ADT / Alarm.com now requires 2FA

[mikesalz]

I noticed my alarmdotcomajax installation stopped working last night. Errors below.

Probably not coincidentally, when I logged in to the alarm.com website I was forced to enable 2FA. Does alarmdotcomajax
support 2FA?

Log Details (ERROR)
Logger: pyalarmdotcomajax.pyalarmdotcomajax
Source: /usr/local/lib/python3.8/site-packages/pyalarmdotcomajax/pyalarmdotcomajax.py:135
First occurred: 6:53:48 AM (1 occurrences)
Last logged: 6:53:48 AM

Unable to extract system id from Alarm.com

Log Details (ERROR)
Logger: homeassistant.components.alarm_control_panel
Source: custom_components/alarmdotcomajax/alarm_control_panel.py:124
Integration: Alarm control panel (documentation, issues)
First occurred: 6:53:48 AM (1 occurrences)
Last logged: 6:53:48 AM

Error while setting up alarmdotcomajax platform for alarm_control_panel
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 197, in _async_setup_platform
    await asyncio.shield(task)
  File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 78, in async_setup_platform
    await alarmdotcom.async_login()
  File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 124, in async_login
    await self._alarm.async_login()
  File "/usr/local/lib/python3.8/site-packages/pyalarmdotcomajax/pyalarmdotcomajax.py", line 130, in async_login
    self._systemid = json["data"][0]["id"]
KeyError: 'data'

[aechelon]

@mikesalz, the plugin doesn't support 2-factor authentication. The workaround is to create a new sub-account that doesn't require 2-factor using the alarm.com website. The procedure is similar to that in the Multiple Alarm.com Installations section of the documentation.
There are other benefits of creating a dedicated sub-account for HomeAssistant -- primarily, you will be able to discern which events are triggered by HA in the history log on the alarm.com website.

@uvjustin, this comes up often enough that we probably need to add this information to the docs.

[jjohns63]

@aechelon That's a good suggestion, but having just gone through setting up a secondary login, that account faces the same issue. Logging in brings up a page forcing setting up 2FA, it does not bring you to the primary screen.

[mikesalz]

@aechelon Thanks for your quick response! I had the same experience as @jjohns63 when I logged in through the web UI. ADT/Alarm.com (not sure which is doing this) allows you to disable 2FA, but then forces you to turn it back on in order to do anything.

[aechelon]

Interesting. That behavior must be vendor-specific. I don't see the same with Brinks/Alarm.com.

[mikesalz]

Yeah, it kinda blows. Any ideas how to get around this? Or am I screwed now?

[aechelon]

Surely there must be a way to disable 2-factor authentication... Not ideal from a security point-of-view, but at least it would get the plugin working again.

[mikesalz]

I don't know. Technically, I do not have 2FA turned on. Yet. But immediately after logging in I get this:

And then I click Skip to get past it, but still this:

So they either have a bug, or they are forcing their users to enable TFA. :(

[aechelon]

Is this on ADT's website or alarm.com?
For Brinks when I input my credentials on the alarm.com site it forwards me to a brinks-themed version of alarm.com.

[mikesalz]

Same here. I input my credentials on alarm.com and then get forwarded to ADT. [https://control.adt.com/system-install/login-setup/two-factor-authentication/overview]

[mikesalz]

@aechelon I don't know what's going on here. This is weird. Most of the time the website acts how I described. But sometimes it lets me right in. When I restart HA, I'm still getting the error messages I originally posted. Do these look symptomatic of having 2FA enabled? Or could it be a different issue?

[mikesalz]

I have new info! I called ADT support. They said that there have been some changes (Not clear if these changes were on ADT's side or alarm.com's side). When logging in through alarm.com, they said they will always require 2FA moving forward. However, if you log in directly through ADT's site (https://control.adt.com) you can skip/disable 2FA.

Given this, is there any way I (or you) can change the URL that the integration uses to log in?

[aechelon]

I'll defer to @uvjustin, but I believe that the pyalarmdotcomajax library used by the plugin connects to a web API URL, which is not the same as the URL you would use to connect to alarm.com in a browser.

That URL looks something like this: https://www.alarm.com/web/api/systems/availableSystemItems.

This would indicate the change for 2-factor is on the alarm.com side of things, however if that were the case then everyone who uses alarm.com should be seeing the issue as well...

[jxbrown]

I'm having the same problem. Using ADT/Protection One with Alarm.com. I been using a separate account for year with no problem until last night. Getting the same errors as mikesalz.

Logger: custom_components.alarmdotcomajax.pyalarmdotcomajax
Source: custom_components/alarmdotcomajax/pyalarmdotcomajax.py:139
Integration: alarmdotcomajax
First occurred: 5:18:38 PM (1 occurrences)
Last logged: 5:18:38 PM

Unable to extract system id from Alarm.com

---

Logger: homeassistant.components.alarm_control_panel
Source: custom_components/alarmdotcomajax/pyalarmdotcomajax.py:134
Integration: Alarm control panel (documentation, issues)
First occurred: 5:18:38 PM (1 occurrences)
Last logged: 5:18:38 PM

Error while setting up alarmdotcomajax platform for alarm_control_panel
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 197, in _async_setup_platform
    await asyncio.shield(task)
  File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 48, in async_setup_platform
    await alarmdotcom.async_login()
  File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 70, in async_login
    await self._alarm.async_login()
  File "/config/custom_components/alarmdotcomajax/pyalarmdotcomajax.py", line 134, in async_login
    self._systemid = json["data"][0]["id"]
KeyError: 'data'

Any help resolving this issue would be much appreciated,

[uvjustin]

Hmm, that's interesting. We can try to help a little but it will be hard for us without this ADT issue to be able to make many changes or help troubleshoot. When you log in through https://control.adt.com , what url does it end up redirecting to?
If the web interface is the same and it's as simple as changing up the URLs, we can expose an option to do that in the component. But I'm worried that this is fragile and also that there may be more changes coming down the road for ADT users (and maybe for all ADC users)...

[jxbrown]

The https://control.adt.com/ site redirects to Alarm.com and brings up a page to setup 2FA. For me, it doesn't have a skip button to continue the login. When I go directly to Alarm.com, It shows the same page, but has a skip button.

redirect form: https://control.adt.com/

Logging directly into the Alarm.com site should the skip button mikesalz mentioned in his post.

Thanks

[uvjustin]

Unfortunately just having that click through page is already different than what I have access to on my end, so I won't be able to make a workaround without access to a subaccount.
Perhaps someone with the problem can try to make a workaround?
Otherwise, if you are willing to give me access to a secondary login to try to make a workaround, I can post a PGP key here and you can use it to post me the details for that login.

[mikesalz]

Hi @uvjustin - I can create a secondary login for a limited amount of time. I want to be very cautious with this, for obvious reasons. Would a Read Only account be sufficient for your testing purposes? For how long do you think you would need the login?

[uvjustin]

I think a Read Only account would probably work. I probably won't need it for more than a day or two.
Here's a PGP key to encrypt the user/pass with if you want to post it here:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBF+t5QUBDADI9XEvcTGN1lx1K41uA/F1Myac5ah3TDJQTZkA2FVPNwj5d8+B
29iAzziFG9YvTNZ7Ur2gt11O9A2WyLHF5B3/y5+YLrfXcJRU5SVsPSZL/ChG1SvS
GgZ8d3ZwMmgB5lPpLvKgarhWvbqLA+GJQj3BV2VqxvHIjSIm4hLhDVF8lf61ena5
xzo1jPkUuWd5z0MDzkZV/oqSdFtT9O9THPiCogbVLnooMHMhdbzwgWLg4iToJfUa
GgHKwVj5Sast6/O03nWZPH3D9AQBwibuMlz3/HYts6LwhuG6+woE7ku2uWTfEtQ7
38AkidLLHPjNm70FZUSQQboAN2Ny1qEx1tkWjGPS6z0Y5aju8aSuJQaqjkowdnjH
ey13YCJVNdGDq9mBrWEjcGF7uLqIMk5QoQqQNF2HGV3ee4s4wRhsonPdMy+10Js0
hR5s1oHwzxleYBR8YHnGxfWB4OCA1S9RF30ACbdmL7J1+WuW1Arl51AS0RT8GPP7
4Fhy17Zm2LsJwk8AEQEAAbQqNDYwODI2NDUrdXZqdXN0aW5AdXNlcnMubm9yZXBs
eS5naXRodWIuY29tiQHUBBMBCAA+FiEET96rAo4cr1L9RJKpRpuXBvJFvB8FAl+t
5QUCGwMFCQPChrsFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQRpuXBvJFvB8P
1gv7Bxr07tb4mJpMfnaKXhGiEzq4EqHxsQwwsCAxXi0LpyFe9PZ2NgF2Eq2ZsWU9
3eecdjJJE/60Jic8youYGeTNTPPOj8u+lbzyGO1WU5wdvPv1dA4Wweq1Vo57E0eR
YLQJwtDT1+SlCWQm2zYVn8ikBjHMHHmHAepqseh7I5Prp5236AYA/JaA55Xz3EAb
s93R0mCxQHEbfGbWlKia3rj40ZVdL3b7xbiAKB9uNl6V1IwyZrgELZ8Dm7yNJpUF
o7DkvBEzueLi5DJHK/BqJPYj/RkepiwsVB/nHU5lEd9rOuFcj0VNr0EVfDt8rDD3
Aklt+Ch4lAVJrunXtpX94Xo5UEOBC6PJUZUKRPnVfpKj7nLB7TWBp9Z5lIopPyzs
j8j2fX31Ff6PDZf8H35PDuM8Mfq2U1xAHwQzqaBrRkVI3We89qzmZWk2WRdpvtkH
Rb9ojjYUDYiBj7yAoUrTlK9If6TpUvYjHCj1i/LRsMKXy52n6cye3yPqTBHR8tcd
gu2EuQGNBF+t5QUBDACuBAXwIWMixotQKoBQfY5zbP+083H2SH9DEfReVxzhaQ4n
RyiSkQtSOa5sXeeyFKOTTn9+pZFoMIvtT0VEeoBEeDXw8wj1HsxD634dtVWKw+9B
rHa/zwDcTdhdfRDcaVzd2/Q1PCixSQEQ7Nh93BQyZQsFT/Kp2j5bgT+7Rg5OcIy3
H5RZFUHw4upnEW6JDxcPgKWNvAxcshHVPJnDvFFM7znQu0NlPoohZNQB7PayHBDQ
cKfCWh40yPIbENlT7mp8hwpQ3BwDgRO3KyIufUkDnmzIkQkwYZoQW2JlYHrWvYM+
hhmC6UnSSsJQJ0zsKIOkDY4yeiFd7IiJErbB8GTsDX3LZ/AbVQVXMVdP8QmsvLfJ
2YO7xU4cAlQze0ZDjxmkXNM5Ma8aRZpZHty++Nm3cBqKFrPcF3B/haRAv4ECmmK3
usVlWh38jnT02lpqZ6qUSFB5w8MvTLkzNWsI7nXRL3w/8JldYH1E4+I7nUqJvziw
AbHLqbhtpIj2E8UfEUEAEQEAAYkBvAQYAQgAJhYhBE/eqwKOHK9S/USSqUablwby
RbwfBQJfreUFAhsMBQkDwoa7AAoJEEablwbyRbwfPqAMAIgKc1g7NqhIsym1WOEa
frziT8XDOU+VlWWIqVI4PeI26WMbd5cBUCKp1lZIdijwpNWySoUiqk05u6EDP808
H7EqSi6wXljQ8G4xqSJ51/Y4CZeGJ0iOLDvb4NuizTiAtRZTfJ/LUklGfWKDoCUL
XWzfu0Se98Qr82N5Gujhs4m42J3ufv4psw6drwKqD9tDfH7GDPOBwiFmzED3lswe
8yUIq4JC1gNFGv7xlJTrf7WJgu5T7eNOsM5wyzXGiT4iNkik5kHecr2lYAcw9Hb2
pzjHJBLsJ1bQ6qoYAUzZDP7UkZ/i0lOqBdKlku7TaCwNa8CFu9uJkHLYPyB22Ylu
0RsBq+T9Jb5WpowpWgN/ryBs1tZKomSvIZKh6yU93VJdSUjDf3kTyvzpjEFCrNAT
9/DB3QASkwHEbZA2NzU0SPd3p8dms1M8z0RyUSfIJw0r8WYRFgwus0zOUmVsgXD2
gaXgHbOoxYMXbUsV0Q0SnvO1Pt5YpLj++acK0P+e+uJJ2A==
=Za8x
-----END PGP PUBLIC KEY BLOCK-----

[mikesalz]

Are you also @uvjustin on the Home Assistant forum? If so, I can just send it to you in a PM there. Even encrypted, I feel weird about posting it here.

[uvjustin]

OK, send it there.

[mikesalz]

Sent. Please let me know if you got it. Thanks!

[jxbrown]

@uvjustin and @mikesalz - Thanks for looking into this. Will you be posting updates here or on the Home Assistant forum?

[uvjustin]

Just pushed the changes to the library and the component. See if it works for you.

[jjohns63]

The updated library is working for me, after adding ADT: true to my configuration

[uvjustin]

@mikesalz was able to get it working too. I hope this fix holds and there aren't more changes on deck. Unfortunately if the ADT portal diverges more from the standard ADC one, it will probably be hard for me to keep up with the changes, so we will need someone either to help update/maintain the ADT code here or perhaps to fork the component/library to an ADT specific one.

[jxbrown]

@uvjustin - Thanks for you help with this, I did not change update the code and the site just working again? My pyalarmdotcomajax.py file is dated 3/18/20. Would you still recommend I update the code to the latest?

[uvjustin]

If it's working for you then there's no need to update. Maybe they removed the 2FA check so the workaround is no longer necessary.

[jxbrown]

Ok. Thanks again for your help.

…

On Sun, Nov 15, 2020 at 10:57 AM uvjustin ***@***.***> wrote: If it's working for you then there's no need to update. Maybe they removed the 2FA check so the workaround is no longer necessary. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#21 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AMDB32XUSOCI67BJZPEIR4TSQAQBDANCNFSM4TR77JMQ> .

[mikesalz]

@jxbrown Not sure how it is working for you? Just now I took out out adt: true and it failed with the same error as before. Maybe your setup is different, but mine definitely needs adt: true in order to function.

[jxbrown]

@mikesalz - I'm a Protection One customer so we may have a different ways of connecting to Alarm.com

[mikesalz]

@uvjustin Would you believe they took out the Skip screen!? I happened to restart HA today, and when it came up the Alarm.com integration didn't load. I opened alarm.com in a browser and logged in, and it took me straight into my account, without the Skip screen. So I commented out adt: true in the config, and then the integration worked again. I wouldn't pull your code just yet - who knows what they are going to do in another week! But i just wanted to give you the heads up that adt: true is (temporarily?) not working due to this recent change.

[uvjustin]

OK, well I'm glad it worked for a week or so. As long as the regular non ADT way still works I won't change anything.

[mikesalz]

@uvjustin And now the Skip screen is back, and it is forcing 2FA! ADT sucks. I switched my config to adt:true and it started working again. I know you've put a lot of time into this thing, but I'm just curious... How hard would it be to build in an automatic try so that if adt: false does not work, it fails over to adt: true?

[uvjustin]

Not hard, but I would do it the other way around, first trying the ADT way if adt is true and then trying the normal way if it doesn't work. Doesn't make sense for us non-ADT users to try to use the ADT way if there is some error.
It's weird that they are going back and forth with this stuff.

[mikesalz]

That makes sense. Is that something I can/should do on my end, or are you thinking you'd make the change to the integration?

[uvjustin]

If they change it back again, PM me another temp login. That way I can make and test a change to the ADT code that will fail over to a non 2FA login.

[mikesalz]

You got it. Thank you, kind sir!

[jxbrown]

@mikesalz - Are you having issues again? I rebooted last night and now I'm getting this error.

**Logger: custom_components.alarmdotcomajax.pyalarmdotcomajax
Source: custom_components/alarmdotcomajax/pyalarmdotcomajax.py:139
Integration: alarmdotcomajax
First occurred: 7:37:22 AM (1 occurrences)
Last logged: 7:37:22 AM

Unable to extract system id from Alarm.com**

@uvjustin - I'm seeing this error as well.

**Logger: homeassistant.components.alarm_control_panel
Source: custom_components/alarmdotcomajax/pyalarmdotcomajax.py:134
Integration: Alarm control panel (documentation, issues)
First occurred: 7:37:22 AM (1 occurrences)
Last logged: 7:37:22 AM

Error while setting up alarmdotcomajax platform for alarm_control_panel
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 197, in _async_setup_platform
await asyncio.shield(task)
File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 48, in async_setup_platform
await alarmdotcom.async_login()
File "/config/custom_components/alarmdotcomajax/alarm_control_panel.py", line 70, in async_login
await self._alarm.async_login()
File "/config/custom_components/alarmdotcomajax/pyalarmdotcomajax.py", line 134, in async_login
self._systemid = json["data"][0]["id"]
KeyError: 'data'**

Should I upgrade the code to use the ADT flag? Here's my directory structure if this helps.

Thanks

[mikesalz]

@jxbrown I have had to toggle back and forth between have that flag set to true and false, depending on what ADT feels like doing that day. Mine is currently set to true and is working.

[jxbrown]

@mikesalz Thanks. That helps.
Can you share what your configuration.yaml looks like? I think I'm using old code from 2 years ago.

@mikesalz @uvjustin
Here's my configuration.yaml

Alarm.com

alarm_control_panel:

• platform: alarmdotcomajax
  username: !secret adt_username
  password: !secret adt_password
• platform: aarlo
  home_mode_name: home
  away_mode_name: armed
  trigger_time: 30
  alarm_volume: 8

[mikesalz]

@jxbrown Here is mine. You are missing is adt: true - Assuming you have an ADT alarm.
Also, it looks like you don't have the newest version (which might mean that you don't even have the adt parameter available). They renamed the integration from alarmdotcomajax to alarmdotcom. Are you using HACS to keep it updated?

alarm_control_panel:
  - platform: alarmdotcom
    name: Alarm
    adt: true
    username: xxxxxxxxxx@xxxxxxx.xxx
    password: ************

[jxbrown]

@mikesalz This was pretty old install - I did not use HACS. Can you send me a link to the install guide? Do I need to do an uninstall before using HACS?

Thanks

[mikesalz]

@jxbrown There's not much to do to uninstall it. Just delete/remove the alarmdotcomajax folder from your custom_componets directory. You might want to temporarily comment out your config until you have the new version installed.

Then install HACS (Home Assistant Community Store) via the UI using Configuration > Add Integration. It should give you any instructions you need for installation.

Once HACS is installed, you'll see a new HACS button on your left menu in HA. Go there to install individual integrations, such as alarmdotcom.

After you get that installed, uncomment your config and remember to change alarmdotcomajax to alarmdotcom.

HACS has all sorts of great integrations that are not natively available in HA. There is also a bunch of garbage in there. =) But you might come across some other integrations that are useful to you. And updates are maintained in HACS.

[jxbrown]

@mikesalz Thanks! I'll give it a shot and report back.

[jxbrown]

@mikesalz - I could not find the HACS Integration so I installed via the readme on this page. Here's what I noticed.

When trying to login via https://control.adt.com the system redirects me to https://www.alarm.com/system-install/login-setup/two-factor-authentication/overview and forces me to setup 2FA. No skip option is available.

Here's the error I get:
ERROR (MainThread) [pyalarmdotcomajax.pyalarmdotcomajax] Unable to extract data from adt.com
ERROR (MainThread) [homeassistant.components.alarm_control_panel] Error while setting up alarmdotcom platform for alarm_control_panel

I use protection one alarm system and login into Alarm.com directly. It brings up the 2FA screen but I'm able to skip and continue on. Wondering if you login into Alarm.com https://www.alarm.com/ if that works for you?

@uvjustin - Is there a way you can create an 2nd option for those who use Protection One or login directly to Alarm.com (https://www.alarm.com/)?

Thanks.

[jxbrown]

@mikesalz - Can you reopen this issue for tracking or should I open a new issue?

[mikesalz]

@jxbrown I don't understand - Do you have an ADT system or a Protection One system? I think @uvjustin made changes to the integration specifically for ADT.

I would just create a new issue. This one is closed, so @uvjustin may not even be following the thread anymore.

And in the meantime, work on getting HACS installed. That will make your life much easier! https://hacs.xyz/docs/installation/manual

[jxbrown]

@mikesalz - I have a protection one system. I think you're right that @uvjustin is may not be tracking this thread anymore.

I have HACS installed but I cannot find the alarmdotcom integration. Is it under another name?

[mikesalz]

@jxbrown Just to make sure, you are clicking the bottom right "Explore & Add Repositories" button, right?

I just checked out HACS. It looks like the search omits any custom components you already have installed. So if you still have your old version installed, it might recognize that and screen it out of the search. Just a guess. The name is Alarmdotcom.

[jxbrown]

Thanks @mikesalz for the info, I think I have the latest installed by using the instructions on this page.

I created a separate issue #28 in hopes to get this resolved.

[mikesalz]

@jxbrown Glad you got it installed. I know your issue isn't resolved just yet, but at least you have an easy way to keep up with updates now.

[mikesalz]

@jxbrown (and anyone who might be encountering this issue) Just an FYI - I started encountering new issues with my ADT login (again!!!). @uvjustin jumped right on it because he is awesome, and came up with a new solution. The adt: and protection1: parameters are going to be deprecated, and will be replaced with a cookie that is set when logging in through the alarmdotcom portal. See readme:
https://github.com/uvjustin/alarmdotcom#two-factor-authentication

# Example configuration.yaml entry
alarm_control_panel:
  - platform: alarmdotcom
    username: YOUR_USERNAME
    password: YOUR_PASSWORD
    code: "01234"
    force_bypass: "true"
    no_entry_delay: "home"
    silent_arming: "false"
    two_factor_cookie: "0000111122223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFF0000"

[jxbrown]

@mikesalz Thanks for the heads-up. I noticed with 0.1.7 that the account I use for Alarm.com repletely tries to login. I rebooted and the account tried to login 47 times in one minute.

I'll try 1.8 to see if that helps.

[jxbrown]

@mikesalz Back up and running with the 2FA code thanks again for the heads-up. @uvjustin Thanks again for fixing this.