Arlo|Smart Home Security|Wireless HD Security Cameras
ChrisKay
Follower

Making this mandatory is an exceedingly bad idea since it will slow down authentication and when it breaks—and it occasionally will—it will prevent access completely.  At least give the end-user the option of deciding how much protection to require for the account.

609 REPLIES
ant
Mentor

@SCKG wrote:

Does it say what year?  LOL!


2020. Arlo should just make it optional.

Chris67
Luminary

Arlo requires all users to activate two-step verification by Sept 30th 2020 to continue to access your recordings, devices and account ……..make that Oct 31st 2020…….make that Nov 30th 2020…………We really don’t know what’s going on so don’t hang around.

The utter incompetence of the Arlo “team” in implementing 2FA is beyond belief for a US$365 million Market Cap publicly listed company. This goes right through the Company: -

  1. The Board in not exercising due diligence in protecting shareholders from the screw-up and the actual and potential loss of long-term value,
  2. ARLO TECHNOLOGIES, INC. CYBERSECURITY AND PRIVACY COMMITTEE for not setting practicable goals and timeframes,
  3. The Project Planning Department for failing to carry out basic research into successful implementation of 2FA and failing to set out a workable plan,
  4. The Customer Support Department for failing to adequately communicate the 2FA strategy to customers and failing to respond to customer concerns.
  5. The CEO who is overall responsible for the successful implementation of 2FA.

Unless there are fundamental changes in Arlo both in personnel and culture, I cannot see a bright future for this company so there is no point in me hanging around.

Chris67
Luminary

I forgot to add to the list: - 

  6. The engineering Department for doing what they do best - making a complete disaster out of every update.

Gene2916
Star

I have been switching to Ring and everything is great for me! My opinion is that Ring is everything Arlo used to be and more!

CCNE37
Apprentice

I am interested in the Ring option.

 

One thing that interests me in particular is the scheduling ability. I use a lot of "Modes" for each camera and use the schedule to turn the 5 cameras on and off depending on time of day etc - for example, if we are home during the day only the front door is active, home in the evening only the outdoor cameras, and then through the night all are active. This is something that Arlo can do quite well, so I am interested in how well others (like Ring or Eufy) manage this.

Ozphoenix
Apprentice

This has to be a bad joke. I'm being stalked by someone and I often quickly check the cameras when I'm not home to see what is going on. If I have to 2-step authenticate EVERY TIME with a stupid SMS or email code when I want to check my own camera, that is horrendous and a huge waste of time. For me it is a safety issue.

 

From what I've experienced with other 'authenticated' devices, the authorised device doesn't stay authorised. Clearing the history wipes out the authorisation. 

 

I won't be enabling the 2-step crap. And if I can't get in after the cut-off date, the cameras will be junked to the bin. A waste of $800.00. 

 

Arlo, you stuffed up the resolution on the cameras to make them nearly useless, and now you want to make it very hard to sign in to them as well? What is wrong with your company that you want to perpetually screw over your customers???

Gene2916
Star

I have been switching my 6 Arlo to Ring and everything is great for me! My opinion is that Ring is everything Arlo used to be and more!

OttToyBoy
Star

A few days ago I was invited to a conference call with Arlo engineers and management who are responsible for implementing the 2FA solution.  Brevity isn't my strong suit but I'll try to be succinct:

  1. (as you have now seen), they confirmed that 2FA will not be enforced in October -- they are now targeting November.  I believe that this is largely so that they can find a solution for PC access.  Browser authentication was neither working properly, nor persistent.  They are aware of this issue and trying to find a solution that will be acceptable.
  2. As of our conversation, they were not planning to use "cookies" or any other non-persistent method for PC/browser trusted-device authentication (this is a very good thing and at least demonstrates that they understand the problem).
  3. They acknowledge that even with a working "trusted device" authentication, it will eventually need to be re-authenticated and could cause users to need to re-authenticate at the very worst time (e.g. while your house is being broken into).  Although this might only be an annual re-authentication, this should worry users.  I rent vacation properties and, while I was traveling in Africa, I was forced into the yearly 2FA for my account with VRBO.  I was unable to complete the authentication from abroad and was locked out of my account.  Subsequently, I was unable to send critical check-in information to my guests.  The takeaway?  Even if you think the current 2FA authentication is working for you, be prepared for nasty surprises at the very worst time.
  4. One question I had was: "What is the reason this is being pushed on us?"  I suggested that "it is obviously to protect Arlo from legal liability..".    No, they said.  Their position was that this is to protect our data (login information, remote access to cameras, stored video, etc.)  They did reassure that all data is encrypted and there is absolutely no way even for Arlo to access user passwords or user data including video.   So, I call B.S. on their reason for pushing this out.  If it's to protect me from me, then 2FA needs to be a choice, not a mandate.  Despite their answer, I believe this is motivated strictly from a corporate CYA mandate.
  5. I brought up the desire to have local access and not rely on the cloud.  They are aware of this user desire but made no commitment.
  6. I brought up the desire to be able to view video streams from more than one device at a time.  They are aware of this common user request as well but made no commitment.
  7. I brought up that many users are using the Python API (see: https://github.com/jeffreydwalter/arlo) and that the 2FA will likely break this.  They seemed unaware of this and suggested it was probably using non-approved APIs.  I'm not familiar enough with the GitHub API -- perhaps someone else can comment -- does the GitHub API rely on a previously officially published Arlo API?  If so, a strong case can be made that Arlo needs to provide a solution such that this functionality continues to work.  At minimum, I sent them the link to the GitHub repository.
  8. I sent them a link to this forum so that they could read user feedback.  I didn't post for quite a few days after our conversation with hopes that they would address concerns directly.  The engineers I spoke with did not seem to previously be aware of this thread.
  9. My own issue was that the iPad we are using would force me to authenticate every darn time I picked it up -- even if I didn't log off.  They said that probably meant I didn't make it a "trusted device".  I still don't quite understand this -- I thought the fact that I went through the 2FA hassle would make it a trusted device automatically.  Apparently there is another step that I missed.  I don't have access to the iPad for another few days to dig deeper but they have offered another call to help me with it if it's not working.
  10. I think that it would be helpful if we in the forum here come up with a list of use-cases that will fail once 2FA is forced on us. (For example, I feel that if I'm forced to re-authenticate at some random time within 365 days, that is a complete failure if I'm using the system for security monitoring due to risk of getting randomly locked out).
  11. Note that the management & engineers that I spoke with seemed entirely competent, understood the technology, were working hard on solutions, and sincerely wanted to solve the issues.  I get the feeling that this whole fiasco is being driven from a higher management who put down an edict "thou shall implement 2FA" when what they should have done was to identify specific threats and problems and use-cases and allow the technical team to find solutions that solve the problems without hobbling the product.  I feel for them.

I'm not sure if the above was helpful at all.... but it captures my interaction with the Arlo team.

 

SCKG
Apprentice

If you read thru the messages you are one of the few to have an actual discussion with Arlo.  Applause!  Applause!

oillogger
Apprentice
  1. (as you have now seen), they confirmed that 2FA will not be enforced in October -- they are now targeting November.  I believe that this is largely so that they can find a solution for PC access.  Browser authentication was neither working properly, nor persistent.  They are aware of this issue and trying to find a solution that will be acceptable.

Sure hope they do not use the IP address, as many of us will use a VPN service.

3. They acknowledge that even with a working "trusted device" authentication, it will eventually need to be re-authenticated and could cause users to need to re-authenticate at the very worst time (e.g. while your house is being broken into).  Although this might only be an annual re-authentication, this should worry users.  I rent vacation properties and, while I was traveling in Africa, I was forced into the yearly 2FA for my account with VRBO.  I was unable to complete the authentication from abroad and was locked out of my account.  Subsequently, I was unable to send critical check-in information to my guests.  The takeaway?  Even if you think the current 2FA authentication is working for you, be prepared for nasty surprises at the very worst time.

I bet it will be at the worst possible time.

4. One question I had was: "What is the reason this is being pushed on us?"  I suggested that "it is obviously to protect Arlo from legal liability..".    No, they said.  Their position was that this is to protect our data (login information, remote access to cameras, stored video, etc.)  They did reassure that all data is encrypted and there is absolutely no way even for Arlo to access user passwords or user data including video.   So, I call B.S. on their reason for pushing this out.  If it's to protect me from me, then 2FA needs to be a choice, not a mandate.  Despite their answer, I believe this is motivated strictly from a corporate CYA mandate.

I also believe CYA and 2FA needs to be a choice!

5. I brought up the desire to have local access and not rely on the cloud.  They are aware of this user desire but made no commitment.

They want the cloud because it generates ongoing revenue. 

8. I sent them a link to this forum so that they could read user feedback.  I didn't post for quite a few days after our conversation with hopes that they would address concerns directly.  The engineers I spoke with did not seem to previously be aware of this thread.

Not very believable on their part.

10. I think that it would be helpful if we in the forum here come up with a list of use-cases that will fail once 2FA is forced on us. (For example, I feel that if I'm forced to re-authenticate at some random time within 365 days, that is a complete failure if I'm using the system for security monitoring due to risk of getting randomly locked out).

Maybe a notification that 2FA will need to be renewed within the next 10 days, so you can renew it at a non-critical time.

11. Note that the management & engineers that I spoke with seemed entirely competent, understood the technology, were working hard on solutions, and sincerely wanted to solve the issues.  I get the feeling that this whole fiasco is being driven from a higher management who put down an edict "thou shall implement 2FA" when what they should have done was to identify specific threats and problems and use-cases and allow the technical team to find solutions that solve the problems without hobbling the product.  I feel for them.

Sounds typical. Been there, done that before.

 

Good job!  Thanks for the posting with all of the great information.  At least Arlo listened to you.  It still does not answer why there is not a posting from Arlo on the community site and/or your account of what they are doing about 2FA.

LandJS
Mentor

Two step verification sucks.  There has not been one day that I could access Arlo on my laptop without having to approve a min of three times before it would work.  Today was 10 times and twice told me it was approved and still wouldn't work.  Has Arlo ever done one thing right? There was already too much delay and now it is a nightmare with two step, and yes I followed the instructions for both.

Bette99
Star

My use case is very simple, but has not been prominently featured: I do not have a mobile device, so I simply cannot use the 2-step authentication as currently implemented, full stop. It requires a mobile phone number and cannot be activated without it. I have tried to supply a VOIP number, but Arlo checks whether it is in fact a mobile number, so rejects it.

Iaan
Tutor

I know this is an extra level of security. However, I use the phone for most usage and the bloody system keeps logging me out at the drop of a hat. This would constitute an extra delay in entry and exit 3 and 4+ times a day. I DO NOT WANT OR REQUIRE THIS AT ALL. Kindly do not push this on people, thank you.

Iaan .

CCNE37
Apprentice

Gene2916

 

Do you use the modes and schedule feature (or Ring equivalent) to schedule the Ring cameras to turn on and off ?

 

oillogger
Apprentice

Bette99, 

I know your VOIP pain quite well.  I had a suspected credit card charge so it got blocked.  The charge was actually a good one.  To unblock my credit card they would not accept the use of a cellphone or a VOIP phone.  Only an old school phone with a direct line run to the house was acceptable for a phone.  To bypass I had to go thru a lengthy verification process over my VOIP house phone asking a zillion and one questions.  In the end they had verified my complete life history.  All these businesses nowadays assume everyone has a cellphone without exception and that is just not true.  Arlo is making the same mistake.

Dave115
Tutor

Does anyone think that the 2-step might be a benefit to Arlo reducing people on their servers?  There is some reason why they want it mandatory!

dcfox1
Master

@Dave115 wrote:

Does anyone think that the 2-step might be a benefit to Arlo reducing people on their servers?  There is some reason why they want it mandatory!


I don't like it either, but most of the camera brands have already gone to 2FA or will soon. It is not a conspiracy; it is for security.

oillogger
Apprentice

The cloud provides Arlo with a steady repeating income source instead of the ups and downs with product purchases.  If anything Arlo wants you to purchase more of their expanded cloud services to increase their repeating income source.   Just like all of those free alarm systems after the monthly monitoring charges.

Nanlee
Luminary

Is the two part sign in verification really necessary? It is very inconvenient if I check my cameras on my desktop and, if my phone is elsewhere, have to run and find it to sign in, or vice versa.

dcfox1
Master

As said at the top of this page it will be mandatory after Nov 30.

Nanlee
Luminary

 does recognize my desktop computer as trusted

dcfox1
Master

That is because a computer can't be a trusted device, just phones, per Arlo. That is a big gripe in this thread. You will need to enter the 2FA code sent to your phone.

MikeLloyd
Guide

Agreed! Making 2FA mandatory is not going to help us. The only thing keeping me from switching from Arlo to another camera service is the flexibility they offer. Making things mandatory inclines me to switch.

oillogger
Apprentice

I have 2FA turned on and it requires an SMS code.  When I logged into my Arlo account I also noticed all recordings and the last camera image were missing.    I did a live view on one of my cameras and afterwards the last image was present for that camera.  It appears Arlo may have been working on the server and did some sort of reset.  Let's hope it was because they were working on our 2FA issues.

CCNE37
Apprentice

"does recognize my desktop computer as trusted"

 

So, it does recognise, or it doesn't recognise your desktop? Not clear here.

 

I am assuming a typo because no-one else has got their desktop to be recognised?