Arlo|Smart Home Security|Wireless HD Security Cameras

Mandatory Two-Step Authentication (Verification) a Bad Idea

Reply
ChrisKay
Follower
Follower

Making this mandatory is an exceedingly bad idea since it will slow down authentication and when it breaks—and it occasionally will—it will prevent access completely.  At least give the end-user the option of deciding how much protection to require for the account.

609 REPLIES 609
trembuzz
Initiate
Initiate

I created a 2-step verification but cannot "remove phone number/device" from my.arlo.com as the article suggests. I need to turn off 2-step verification just to be able to login to view my cameras and activate/deactivate them. If 2-step is mandatory after Sept. 2020 i could live with email code but now the phone dings every time I want to login unless I disable the process! W.T.F?

trembuzz

toshiue
Initiate
Initiate

This has to be the worst implementation of 2FA I've ever seen (retired IT Admin, S&P500 corporate).  First of all, every time??  Secondly, I'm not atypical in that both my spouse and I use such from different locations on different devices at different times.  I spent the Spring sequestered in Japan (Covid) as she was stateside.  I see no way your current plans for 2FA would have been anything other than another nightmare in such a similar scenario.  Adding another cumbersome implementation to using your product in such a diverse atmosphere is just absurd.  Before you force this upon us in five weeks, please revisit the issue and institute a workable 2FA.

ant
Mentor
Mentor

Ditto. 2FA should be optional like it had. I was going to try it before 9/30/2020 deadline that I got via e-mail, but it wanted a mobile phone number.  https://kb.arlo.com/000062288/What-is-two-step-verification-and-how-do-I-set-it-up says I can do push notifications and e-mails instead. Where are those options? I don't see it in my my.arlo.com web site account when enabling 2FA.  😞

Thank you for reading and hopefully answering soon.  

ant
Mentor
Mentor

@Tranceblast wrote:
This is what arlos email says:

"By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security."

Sounds like arlo make users to use two-step verification.

Arlo changed its deadline date to to 9/30/2020 from its no_reply@e.arlo.com's 5:06 AM PDT e-mail:

 

"...

At Arlo, our goal is to keep your personal information private and secure—that's why we support industry standards for data protection, like two-step verification.

By September 30, 2020, Arlo will require all users to enable two-step verification: an added layer of account security to verify that it’s really you, even if someone knows your password. Once authenticated, Arlo will verify your identity any time you sign in with a new device, to prevent unauthorized users from accessing your information.
We strongly encourage you to enable this feature now to continue to access to your recordings, devices, and accounts.

Go to your Arlo settings > Profile > Login settings > Two-Step Verification and follow the prompts.

Once authenticated, Arlo will verify your identity anytime you sign in with a new device, to prevent unauthorized users from accessing your information.

To get started, click "Learn More" below.

-The Arlo Team..."


Its "Learn More" link redirects to https://kb.arlo.com/000062288/What-is-two-step-verification-and-how-do-I-set-it-up.

I wanted to enable it, but it wants my mobile phone # 2 SMS me? Um, I don't want that. It said I can do push notifications and e-mails. Where are those options? I don't see it in my my.arlo.com web site account when enabling 2FA.

ant
Mentor
Mentor

@Jimbo435 wrote:

I bit the bullet, and signed up for  2-factor.

So far, only had to put in  a  code once.

Looks like it is just when you use a new device.


So, only phone number for 2FA when enabling it though? It asks for a mobile # 2 SMS.

ChadSmith
Star
Star

@andrewbnz wrote:

As previously mentioned I disagree with the approach Arlo is taking with 2 factor authentication. This should be opt-in or at the very minimum allow trusted devices.

The 2FA changes as they are will make the product/service behave significantly differently than it did when purchased and as a result it will no longer be fit for the purpose for which I purchased this.

 

Fortunately in New Zealand we have relatively strong consumer protection laws (I know Australia also has similar laws). Which provide a level of protection to consumers when purchasing products, this includes guarantees that products and services must be fit for the purpose for which they were purchased.


Exactly. I'm in Australia and will be contacting the ACCC if this goes ahead.

I have already sent a strongly worded email through to Arlo support about this proposed change.

ArloJess
Initiate
Initiate

The pitch is that 2-step verification will only be needed when one tries to logon from a new device. Well, I turned it on and now I have to go through the 2-step process each time I log on from my home PC - and that's without my VPN active. This makes logging on too time consuming, as I don't keep my cell phone on when I am at home. Definitely a bad idea as currently implemented.

EOSJOE
Apprentice
Apprentice

So what steps can we as Arlo customers take?   Can we institute a write-in or email campaign to Arlo stating our objection and that these changes will force us to dump the product and purchase something else?

 

Who should we contact?   It seems obvious they don't read these forums.

 

SCKG
Apprentice
Apprentice

After the Arlo Expert dropped me from the online chat, I requested via the Arlo case name that a manager contact me to discuss if an email option will be available for those Arlo customers, like me who do not use a cellphone/text messaging.  From the comments per this forum regarding the lack of Arlo customer service I suspect that isn't going to happen.

 

I do like the suggestion from a New Zealand user who recommends  checking the consumer protection laws.  I will file a complaint with the Federal Trade Commission/Bureau of Consumer Protection https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection; the Better Business Bureau; AARP; Consumer Reports and my state senators and representatives if necessary.  This new policy is discriminatory and an unnecessary cost for prior Arlo customers when a cellphone was not required when the product was purchased.  It is a particular hardship for older customers, like me.   I am 70 years old caring for a 76 year old partner.

 

I hope that Arlo addresses these concerns. 

Gerry_D
Apprentice
Apprentice

Well since I really don't "own" my arlo system, it seems that arlo and netgear do, as Now I am forced to use the two step verification where I really do not need it for two outside cameras. I can understand where someone would use a baby monitor or cameras inside their residence might need a two step security login, I'm going to sell what I have and get a different type.

 

1) There is NO way to opt out of this.

2) So what are they gonna do to complicate things if I want to view something from my phone, send me a text message to get a code to log in?

 

3) There used to be a function to notify via a text message if a camera activated, I turned it off after the first month because it was a nuisance, always triggering, once by a bird. Then when I wanted to turn it on to watch for a delivery in COVID-19 conditions, guess what, no longer available.

 

4) This  two step verification will make it too complicated and bothersome.

 

Why, let me give you an example.

I have an account at Blue Cross / Blue Shield. I try to log into "My Blue" but I need a verification code, they send one to my email, I use the six digit code, they say we will remember your computer for four months, I log out, the same day I try to log in again, but no.... they must send me a new code and the same routine and if I try to log in again, the same...

 

Why, to help stop tracking my computer erases cookies and cache every time I leave Firefox.

 

5) It's bad enough that one can not contact anyone at "arlo" but if you have questions, see the forum. Jeepers, they do not support their own products, they rely on forum members to answer questions and sometimes they are wrong!

 

If I can't sell it on Ebay I will trash it as I got my five years use out of it or my money's worth.

 

Retired_Member
Not applicable

Sayonara Sucker (Arlo that is)

got rid of both of my systems and moved on to a much better system

 

BenjiP
Initiate
Initiate

Thanks for this information.  In my app it looks like there is one additional step:

 

Login in --> Settings --> Profile -->  Login Settings --> Two-step verification --> slide switch at top to disable.

 

Later today I will set up two-step and then see if I can disable it.  Sure hope it works because this would basically render this thing useless for my family.  We use Arlo to keep an eye on elderly parents.  Me and my sibs log in to check them at different times of the day.  There's no way to use two-step authentication across several different users since they all have different cellphone numbers.

OttToyBoy
Star
Star

@BenjiP wrote:

... We use Arlo to keep an eye on elderly parents.  Me and my sibs log in to check them at different times of the day....


This is exactly my scenario as well. If 2FA is implemented in any way, our use case will be nullified.  This *needs* to be a user choice otherwise our Arlo devices will become landfill.  (If anyone can recommend a good alternative [in our case needs to be wireless, able to be battery powered for short periods, viewable by multiple people, motion sensing], please post here...)

 

Also to folk who have mentioned that they've been able to 2FA their devices just once, I suggest it might be because you are not following other best-practice security protocols (such as clearing browser cookies and other tracking data after each session or blocking them from the start or you're not logging off your device when not in use, etc..)  Ironically, those of us who already go the extra mile to secure our devices and systems might be most affected by this 2FA requirement forcing us to loosen our otherwise excellent device security just to accommodate Arlo.

 

SCKG
Apprentice
Apprentice

I just filed a complaint with the Federal Trade Commission Bureau of Consumer Protection as well as the Better Business Bureau.  Arlo Technologies has an F Rating with the Better Business Bureau...

 

To file a complaint with the Federal Trade Commission Bureau of Consumer Protection:

https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection

 

To file a complaint with the Better Business Bureau:

https://www.bbb.org/us/ca/san-jose/profile/not-elsewhere-classified/arlo-technologies-inc-1216-12796...

 

The Arlo Technologies company profile information to file the FTC complaint can be found here:  https://www.bloomberg.com/profile/company/ARLO:US

 

 

 

 

 

 

nealhayden
Star
Star

SCKG - Thank you for providing these links.  I just filed a complaint with the FCC and BBB.  Hopefully, this will get Arlo's attention.

nsleigh
Guide
Guide

I thought I'd try 2FA - I am in the UK the SMS message takes forever to arrive, if it arrives at all. Anyone else see this?

I really hope this doesn't become mandatory.

YaquinaHead
Initiate
Initiate

As I purchased my system on Amazon, I just went there and gave a One-Star review and warned buyers to review this forum about Two-Step Verification prior to purchase.  Typically, amazon reviews of on;y one star does get the sellers attention.

SCKG
Apprentice
Apprentice

Thanks for posting the Amazon review!  I purchased my cameras on Amazon and I will follow your lead.

Chris67
Luminary
Luminary

This is NUTS Arlo. A complete fiasco AGAIN. Everytime you implement a change, you stuff it up. Having 2-Step Verification every time I log in from my desktop is impractical. My Windows desktop should be able to be identified as a trusted device. I already have had to log into windows with a security code so my DESKTOP IS SECURE.

MarkBC
Initiate
Initiate

It appears that you are making this requirement mandatory at the end of September.  Fine as an option, but PLEASE don't make it a requirement.  From my perspective it is not needed and I don't want it.  

Bakker
Initiate
Initiate

Totally agree Chris K... this is a total pain in the ass...don't tell me that every time I need to activate my cameras I will have to wait for a SMS to my mobile...NO WAY.      Sometimes I an in remote locations with no wi fi or mobile signal.

If this is the case will be dumping ARLO and seeking alternative.. totally ridiculous and over reaction to security risks which I can cover off myself with out all this over kill.

CPARCELS
Initiate
Initiate
Is anyone from Netgear listening? Two step is a bad idea. I’ve tried it and it frequently fails to recognize my “trusted” device, and I have to set it up all over again. I would like to opt out. But I don’t suppose Arlo cares.
Ibcruzn
Guide
Guide

You're right Bakker, it is over kill. We turned it on, can't use it if it won't maintain the "trusted devices" as a part of our profile record with Arlo. We have family members that monitor the activity on our three camera's throughout the day and we should only have to set up "trusted devices" once, not every time anyone logs in. We have now turned this "exhausting new feature" off. It is painfully obvious that the term "fully tested" may be confusing for someone that has a Software Engineering Manager breathing down their neck to get the latest update released as the new release is one of that departments performance parameters on the books with their CIO. We thought we would be safer by installing your nifty Arlo camera's, but apparently your Board of Director's are more interested in their "performance parameters" than our collective safety. We no longer feel safe.

MarkBC
Initiate
Initiate

Every time I sign in from my secure desktop a new code required, BS.

natwyatt
Initiate
Initiate

I'm another person that uses the Arlo API. If that breaks with two-step authentication I'll drop Arlo and move to a RaspberryPi based solution.

 

It seems strange, normally a company would jump at the chance to build brand loyalty and create stickiness by opening up the platform.  Really surprising that this 173 message thread has zero response from Arlo addressing the community's issues. Not a confidence builder.