Mandatory Two-Step Authentication (Verification) a Bad Idea

ChrisKay
Follower

Making this mandatory is an exceedingly bad idea since it will slow down authentication and when it breaks—and it occasionally will—it will prevent access completely.  At least give the end-user the option of deciding how much protection to require for the account.

tibert
Star

Attempting to reinstate this thread as it appears the moderator gave only a short window for confirmation that the existing issue was resolved. See the original thread that has now been closed. It should not be closed. I also see the symptoms of what I list below in prior closed postings going as far back over a year ago.

I took the plunge today and activated 2FA to the device. However:

(1) There is a significant lag in the system and too short of a timeout (20 seconds is arbitrary) and times out before I get a notification on my phone. You can try to fix to reduce the lag further, but the Internet is not under your control. Why not at least increase the timeout to 1-2 minutes?

(2) Each Chrome session I perform in Arlo requires me to "authenticate" my PC again. It appears either there is a bug that does not maintain state between sessions (I have cookies, etc. enabled and I do not have an issue with any other company site I use), or that there was a policy/intent to require this via the web. Either way, this forces one to have to be tethered to their phone to use their home PC, defeating the purpose of many reasons why one would be using the web page anyway. Please fix this.

(3) While activation via your iOS (and I'm assuming Android) app(s) requires one to re-log in to your app each time. Why not propagate a code via the notification so one can see it come through on the device without having to manipulate it? It is what other internet companies do. On older devices having to unlock one's phone and start the Arlo app is time-consuming and unneeded.

Please help

CCNE37
Apprentice

I am happy to be corrected, but I don't think there is any link between Netgear and Arlo currently. Netgear used to own (or be parent company to) Arlo, but that ceased a while ago, and since Arlo went it alone things have gone downhill fast.

When Netgear was involved everything was better - quality, support, updates actually worked, no underhanded dodgy behaviour. All of these things started after the split.

dcfox1
Master

You are correct, Arlo spun off from Netgear a couple of years ago.

Gene2916
Star

That is when the quality of the service fell apart!

Dz0
Guide

I am one of those geeks.  I work in cybersecurity for a Fortune 50 company.  Using ONLY SMS or email as the only mandatory MFA options makes security worse, not better.  SMS authentication is just opening the door to whoever wants to see your cameras that bad, and the 'geeks' as you put it did not recommend this.  Arlo's legal team did, thinking that it would absolve them of any liability related to anything relating to account compromise.  And since Arlo outsources everything to India including customer help and development, this solution was of course half baked and put in front of customers.

You MUST backtrack on mandatory MFA until you implement the option to use an authenticator.  Period.  Or, offer full MSRP refunds to people who bought Arlo and don't want to open their account to this weak security posture.

Dz0
Guide

Also, opening an Arlo ticket won't do anything.  When you open a ticket, you're forwarded to someone in Bangalore who is paid pennies to read from the user manual and tells you to try any and all steps even if it's completely unrelated to the problem.  This is another sore spot for Arlo.  Your complaints will never reach executive management because that person's boss is paid to ensure your complaints never make it back to the San Jose executive offices.

Instead, try contacting these folks directly: https://investor.arlo.com/governance/management-team/default.aspx

MikeBravo
Luminary

Comcast and Dell, among others, had been doing that for years until recently when viewership and sales began to drop, not to mention the FCC began to sniff around, and they've since improved somewhat.

Perhaps Arlo will feel the same sting and change.

Stephanoochi
Guide

I've sent off an email but I'm sure they won't respond since I'm thinking they may have planned this. They probably want to be able to do a bankruptcy thing and not have to deal with paying back customers for the security equipment they paid for.
I don't think they really care

dcfox1
Master

Guess it's 5 o clock somewhere. 

Gene2916
Star

I am very disappointed in Arlo. They easily leave to turn on or off 2 step so their customers could easily choose according to their needs. Also stopped working all my Alexa several days ago, I wonder if that could be part of 2 step as well. I am thinking about taking down all my Arlo cameras and switching to Ring; I already have the Ring doorbell and it never gives me any problems.

oillogger
Apprentice

The Alexa issue could be IFTTT reducing your number of free IFTTT apps to no more than 3 unless you purchased one of their plans.  As a result I lost all of my battery notifications and the ability to watch any Arlo camera with my Echo Show.

You would think the various companies whose products can be utilized with IFTTT would fully financially support IFTTT without placing any burden on the consumer of their products for typical consumer use load.  IFTTT allows devices from different manufacturers to communicate and be controlled, greatly expanding the potential utilization of their products, which is a significant selling point.

Wrennie
Initiate

Agreed.

The slightest delay in wireless signal or email means I cannot sign into Arlo on my computers.  The two step verification requirement every time I sign in on my computer is making Arlo useless for security as I cannot see someone breaking in in time to call the police.

I was going to purchase more Arlo cameras last winter but decided to wait to see if this problem is fixed.  All users bothered by constant authentication verifications need to let Arlo know you won't be buying more cameras.  It looks like Frontpoint and Simplisafe will be gaining customers.

SCKG
Apprentice

The Arlo customer representative in the California office promised to forward these issues to the Arlo technical support department.  This was in response to one of the two complaints I filed with the Better Business Bureau.  I haven't received any further communication from Arlo.  I did receive the response from the BBB who are marking the case as UNRESOLVED.  Complaints to the BBB do affect their customer rating.

"We have received your most recent correspondence in the above-mentioned complaint case.

You have indicated that you are NOT satisfied with the business' response in the matter.

The business has not made any further concessions to their original response.

Unfortunately, BBB can not pursue the matter further. This complaint case is now considered closed UNRESOLVED.

BBB develops and maintains Reliability Reports on companies in our service area. This information is available to the public and is frequently used by potential customers. The company's level of cooperation in resolving to this complaint becomes a part of their file with BBB."

oillogger
Apprentice

SCKG, you did accomplish one point with your BBB reporting.  Documented display of lack of concern by Arlo for their customers.  Thank you for your efforts!

Most prospective customers will research a product costing several $100s before purchasing it.  From all of the bad noise from Arlo's current customers it appears Arlo's image is fast fading and will impact their sales.  With decreased sales fewer employees are needed.  Business 101.

SCKG
Apprentice

Thanks oillogger, much appreciated!  Stephen

MrEricM
Tutor

@tibert wrote:

(2) Each Chrome session I perform in Arlo requires me to "authenticate" my PC again. It appears either there is a bug that does not maintain state between sessions (I have cookies, etc. enabled and I do not have an issue with any other company site I use), or that there was a policy/intent to require this via the web. Either way, this forces one to have to be tethered to their phone to use their home PC, defeating the purpose of many reasons why one would be using the web page anyway. Please fix this.


This is my main problem, and why I came here today to express my dismay. I do appreciate the requirement for the extra security, but it needs to be done right.

The delay (and it is a lot more than other SMS-based authentication services) isn't a big deal if I didn't have to do it EVERY TIME for EVERY 'NEW DEVICE', which, for some reason, a new tab on an already authenticated device needs to be completely re-authenticated. I really don't understand why it can't save a device, even my bank site that seems to be stuck in 2010 can remember a device for about 3 months.

And it would be a little bit better if it supported TOTP, at least that way I'd be able to get a code within a few seconds vs. 20s... 30s.. 40s.. still waiting... 50s.. OH THERE IT IS! Logged in... Hmm. nothing there in the live view for the push alert I got about 45s ago.

To be clear, this is unacceptable and it's awful that this unfinished system is being required in less than 2 weeks. I hope it gets improved (but really, it hasn't been improved much in the past 6 months...).
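
A sketch of the "remember this device" behaviour that this post and several others in the thread ask for, added here as an example and not part of the original post or Arlo's code. The function names, the 90-day window, the token layout and the in-memory key are all assumptions; the password is still checked on every login and only the second-factor challenge is skipped for a remembered browser.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set

# Assumptions (not from Arlo): 90-day lifetime, "|"-free user ids, in-memory key.
REMEMBER_SECONDS = 90 * 24 * 3600
SERVER_KEY = secrets.token_bytes(32)  # constructed; load from a secret store in practice


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a token ONLY after this browser has just passed the second factor.

    Send it as a persistent (Max-Age), Secure, HttpOnly cookie so it survives
    new tabs and browser restarts; a session-only cookie would not.
    """
    now = time.time() if now is None else now
    device_id = secrets.token_hex(16)          # random id, lets the user revoke one device
    payload = f"{user_id}|{device_id}|{int(now) + REMEMBER_SECONDS}"
    return f"{payload}|{_sign(payload)}"


def needs_second_factor(user_id: str, cookie: Optional[str],
                        revoked: Set[str], now: Optional[float] = None) -> bool:
    """Return True when the login must still be challenged (SMS, e-mail, TOTP)."""
    now = time.time() if now is None else now
    parts = (cookie or "").split("|")
    if len(parts) != 4:
        return True                            # no cookie or malformed
    tok_user, device_id, expires, sig = parts
    expected = _sign(f"{tok_user}|{device_id}|{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return True                            # forged or altered token
    if tok_user != user_id:
        return True                            # token belongs to another account
    if int(expires) < now:
        return True                            # older than the remember window
    return device_id in revoked                # user or support revoked this device
```

Because each token carries its own random device id, a lost laptop can be dropped from the trusted list without forcing every other browser back through the challenge.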

SCKG
Apprentice

I just received this reply from the 2nd complaint with the Better Business Bureau.  The engineering team is reviewing the possibility of registering for 2FA with email only and not a cellphone.  Will keep you posted...

Hello Stephen,

Good day!

I will update you right away once our engineering team provides a recommendation and/or update.

Thank you


Louie Ordanza
Customer Care Advocate
Arlo Technologies, Inc.

MikeBravo
Luminary

Louie,

That's not going to cut it. Like millions of people, my e-mail comes through Comcast and their e-mail is notoriously slow.

For the short time we were forced to use 2FA earlier this month, the 2FA login would time out before we received the e-mail and we couldn't view our cameras at all until we figured out how to turn it off.

You folks still aren't getting it.

I have yet to hear one user here say that when they go to access their cameras live that the camera view comes on line instantly. Rather, you've had thousands upon thousands of complaints that it takes far too long, up to a full minute often FOR EACH CAMERA and much of the time the live request times out.

This is still the case and hasn't changed in years!

We still don't understand why this is being forced upon us and why you can't provide any data that illustrates a significant issue with unauthorized logins.

If you can't because there is no data, then stop this needless added extra step for an already cumbersome and ineffective process-----or fix it!

oillogger
Apprentice

SCKG, real glad to know they are still looking into this or at least saying they are.

MikeBravo, how about a security question instead?  One or a group of them random like a lot of sites.  Can even have only one that has to be changed every month or so.  I always wanted to be able to create my own security question and answer.  Arlo could require your choice of email or SMS only when setting up or editing the security question.

LynnT22
Initiate

I totally agree.  This should be an option not mandatory.  I already have a security system in place that monitors the cameras, all this stupid two-step crap has done is slow it down to see what's going on outside my house.  We are very unhappy with this.  All this is doing is putting us in danger of being broke into because I have to sit at my desk and go through a ritual just to see who is outside my window.  By the time I go through all this crap they will be in.  If this does not change we will be investing in a friendlier camera setup with another company.  

MikeBravo
Luminary

@oillogger wrote:

SCKG, real glad to know they are still looking into this or at least saying they are.

MikeBravo, how about a security question instead?  One or a group of them random like a lot of sites.  Can even have only one that has to be changed every month or so.  I always wanted to be able to create my own security question and answer.  Arlo could require your choice of email or SMS only when setting up or editing the security question.


While there is no fundamental problem with a security question, it doesn't resolve the underlying problem of Arlo's never resolved issue of lag. We have Xfinity and we normally zip along at the full 300-350 Mbps and except for a few problem sites (like Arlo) usually webpages for us open almost instantly.

However, Arlo has a special speed limit and it often takes up to fifteen full seconds after entering our login and password before the web portal loads.  Then of course, is their legendary, infamous lag going live which to this day still can take up to a full minute and still can time out without connecting-----usually at the worst possible moment.

I honestly believe that anyone who hacked our system would soon become so annoyed that they would quickly move on out of sheer frustration.

Finally, we have multiple sites saved that require security questions and usually have to look them up before logging into a particular site.

Nanlee
Luminary

I find this very annoying, Arlo on my desktop and phone

TomMac
Guru

200% agree....

Most of my testing is done on the PC and I shouldn't need my phone with me... It should recognize the PC as a trusted device

--------------------------------------
Morse is faster than texting!
--------------------------------------
Nancy_L
Apprentice

I sent a snail mail to Matthew McRae at Arlo in September about the PC trusted device issue and this was his emailed response to me:

_____________________________________________

-----Original Message-----
From: Matthew McRae [mailto:matt@arlo.com]
Sent: Wednesday, September 30, 2020 12:07 PM
To: XXXXXXXXX.com
Subject: Your letter

Just a quick note to let you know I received your letter.  The team is working on the browser support for 2FA now - we are waiting for our backend provider to support the various browser implementations but some versions are already in test.  Our goal is to deploy compatibility within 90-120 days however the exact timing will depend on successful testing across environments.

I appreciate your note and want you to know the teams are working hard on this and several other performance enhancements.  Thank you for being an Arlo customer.

Matt

MikeBravo
Luminary

Thanks for sharing this with us.

It's both astonishing and breathtaking in its arrogance that they would boldly tell you that their stuff is not nearly ready for prime time-----but they're just going to do it anyway.

After all, they already have our money, know that many, if not most of us, can't merely dump their junk and start over, so why should they care if what they do hurts their subscribers, right?

I love that 90-120 day crap. Can you imagine the cruise liner captain saying, "Yeah, I know we're taking on water, the toilets don't work, and the kitchen isn't finished being built yet so there's no food----but we expect to have all that fixed up in 90-120 days!"

I can't decide if they're a bunch of ignorant hillbillies playing around with tech or if they're just plain evil.