Arlo|Smart Home Security|Wireless HD Security Cameras
× Arlo End of Life Policy Notice
To view Arlo’s new End of Life Policy, click here.

Reply
ChrisKay
Follower
Follower

Making this mandatory is an exceedingly bad idea since it will slow down authentication and when it breaks—and it occasionally will—it will prevent access completely.  At least give the end-user the option of deciding how much protection to require for the account.

1 ACCEPTED SOLUTION

Accepted Solutions
JessicaP
Arlo Employee Retired

As part of our efforts to continually evolve and further strengthen our privacy and security practices, Arlo will now require all users to use two-step verification when logging into their Arlo account. Over the next 10 days, users who have not enabled two-step verification will see a countdown notification to complete set up before logging in to their Arlo accounts. This new security mandate will go into effect for all users by April 18th, 2021.

 

While Arlo has strongly encouraged its users to enable two-step verification since its introduction, Arlo believes requiring this added layer of security is yet another measure we can take to help our users safeguard their accounts and their data.

 

We appreciate all of the feedback provided so far for two-step verification and will continue working on enhancing the two-step verification experience in the future.

 

For more information on how to set up two-step verification, please visit the following article: What is two-step verification and how do I set it up?

 

-Arlo Team

View solution in original post

609 REPLIES 609
Retired_Member
Not applicable

As suggested in the recent email, I set up two-step verification on my Android phone. But every time I log in from my desktop and laptop, I have to go through the authorization. There is no way to make them trusted devices. I cannot understand why this is so difficult. I will be turning off the two-step until this is resolved.

 

Instead of implementing a poorly executed security method, it's time to get rid of Flash in the browser!

TomMac
Guru Guru
Guru

Having issues too with SMS, but email works.

But every time , come on!

But, to be honest, I'm not going to use email every time I access via the web... it's a pain ( since I do 80% of access via web )

--------------------------------------
Morse is faster than texting!
--------------------------------------
ksss11
Luminary
Luminary

I just read the email about the 2step verification and did it.  

Does anyone know if I am going to have to do this EVERYTIME we sign in? Seems like it will be a BIG time waster when you need to get on in a hurry.  Our phones are not conjoined to our bodies like most people these days and seems like this is going to be an unnecessary hurdle to jump when we need to go 'live"  quickly.

SJohannsen
Apprentice
Apprentice

While 2FA is a worthwhile addition, the current implementation, once required, will make Arlo useless at work for me. Ring has already made it mandatory, and has ruined Ring for me. Here's why.

You can have a code sent via text. I work on a secure enclave and cannot have my cell phone in the building at all, so this is not an option.

You can have a code sent to your registered e-mail. This is of course my personal e-mail, and this is blocked at work for security reasons. I cannot access my personal e-mail. (keeps people from clicking bad links in their e-mail. Work e-mail is highly filtered)

So, I will no longer be able to access Arlo at all from work. 

There are options that could be implemented. 1) offer to use a different verified phone number, but the code would have to be delivered via voice.  Synthesized is fine. 2) Allow additional e-mail addresses to be entered and selected. This would not let me enter any e-mail, just select from 1 or 2 that were pre-vetted. Some systems even ask for the e-mail and then compare it to any on file. If it matches one the code is sent there. 

Without one of these additional options, when 2FA becomes mandatory, Arlo will be useless to me for the majority of the day. 

 

I can tell you I am not unique in not being able to have a cell phone, or access personal e-mail at work. 

Kevin_In_Ky
Tutor
Tutor

Clearly they have rolled this out before its been fully baked.  I too get prompted to verify two step verification every time.  Its not saving my device.  Please fix this before you force everyone to 2 step.  I want to use it, but will turn it on after you have fixed the defect.

 

 

Schemer
Initiate
Initiate

Two-step verification is a great security measure for many applications, but will be very problematic for some Arlo users like myself. Unless you can set the verification up so that more than one device receives the code, this will not work for many people. Most households have more than one person in them who need awareness when a device detects movement. Same-account users in different places at the same time need to all be able to see the code, or this will not work. Not a great solution for this tech unless you can set the account up to send the verification code to more than one device.

TomMac
Guru Guru
Guru

Several threads on this, here's one;

 

https://community.arlo.com/t5/Community-Feedback/Two-step-verification/m-p/1760890#M4454

--------------------------------------
Morse is faster than texting!
--------------------------------------
storgeman
Apprentice
Apprentice

Yes this is a waste of time.   For example on my PC, I have to login TWICE to get get logged in once.  Why, Arlo still requires the use of Flash player, which all modern day browsers require permissions to use Flash Player.  That means I log in select permission to use Flash Player, I get logged out immediately and have to log in again to actually start a live recording.   Now with 2step verification, I will have to receive 2 authorization codes before I can get logged in.  

 

Sad state. 

 

StephenB
Guru Guru
Guru

@ChrisKay wrote:

Making this mandatory is an exceedingly bad idea 


I agree, and I hope they reconsider.

StephenB
Guru Guru
Guru

I think mandatory 2FA is a mistake (even if they actually get it to work properly).

ksss11
Luminary
Luminary

yes this is not user friendly anymore.  My bank and some other sites automatically register this device just once and I do not have to do this.

Puterwade
Initiate
Initiate

I agree. When on my iMac, and want to see a camera quickly, this 2 step stinks. On my iPhone, I can use face recognition but not on the iMac. I don't like this.

Chris53
Initiate
Initiate

I had to disable 2 step because Arlo required using every time. I will be replacing Arlo with Simply Safe if this problem is not fixed by the time the roll out at the end of the year.

jimmccabe
Initiate
Initiate

I agree strongly.  I'm a huge fan of 2FA but am really disappointed by the Arlo implementation.  I was excited to enable it this morning but turned it off after 30 minutes or so because it is really flawed.

 

  • Everyone seems to be in agreement that the main flaw is that the web-based login requires you to re-authenticate every single time.  That's a nuisance because the sessions are so short-lived.  For example this morning I logged in, left the tab for a little while (roughly 15-20 minutes) and the session was already expired.  The solution is to identify the device (app, browser, etc) as "trusted" for some period like 30 days.
  • It's also problematic that the primary 2FA approach is SMS, since that's known to be easier to hack than other approaches (like Authy / Google Authenticator / etc).

 

If Arlo keeps makes 2FA mandatory without fixing these problems, I will definitely consider replacing our Arlo cameras with more Simplisafe cameras (we have a mix of both).

MichaelUrs
Star
Star

Please:

 

Let the users decide, if they want to have 2FA or not. In addition to the arguments listed already in the messages before, I have integrated my Arlo Cams and Lights into my Home Automation system by making Web calls against the Arlo API. I know that this is a use case which might not be officially supported, however it is working great and it is one of my reasons to use Arlo and not another cam. Certainly a mandatory 2FA will break that integration as I cannot log in unattended. Maybe, some kind of application password might solve that issue (as it is normaly done with other providers using 2FA, like e.g. Google etc.)

 

The other reason is that it is time intensive if you need to put in your second factor every time you login. And you always need to be able to receive the second factor so what you are doing if you want to login from a remote computer without having access to your smartphone?

 

It really would be a bad idea to force users to use 2FA, so PLEASE re-think your decision again!

 

Thanks!

 

JohnV81
Initiate
Initiate

2FA is a good idea as we need to be secure. However, most systems that require 2FA also have a way to get a device (or app) specific passcode that can be entered and used without having to re - enter it every time.

Please add this functionality before this is mandatory.

 

BP2
Initiate
Initiate

Mandatory 2FA is a bad idea.  Here's why;

 

I have a growing wireless camera business.  When time matters, 2FA hinders a response.  For example, when viewing an active situation of any kind (fire, water damage, etc.) or equipment failures (HVAC, chillers, boilers, etc); taking time to execute 2FA will delay and possibly inhibit a response.  Business clients prefer simplicity over two-step verification; They want live video that's easy to access.  Mandatory 2FA is not that.  As such, we would drop Arlo because of this.

 

Further, I don't see a need for simpler use cases.. a simple construction site or animals in the wild (Arlo Go website).  We should have the option; but a blanket requirement puts undue hardship on users.  If you purchase a house, your not required to install 5 locks on your front door.  It's your house, you secure it how you want.  Same applies for cameras and portals purchased from Arlo.

 

I have demand for many Arlo cameras.  In the end, I'll have to switch to another solution; turning down all Arlo wireless devices and LTE coverage tied with it, and request refunds as this isn't what was originally promoted. 

 

Arlo is a broad spectrum and multi-use.  This would put financial hardship on my business. Please reconsider mandatory 2FA.

 

Thanks.

 

k_glasik
Initiate
Initiate

I agree mandating 2FA is a bad idea. 2FA is generally good and Arlo can implement it BUT I believe accounts should have the ability to turn it off or Arlo should support 'app passwords' like Google and most other 2FA providers do. If this becomes mandatory my family will lose much of the benefit of Arlo's flexibility.

 

If this gets implemented I will need to cancel my Arlo smart subscription. 

friuliveneto
Initiate
Initiate

"Bad Idea" is an understatement.  With the Flash run around it takes me a couple of minutes to check a camera. I try to log in, but have to authorize Flash *each* *time* and that makes it so that my session expires and I have log in again and wait for an authorization code again.  What a mistake.

BobNa
Initiate
Initiate

I like to check my home security when I am away from home on a cruise. There is of course no mobile phone reception at sea or at many ports of call. Cruise ships use satellite internet which is both slow and expensive. Even waiting for an email to arrive could be a lengthy and expensive exercise. Arlo worked efficiently and did exactly what I wanted - provided reassurance that while away my home is secure. Now with 2 step id it is unlikely that I'll be able to establish a short session anymore to check my home cameras.

Bette99
Star
Star

Just tried to enable 2FA. Based on the article explaining the method, I assumed I could just use email, But I can't enable without providing a mobile phone number. Why, if email is an option? I do not have a mobile phone number (and wouldn't want to give it to Arlo if I did).

DominoUK
Star
Star

I am very angry at this decision. I tried it the other day and was dismayed at how badly 2FA has been implemented, so I turned it back off.

 

Firstly, no authentication apps? Why only SMS? That's terrible!

 

And why can't we save a device so we don't need to authenticate again (even if it's for 30 days or something?). I use the web app a lot, especially while at work, to check on alerts, so if I have to 2FA authenticate every single time, it's going to be a real pain and slow me down a lot. I just won't put up with this.

 

I hope this is improved by the end of year (when it becomes mandatory), but I'm not holding out hope considering the web app has gotten slower since its last update and is still reliant on Flash. Seriously, it's 2020. Get your act together, Arlo!

 

I will no longer recommend Arlo to friends and family until this is improved, and I may have to look at an alternative security system next year now 😞

Tranceblast
Star
Star
I really hope that arlo reconsider 2FA... If not, I will get rid of all my cameras.. Really bad idea to not let user decide for themselves...
Tranceblast
Star
Star
This is what arlos email says:

"By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security."

Sounds like arlo make users to use two-step verification.