2FA support

[alexeyvasilyev]

Got Arlo's that said "Two-step verification is an added layer of account security to verify that it's really you, even if someone knows your password. By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security"

At the moment 2FA is not working for these Arlo python scripts.

What version of Python are you using (python -V)?

Python 3.7.6

What operating system and processor architecture are you using (python -c 'import platform; print(platform.uname());')?

uname_result(system='Darwin', node='PC', release='19.3.0', version='Darwin Kernel Version 19.3.0: Thu Jan  9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64', machine='x86_64', processor='i386')

Which Python packages do you have installed (run the pip freeze or pip3 freeze command and paste output)?

arlo==1.2.33
certifi==2019.9.11
chardet==3.0.4
idna==2.8
monotonic==1.5
PySocks==1.7.1
requests==2.23.0
six==1.12.0
sseclient==0.0.22
urllib3==1.25.6
virtualenv==16.7.8

Which version of ffmpeg are you using (ffmpeg -version)?

ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with Apple clang version 11.0.0 (clang-1100.0.33.16)
configuration: --extra-cflags=-fno-stack-check
libavutil      56. 31.100 / 56. 31.100
libavcodec     58. 54.100 / 58. 54.100
libavformat    58. 29.100 / 58. 29.100
libavdevice    58.  8.100 / 58.  8.100
libavfilter     7. 57.100 /  7. 57.100
libswscale      5.  5.100 /  5.  5.100
libswresample   3.  5.100 /  3.  5.100

Which Arlo hardware do you have (camera types - [Arlo, Pro, Q, etc.], basestation model, etc.)?

Arlo Camera, Arlo Base Station

What did you do?

Enabled 2FA support on Arlo app (Settings - Profile - Login Settings - Two-Step Verification - Enable=true).

What did you expect to see?

python arlo-streamingvideo.py
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
  built with Apple clang version 11.0.0 (clang-1100.0.33.16)
  configuration: --extra-cflags=-fno-stack-check
  libavutil      56. 31.100 / 56. 31.100
  libavcodec     58. 54.100 / 58. 54.100
  libavformat    58. 29.100 / 58. 29.100
  libavdevice    58.  8.100 / 58.  8.100
  libavfilter     7. 57.100 /  7. 57.100
  libswscale      5.  5.100 /  5.  5.100
  libswresample   3.  5.100 /  3.  5.100
Input #0, rtsp, from 'rtsps://vzwow42-z1-prod.ar.arlo.com:443/vzmodulelive/5EM28975A2C12_1583845297713?egressToken=d0ca19d6_ade1_4852_aaf3_5235fe5c9266&userAgent=iOS&cameraId=5EM28975A2C12_1583845297713':
  Metadata:
    title           : 5EM28975A2C12_1583845297713
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Audio: aac (LC), 16000 Hz, mono, fltp
    Stream #0:1: Video: h264 (High), yuv420p(progressive), 1264x704, 24 fps, 100 tbr, 90k tbn, 48 tbc

What did you see instead?

$python arlo-streamingvideo.py
401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/login/v2

Does this issue reproduce with the latest release?

Yes

[jeffreydwalter]

I don't really think there's going to be a solution to this.

[jeffreydwalter]

I just enrolled in 2FA and the only possible solution I see is to configured 2FA to use email, then write some code that gets the 2FA code from your email and sends it to the Arlo API. Of course, this library does not support that currently.

[m0urs]

This is really a very bad decision by Arlo as it will break all kind of external automation together with the Arlo cams. We really should send them many mails and comment in the forums so that they at least will either make it not mandatory or provide a kind of application passwords as it is done with other providers.

[jeffreydwalter]

Yep, unfortunately, that's our only recourse.

[m0urs]

So, let's tell them ... https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1760890#M4454

[m0urs]

Jeffrey, I tried to play with the 2FA and Python as I do have the possibility to receive SMS with my Raspberry where my Home Automation system is running and thought, maybe I would be able to read that SMS and use it for login via Python.

The 401 error which is currently thrown is because the Login call tells us:

{'error': '1900', 'message': 'To access your account, please download our new Arlo app or disable two-step verification.', 'reason': 'Please update to the latest version of this app, or deactivate Two-Step Authentication on your account, to login on this device.'}

So for me it seems that the API calls have changed to a somehow newer version which supports both 2FA and non-2FA.

How did you get all the the information about which GET/POST requests are used by Arlo? The calls made by the web browser seems to be totally different from the requests made by the Python script.

So I am bit lost now. Maybe you can help me a bit so that I can continue playing. Thanks!

[jeffreydwalter]

@m0urs I use the Network tab in Chrome's developer tools.

They have new auth endpoints, which this library isn't updated to use yet:
General:

Request URL: https://ocapi-app.arlo.com/api/auth
Request Method: POST
Status Code: 200 
Remote Address: 104.18.30.98:443
Referrer Policy: no-referrer-when-downgrade

Request Headers:

:authority: ocapi-app.arlo.com
:method: POST
:path: /api/auth
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
auth-version: 2
content-length: 125
content-type: application/json; charset=UTF-8
cookie: __cfduid=XXXXXXX; __cfruid=XXXXXXX-XXX; 
dnt: 1
origin: https://my.arlo.com
referer: https://my.arlo.com/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
source: arloCamWeb
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Request Body:

{email: "jeffreydwalter@gmail.com", password: "XXXXXXXXXXXX",…}
email: "jeffreydwalter@gmail.com"
password: "XXXXXXXXXXXX"
language: "en"
EnvSource: "prod"

Response Headers:

access-control-allow-credentials: true
access-control-allow-origin: https://my.arlo.com
cf-cache-status: DYNAMIC
cf-ray: 572f685e38e37ada-MCI
content-encoding: gzip
content-type: application/json; charset=utf-8
date: Thu, 12 Mar 2020 17:59:12 GMT
etag: W/"25a-ic0uE7Ob0UwLOmICOdCpZMQlp4Y"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
status: 200
strict-transport-security: max-age=15552000; includeSubDomains
vary: Origin, Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Response Body:

{"meta":{"code":200},"data":{"_type":"AccessTokenV2","token":"XXXXXXX-XXXXXXX-XXXXXX-XXXXXXX-XXXXXX-XXXXXXX","userId":"XXX-XXXXXXX","authenticated":1584035951,"issued":1584035951,"expiresIn":1585331951,"mfa":false,"authCompleted":true,"type":"USER","MFA_State":"ENABLED"},"domain":"ocapi-app.arlo.com"}

[m0urs]

Thanks, so I was on the right way ... Guess I need to some try and error now ;-)

[m0urs]

After that there is a "GET https://ocapi-app.arlo.com/api/validateAccessToken?data = XXXXX' where "XXXXX' is the value from the field 'authenticated' from the request above.

This requests fails :

Request (GET https://ocapi-app.arlo.com/api/validateAccessToken?data%20=%20XXXXX) failed: {'meta': {'message': 'Access token is invalid', 'code': 400, 'error': 9022}}

I guess because I am missing the correct value for the "Authorization" header variable. It seems that this is NOT the value from 'token' (starting with "2_") which we get from the first request but something which looks totally different and starting with "Ml9":

Authorization: Ml9vaG13NnJ6SDZBOTBTbW9V......lFdzllZWdS

I have currently no idea where this value comes from or how to calculate it from other fields. Maybe it is some kind of hash of the token.

Maybe someone from the community can do also some tests here and give me a hint from where this "Authorization" header is coming.

The password for the new API is also somehow hashed (but this would not be such a big problem).

[death2all110]

@jeffreydwalter Are there any plans to update the library with the new endpoints? This hasn't worked for me for a while, and I'm honestly not sure where to begin with doing it myself and doing a pull request.

[m0urs]

I am currently playing around with it a bit. However, I cannot promise that this will lead to a positive result ;-) - and I cannot tell you about a time frame.

[m0urs]

Maybe Arlo will not set 2FA mandatory as they had communicated up to now. If I understand that support chat correctly we still would be able to choose:

https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1762753#M74989

However: Since 2 days I am unable to use the old authentication mechanism even without 2FA enabled with my accounts :-( I tried to re-write the code so that it is using the new API but I am not yet successful. Seems that we now also need to consider the cookies in all requests. Still trying to get it working, however it is try & error as I am not really a Python programmer ;-)

[katzenbaer]

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

[m0urs]

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

It seems they are now only using the new API which can be used with and without 2FA. I am currently trying to implement the new API without 2FA so that I can use my scripts again. However, as I said before, I am not a programmer and I cannot promise if I am successful ;-)

[m0urs]

Bad news :-(

As part of our efforts to continually evolve and further strengthen our privacy and security practices, Arlo announced it will now require all users to use two-factor authentication when logging into their Arlo account. The new security mandate will go into effect for new users in Q2 of 2020, and will require existing Arlo users to enable the feature on their current Arlo accounts by end of year. While Arlo has strongly encouraged its users to enable two-factor authentication since its introduction, Arlo believes requiring this added layer of security is yet another measure we can take to help our users safeguard their accounts and their data.

Arlo Team

[apsteinmetz]

Well this really sucks, but I predicted it. I registered my displeasure on the Arlo forum. It would have been nice to get some notice. Now I am scrambling to find an alternative hardware/software solution. Thanks, everyone, for your efforts to try and work around this.

[nst2020]

well seems there are some fixes out. Hope we can use it for this lib.

https://github.com/twrecked/pyaarlo

[jeffreydwalter]

@nst2020 they are just logging into your mailbox and polling for the 2FA email to get the token. That is the approach I am also planning on. Have been busy, was hoping someone in the community would take some initiative and make a PR. If not, I'll probably have time in the next week or two.

[m0urs]

As I said, I am currently working on changing the script to use the new API as even without 2FA it is no longer working for me for some days ... I also do have some code for 2FA in it, but currently only for playing (I need to put in the second factor manually, just to see how it works). I was planning to get the second factor via SMS as I do have another machine which can receive SMS.

Nevertheless, if you would be able to make "real" code even better ;-) Let me know before you start so maybe I can give you at least what I already have. Maybe you can re-use something ...

[m0urs]

I adapted the code so that it now uses the new Authentication API and added also some proof of concept code for using 2FA.

However, currently you need to put in the second factor sent by SMS manually. It needs more work now to automate that.

At least I can now use my script again 8without 2FA) as Arlo seems to have stopped authentication with the older API a few days ago.

You find my code here. Maybe you can use parts for your own.

https://github.com/m0urs/arlo-cl

[death2all110]

@m0urs

Thank you for this. I'm trying to implement the changes you made so I can run my download script again, and it seems to authenticate, but every time it runs it just passes 'success' and doesn't do anything else. Any chance you can help with that?

PS E:\Arlo> python .\arlo-download.py
[DEBUG] (MainThread) Starting new HTTPS connection (1): ocapi-app.arlo.com:443
[DEBUG] (MainThread) https://ocapi-app.arlo.com:443 "POST /api/auth HTTP/1.1" 200 None
'success'
PS E:\Arlo>

[m0urs]

@death2all110 I can have a look if you provide me with your full script which you are using. If you like you can mail me directly as this does not really fit to the 2FA issue here ... Mail address see my Github profile.

[huberda]

@m0urs Thanks a lot for your pre-work implementing the new api-endpoints! I was wondering why my scripts weren´t working with my home automation as i noticed that arlo now enters the passwods base64 and also new endpoints are targeted. I just implemented your changes and it works like a charm!!!

@death2all110 Please notice that @m0urs changed also requests.py and eventstream.py! If you are running your own scripts with Arlo.py, dont forget to encode the password.

from Arlo import Arlo

from datetime import timedelta, date
import datetime
import sys
import base64

pw = 'plainPW'
USERNAME = 'you@mail'
PASSWORD = str(base64.b64encode(pw.encode("utf-8")), "utf-8")

try:
    arlo = Arlo(USERNAME, PASSWORD)
    basestations = arlo.GetDevices('basestation')   
    modes = arlo.GetModes(basestations[0])
   

[jeffreydwalter]

@m0urs are you planning on making a PR for your changes? It would be greatly appreciated by everyone that uses the library.

[m0urs]

@jeffreydwalter As I did only adapt some of the functions in Arlo.py yet, I would not yet like to create a PR. I am currently working with @death2all110 who is using some more functions and will adapt my version of Arlo.py accordingly. But that will not include all functions. Do you think it make sense to merge my changes even if they are not yet complete? Maybe, because currently the whole script seems no longer work at all. What do you think?

[apsteinmetz]

Thanks for updating this! Is there a lag in the package deployment becuase I don't seem to be updating?

>pip install arlo
 Requirement already satisfied: arlo in c:\users\arthur\appdata\local\programs\python\python38\lib\site-packages (1.2.33)

[jeffreydwalter]

Try upgrading: pip install arlo --upgrade

$ pip install arlo --upgrade
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting arlo
  Downloading https://files.pythonhosted.org/packages/81/43/694016dcd05a02762bf05b19ed09bd22780b9f8d578cf82cd0e2c82e87ec/arlo-1.2.35-py2.py3-none-any.whl
Requirement already satisfied, skipping upgrade: requests in /usr/local/lib/python2.7/site-packages (from arlo) (2.22.0)
Requirement already satisfied, skipping upgrade: PySocks in /usr/local/lib/python2.7/site-packages (from arlo) (1.7.1)
Requirement already satisfied, skipping upgrade: monotonic in /usr/local/lib/python2.7/site-packages (from arlo) (1.5)
Requirement already satisfied, skipping upgrade: sseclient==0.0.22 in /usr/local/lib/python2.7/site-packages (from arlo) (0.0.22)
Requirement already satisfied, skipping upgrade: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (1.25.6)
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2019.9.11)
Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<2.9,>=2.5 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2.8)
Requirement already satisfied, skipping upgrade: six in /usr/local/lib/python2.7/site-packages (from sseclient==0.0.22->arlo) (1.12.0)
Installing collected packages: arlo
  Found existing installation: arlo 1.2.30
    Uninstalling arlo-1.2.30:
      Successfully uninstalled arlo-1.2.30
Successfully installed arlo-1.2.35

[twratl]

Yeah. An OTP would be ideal. Then pyotp could easily be used to solve the MFA issue. Maybe that is a worthwhile petition to Arlo to offer OTP as an option. It is arguably more secure than SMS.

[giejay]

Just checking, wouldn't using a Tasker plugin and an Android phone also help with two factor authentication? By using Auto notification, I can quite easily click the approve button, every time a login takes place. Or am I overlooking something?

Edit: Modified the code a bit to use Push authentication instead of SMS, created a tasker profile to select approve automatically and it works within 5 seconds

[twratl]

I have a working implementation of MFA using SMS. After reviewing the API I see now how the email option is implemented so I am going to adapt my code to use email (which is always going to be an option for everyone I would imagine) instead of SMS. This would eliminate the need for Google Voice or equivalent.

My solution is an AWS serverless solution and is a 2 stage process (a pre-stage process which gives you a URL to query every second until the code shows up, and an out-of-band process that accepts and parses the MFA email and saves the OTP code).

[twratl]

Ok. I switched over to using email for MFA instead of SMS. The code and process to implement is here: https://github.com/twratl/arlo-mfa-aws. I welcome feedback. I have this working successfully in my application (although I turned off MFA for now since it isn't yet a requirement).

You will need a couple things like a domain and an AWS account.

[huberda]

Dear @twratl, i am currently worried about 2FA, because this will kill my current setup enabling alro-modes with my home automation. I had a look at your solution and really like this approach, big thanks for that!

I try to keep all my data (except arlo videos) @home, thats why i am thinking about a different approach:
Running arlo.py already requires a local machine (in my case raspbian box). It should be possible to clone the linked email-inbox e.g. via imapbox to the local disk as json and then directly fullfil the 2FA request for arlo.py. Do you see any issues following this approach?
I think then we can skip using a aws-account + dns and....maybe?

Best regards,
Daniel

[twratl]

@huberda, thanks for reaching out. I will say that the solution I built for AWS stores VERY little info and it is wiped within a day IIRC. My Arlo automation runs from AWS Lambda, hence my AWS solution.

However if you want to pursue a fully "on prem" solution, I don't see why the same high level process could not be adapted. You would still source the second factor via email likely and then using imap you can check for the arrival of the message in the inbox and parse out the MFA code which you then provide to the Arlo API.

You would need to roll your own logic for the IMAP piece but it seems rather straightforward (check inbox for messages in the last 1 minute from the Arlo address as an example). Not sure imapbox is needed although it could work I guess. I was thinking just a direct imap call to your inbox.

[huberda]

@twratl: Thanks for your reply! I fully agree, i just tought about a user-friendly way to implement 2FA without additional components.
I guess that many users of arlo.py are maybe not informed about 2FA impact on the API and this issue will pop-up during the planned enforcement.

Regarding IMAP i will check for a good solution (direct IMAPClient or existging module) - regarding logic i am thinking about a timeout loop that could be configured (e.g. check inbox x times for mails in last y minutes) for MFA code.

I will have a look on this within the next weeks...

[phoenixaus]

Hi Guys,

I have been able to obtain the MFA code from SMS or email and save it into a txt file. This was done using software called integromat, which you should be able to access on the free tier. I'm happy to help anyone that wants to go that way.

Unfortunately, I'm lacking in the skill set to adapt the code the Jeffrey has written to import this in. At this stage I'm trying to find a way to ideally force the email option of MFA (as this isn't relying on a sim service to be active), then read the contents of a file saved in dropbox called MFA.TXT which would contain the code. I would assume that there would need to be a pause between the request stage and accessing with the MFA code.

[booi]

Hi guys, not sure if anybody still uses this library but I opened a PR #160 for automatic request and retrieval of 2FA tokens from a gmail account and restores the ability to use this library.

After reading this thread it seems like there also needs to be a corresponding update to read from the new API but perhaps this gets us half-way? It sounds like there has been some progress on using the new API.

This technique requires users to set up an OAuth client for accessing gmail via google's api. At the very least it does not require a twilio/google voice or AWS integration and accessing google's api is free for any gmail account.

[booi]

If there is interest, I would also be open to running a service on heroku or something that can do this automagically. There is a good amount of security required in this scenario though since it requires read access to the gmail account. We could open source it

[m0urs]

In the meantime I have moved to another Python library as base for my house automation control for Arlo: https://github.com/m0urs/arlo-fhem

[ptkmora]

Hi.
I would like to log-in in Arlo library and download the videos locally. I had a script for that, but stopped working at beginning of May with the error:
"403 Client Error: Forbidden for url: https://ocapi-app.arlo.com/api/auth".
This must be related with the 2FA issue of this post, I presume.

May I ask if there is a solution to log-in with 2FA, which I can integrate in my previous .py code?
(I studied this post, but I could not find a solution easy enough for my limited knowledge of python)

download_Arlo.py.PASSWORD_CANCELED.txt

The .py is called by this simple bash script:
archive_Arlo_2.sh.txt

Many thanks in advance if anybody can help on this.

[huberda]

Dear @ll,

i am still struggeling with all arlo-libraries (also pyarlo and arlo-fhem). It seems that cloudflare broke all implementations.
I disabled 2FA in my arlo account, but after multiple logons via script i receive e.g. CloudflareChallengeErrors.
=> After reconnecting my router to ISP its working fine again for 4-5 script-runs.

I already investigated a lot of time to get a stable and working script, but without success.
Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I am currently thinking about to sell my whole arlo setup, because this really su.....
=> and also netgear is not customer oriented!

Best regards!

[booi]

I took a small peek at the work required to get this integration working again and I don't think Arlo is the way forward for me personally. It would be easier (and cheaper!) to replace this setup than to try to shoehorn a new integration. @jeffreydwalter I don't know if you're still around but what did you end up doing?

[jeffreydwalter]

@huberda @booi the issue you guys are having is related to the requests library in Python 3.x. It's broken.

This library works fine if you disable Arlo 2FA and use Python 2.7.

[m0urs]

Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I tested with 2FA enabled which has been working as well. However, currently I am running without 2FA and it is very stable for me using my https://github.com/m0urs/arlo-fhem.

[m0urs]

Seems that they just changed something, at least if you are using 2FA with non-english langauge: twrecked/pyaarlo#63 (comment)

[huberda]

Thanks @jeffreydwalter; using python2.7 without tfa works fine for me again. I already moved all scripts to python3 in the past, so i never tried to downgrade it again.

[jeffreydwalter]

I've got an issue open with the requests project. They have acknowledged the regression, but it's not clear if they consider it a bug.
Basically, Arlo's Cloudflare proxy is blockin flagging all requests from the python 3 requests library as a bot... I'll put together a fix for this soon.

[ptkmora]

@jeffreydwalter Thank you so much for the quick and precious feedback. Reverting to Python 2.7 is the solution for my case. The script run by Pythin 2.7 works fine again as it was used to do before beginning of May, when the problem began. Many thanks again!

…

_________________________________________________

On Mon, 24 May 2021, Jeffrey Walter wrote: Date: Mon, 24 May 2021 14:23:54 -0700 From: Jeffrey Walter ***@***.***> Reply-To: jeffreydwalter/arlo ***@***.***> To: jeffreydwalter/arlo ***@***.***> Cc: ptkmora ***@***.***>, Comment ***@***.***> Subject: Re: [jeffreydwalter/arlo] 2FA support (#146) @huberda @booi the issue you guys are having is related to the requests library in Python 3.x. It's broken. This library works fine if you disable Arlo 2FA and use Python 2.7. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.[AUGJ3WZDXFQP46E2ZAYZP3DTPK7WVA5CNFSM4LE6NC42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOGKAXRZA.gif]

[neilferreira]

It looks like @jeffreydwalter has fixed the Python 3.x issue with a new version so I decided to give it a spin. I can confirm that the previous issue related to CloudFlare blocking Python ( 401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/login/v2) has disappeared!

I've run into another issue, however.

Is anyone else able to use the API at the moment with NO MFA on their account? I'm getting this, I'll need to debug it further.

  File "/opt/application/controller.py", line 36, in disarm
    arlo.CustomMode(basestation, mode=None, schedules=['schedule.1'])
  File "/usr/local/lib/python3.8/site-packages/arlo.py", line 435, in CustomMode
    return self.request.post('https://my.arlo.com/hmsweb/users/devices/automation/active', {'activeAutomations':[{'deviceId':device.get('deviceId'),'timestamp':self.to_timestamp(datetime.now()),'activeModes':[mode],'activeSchedules':schedules}]})
  File "/usr/local/lib/python3.8/site-packages/request.py", line 66, in post
    return self._request(url, 'POST', params=params, headers=headers, raw=raw)
  File "/usr/local/lib/python3.8/site-packages/request.py", line 57, in _request
    raise HTTPError('Request ({0} {1}) failed: {2}'.format(method, url, r.json()), response=r)
requests.exceptions.HTTPError: Request (POST https://my.arlo.com/hmsweb/users/devices/automation/active) failed: {'data': {'error': 'AUTO-5050', 'message': 'Failed to update Automation Definitions', 'reason': 'Unable to upload active automation. Please try again'}, 'success': False}

EDIT: May be a dupe of #168

[sfederman]

Hi all,

I'm having a similar issue with 2FA, the error 401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/users/devices.

Before 2FA was activated on my account, I could use this code without any issues, but now that 2FA is on (and I cannot deactivate it on my account), it no longer functions (to get regular snapshots, for an eventual time-lapse).

I can provide more details if necessary, but it seems some are able to use this repository with 2FA - what is the best method?

[jeffreydwalter]

For anyone looking to use mfa, this branch is working https://github.com/jeffreydwalter/arlo/tree/mfa-pr

It uses the Google Gmail API, so you'll have to set that up (see the docs folder): https://github.com/jeffreydwalter/arlo/blob/mfa-pr/docs/ARLO_MFA.md

[huberda]

@jeffreydwalter: Thanks for your update, i just implemented your new branch and its working fine!

For the mail-inbox did not matched your query-string, because alro-mails are sent in german language - therefore i adjusted:

line238: q=f'Arlo one-time authentication code after:{request_start_time}'
=> not matched in DE

I also opened a tickets @Netgear and asked for 2FA deactivation - but i dont think they will go for it.

Best regards

[Aeon]

@jeffreydwalter thank you for your hard work on this! One note on documentation - the documentation says to use http://localhost:7788 as redirect URL, with no trailing slash, but the gmail_oauth.py specifies it with a trailing slash, which causes google API to return an redirect_uri_mismatch error.

---

And, unrelated, a silly thing that bit me that I wanted to document in case anyone is googling for it - if you see errors like

'ascii' codec can't decode byte 0xe5 in position 1: ordinal not in range(128)

that most likely means that you may have ran the gmail_oauth.py script with python2, but are trying to run your script with python3... and the pickle formats are very different between python versions, so that will cause things to blow up with very little in a way of error context 💣

(not quite sure if there's some way to gracefully handle that with a better error message in LoginMFA function?)

To fix that, all you need to do is delete gmail.credentials, re-run the gmail_oauth.py with python3, and you should be off to the races!

[booi]

@jeffreydwalter @Aeon Thanks for the feedback, I made the doc changes in #178.

[kskenyon]

Wiki is still missing the slash after http://localhost:7788