
Timeout period for web authentication via push notification is too optimistic.

Randoramma
Follower

I am logging in via the web client (apparently for the first time or my token was revoked) and your client is attempting to authenticate me via push token. The timeout for this is 30 seconds. I tested my connection via terminal ping to www.arlo.com:

13 packets transmitted, 13 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 7.882/9.218/10.382/0.665 ms

 

My device is an iPhone X attached to the same network (wifi) on iOS 13.4.1.

I was unable to receive any push notification within the 30 seconds required to respond and was unable to authenticate via this method. Likely your user is on wifi (unless offsite at a hotel or somewhere). I cannot imagine anyone successfully using this verification on a slower connection (dialup, hotspot, 3G, or god forbid Edge).

 

Recommendation: Up the timeout period to 5 min. This is still reasonable security while not letting the verification languish, allowing someone to impersonate the user. 30 seconds is quite optimistic IMHO.

 

Just my $0.02.  Regards! 

 

 
