.

Model: ABC1000 | Arlo Baby
Aspirant

When my subscription for the cameras expires DO NOT RENEW it!! I will simply put all Arlo cameras in the trash. Unless you allow the option to keep ONE step verification. Like Ring has done.
I will be ordering new Ring cameras this week to replace Arlo, one every week.

Guide

Security implemented like this, by noobs and amateurs, is not security. SMS as a 2FA channel has been shown time and time again to be insecure, not being able to mark a device trusted - either permanently or for, say, 30 days - is an anti-usability pattern and it just looks like this is some corporate mandate come down to try to divest and protect management from being accused of allowing data breaches in the future.

 

If Netgear / Arlo thinks 2FA is a good enough idea to make it mandatory then perhaps following industry best-practise and using a TOTP generator with emergency access codes that can be saved away, not using SMS and making a device trusted is better.

 

Then there is the whole question of authorising OAUTH access for API access where 2FA is not possible.

 

Amateurs, lazy amateurs.
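
Added example, not part of any post in this thread and not Arlo's code: a sketch of the alternative the post above describes, with an RFC 6238 TOTP check, single-use emergency codes, and a signed "trusted device" token that expires after 30 days. The function names, the `user|device|expiry|signature` token layout and the in-memory account dict are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, at, window=1):
    """Accept the current time step and +/- `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * 30).encode(), code.encode())
               for d in range(-window, window + 1))

def second_factor_ok(account, code, at):
    """Try TOTP first, then emergency codes (stored hashed, burned on use)."""
    if verify_totp(account["totp_secret"], code, at):
        return True
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in account["backup_hashes"]:
        account["backup_hashes"].discard(h)  # each emergency code works once
        return True
    return False

def issue_trust_token(server_key, user, device_id, now, ttl=30 * 86400):
    """Value for a 'remember this device' cookie, issued after a full 2FA login."""
    payload = f"{user}|{device_id}|{int(now) + ttl}"  # assumes no '|' in the ids
    sig = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def device_is_trusted(server_key, token, user, device_id, now):
    """True only for an unexpired, untampered token bound to this user and device."""
    try:
        t_user, t_dev, expiry, sig = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return False  # malformed token: fall back to asking for the second factor
    payload = f"{t_user}|{t_dev}|{expiry}"
    good = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(good.encode(), sig.encode())
            and t_user == user and t_dev == device_id and now < expiry)
```

A login flow would skip the code prompt only when `device_is_trusted` returns true. A production verifier would also rate-limit attempts and reject reuse of an already accepted TOTP code.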

Initiate

I turned it Off, too.  Every time I use my home computer, to log in and check Library on a large screen, I have to verify (what are cookies for?).   I get charged $.20 for every Text.  Last month it cost me $7.50.  I have read that I can instead get an email, and email is back up, but I do not see that option.  I am only allowed to switch between Enabled or not.  I called Customer Service, but too long of wait times.

Initiate

Well, this is obviously an unpopular idea. The user should choose this feature. There is no reason to use two factor on the phone app since it's the same device used to get the second factor. It is hard enough to use the app to check your cameras but with two factor it slows down the ability to check, especially when a camera detects motion where there should not be motion. I left Ring due to bad implementation. I have 5 cameras and I would hate to invest in some other product. I hope Arlo actually reads these messages. BTW, the support and contacting Arlo directly seems impossible which is also a major thumbs down for me. It shows me they are not concerned with customer feedback and is very poor customer service.

Guide

I am on my second support person and still have no idea how you are supposed to select email instead of SMS.

Prodigy

Less than sixteen/16 days left. 😞

Prodigy

@Oldgeezer56 wrote:

I am on my second support person and still have no idea how you are supposed to select email instead of SMS.


You can't in the settings, but when you get to the page to enter the SMS code you can select "Try another verification method". Select your e-mail and a check mark will show up. It is a pain and you have to do it every time but it is a workaround if you need an e-mail. Not sure why it is not an option in setting up 2FA.  I called support and they verified that is how it works.

I really hope they were wrong or I missed something. 

Apprentice

Instead of opening cases on how to set email, SMS and post card notification we should be opening cases on how to avoid the 2SA mess altogether.

 

Initiate

I turned it off. very annoying.

While it is a good idea, and mandated by GDPR, the implementation is a joke. What I would expect is the following: (1) only require it once on a device or browser until there was no access for a period of time (say, 3 months) and (2) that the browser's autofill feature functions properly. At the moment, Safari autofill can't do its job because "paste" is not supported in the entry field ... who designed that, an intern?

Apprentice

Arlo, you have 2 weeks to fix this 2SV fiasco and allow trusted devices.

Prodigy

12 days left... I think we're going to be stuck with this requirement at this rate. 😞