Life360 fails authentification again

[smarthomefamilyverrips]

The problem

after working since fix in 2023.12.4 now again I have problems with authentification of life 360

Logger: homeassistant.components.life360 Source: helpers/update_coordinator.py:353 Integration: Life360 (documentation, issues) First occurred: 5:20:34 PM (1 occurrences) Last logged: 5:20:34 PM

Authentication failed while fetching life360 (xxxxxxxxxxxxxxx@gmail.com) data: ClientResponseError: 403, message='Forbidden', url=URL('https://api-cloudfront.life360.com/v4/circles')

What version of Home Assistant Core has the issue?

2023.12.4

What was the last working version of Home Assistant Core?

2023.12.4

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Life360

Link to integration documentation on our website

https://www.home-assistant.io/integrations/life360

Diagnostics information

N/A

Example YAML snippet

N/A

Anything in the logs that might be useful for us?

Logger: homeassistant.components.life360
Source: helpers/update_coordinator.py:353
Integration: Life360 (documentation, issues)
First occurred: 5:20:34 PM (1 occurrences)
Last logged: 5:20:34 PM

Authentication failed while fetching life360 (smarthome.family.verrips@gmail.com) data: ClientResponseError: 403, message='Forbidden', url=URL('https://api-cloudfront.life360.com/v4/circles')

Additional information

N/A

[home-assistant[bot]]

Hey there @pnbruckner, mind taking a look at this issue as it has been labeled with an integration (life360) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `life360` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign life360` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

_{^{(message by CodeOwnersMention)}}

---

life360 documentation life360 source _{^{(message by IssueLinks)}}

[Mark612]

Same. Looks like the engineers may have changed something again in their unsupported API.

[Bhorn25]

Same here not working again.

[andyz68]

Same for me right now.

[aaronburt]

Confirmed, same issue at OP.

Error requesting *** data: ClientResponseError: 403, message='Forbidden', url=URL('https://api-cloudfront.life360.com/v4/circles')

[cityfanminimos]

I had the same issue yesterday, removed the plugin, reset my life 360 password, and applied the fix from the other issue report. All started working again, but like everyone above it has happened again today. (I fixed this back in late Dec also when the issue first arose)

I wonder if the API needs reauthentication every so often now, and the old auth token then ends up locking the account

[sebastian-bugajny]

Same problem for me appeared today. HA version: 2023.12.4

[CAVACO-PT]

same here

HA version: 2023.12.4

[milkog]

Same here, HA 2023.12.4

[wokkeltje13]

Same here, HA 2023.12.4

[lor74]

Unfortunately… same here :( Core:
2024.1.0b7

[bigboban]

I received this email, maybe it is the reason? I think "suspicious activity" is HA?

Dear Valued Member,

At Life360, the security of our products and services has always been among our top priorities. We are continuously monitoring and implementing features designed to enhance the security of our products and security for our members.

Recently, we identified suspicious activity in which an unauthorized person used credentials (email address and password) obtained from outside sources to attempt to access your account. Based on our investigation to date, we have no evidence of unauthorized access to Life360 user location information, payment card information, or physical addresses. To safeguard against further suspicious activity, we took the precaution of resetting your password.

Life360 has introduced a new way to further safeguard your account by using one-time-passcodes delivered to your verified phone number when logging into your account, instead of passwords. Enrolling in passwordless login is the best way to prevent password misuse and protect your personal information, so please take a few minutes to enroll now.

Take action to further safeguard your account now:

In the Life360 App, visit Settings → Account → Phone Number and verify the phone number associated with your account. Afterwards, you’ll log in by receiving a code delivered directly to your phone instead of using a password.

In addition to enabling passwordless login on Life360, we encourage you to change the password on any online service for which you have used the same or similar credentials at Life360 or elsewhere.

Security is an important part of our commitment to keep families safe online and in the real world. Thank you for taking the time to read this message and taking steps to protect your account.

Best regards, Chris Hulls, CEO

[kisdominik]

Same here, HA 2023.12.4

[wokkeltje13]

received the same mail a couple of days ago.

[dmtalon]

I too believe like @bigboban said, that email is the likely indication of the latest problem. Until I got that email I could still log into life360 web with just email / password. Since that email it requires confirming the 2fa code from my phone number.

HA was working though until this morning. It appeared to be working when I left the house, but then stopped sometime around 10am eastern.

[stevebus]

I hate adding "+1" comments to github issues, but "+1".

Stopped working for me just this morning. Life360 app did have me validate my phone number a couple of days ago, and I got the email mentioned above one day last week, so it's probably related...

edited: forgot to add, running 2023.12.4, which until this morning had fixed the previous auth issue from last month

[pnbruckner]

I can confirm something did indeed change today that broke the integration again. Some investigation seems to imply it is more subtle than previous changes. It is getting too difficult to keep up. I'm personally giving up. It is very likely the integration will be removed.

[pantherale0]

I'm not sure there is a fix for this... for the more technical minded - Life360 proxies its backend API for the mobile app via cloudflare. The source of all the 403 errors comes from cloudflare blocking the request (which will most likely be configured by Life360 themselves as some form of firewall / page rule - https://developers.cloudflare.com/rules/).

Watching the web requests the mobile app makes and then replicating them like for like (headers, urls, body, cookies etc.) outside of the app results in the above 403 error produced by cloudflare.

Pretty much all of the old v3 endpoints and newer v4/v5/v6 endpoints return the same problem. Further testing using 2FA also has produced the exact same result, although interestingly I can use other clients to send and issue an access token with SMS based OTP, just not directly with a username/password.

EDIT: v5 and v6 related endpoints are working, although to retrieve a list of circles (and consequently their IDs), you need to use the v4 endpoint as "circles" doesn't exist as an endpoint outside of that)

[Mark612]

Thank you pnbruckner for all the work. Hopefully we can figure it out or the company releases an API.

[samsonusmc]

I know not exactly the same thing, but I changed all my automations to use "Person" and have BOTH L360 and Home Assistant devices (with the Home Assistant App) to provide location information. It has helped weather the storms for the L360 integration blocks.

[bigboban]

@danielbrunt57 you wrote "HERE are the top five alternatives to Life360 on iPhone and Android"

Where?

[renewoensdregt]

Click the first link in his post.

---

From: bigboban @.> Sent: Wednesday, January 3, 2024 7:44:46 PM To: home-assistant/core @.> Cc: renewoensdregt @.>; Manual @.> Subject: Re: [home-assistant/core] Life360 fails authentification again (Issue #106967)

@danielbrunt57https://github.com/danielbrunt57 you wrote "HERE are the top five alternatives to Life360 on iPhone and Android"

Where?

— Reply to this email directly, view it on GitHubhttps://github.com/home-assistant/core/issues/106967#issuecomment-1875808594, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AM63QKRPCXVAWN7SKJ2N4EDYMWRJ5AVCNFSM6AAAAABBLS65W2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZVHAYDQNJZGQ. You are receiving this because you are subscribed to this thread.Message ID: @.***>

[supermarkert]

@danielbrunt57 you wrote "HERE are the top five alternatives to Life360 on iPhone and Android"

Where?

I humbly request we not keep discussing alternatives/opinions? This Github issue and discussion thread is specifically for trying to find solutions to the current integration problem in Home Assistant. If you want to discuss your opinions of Life360 in general, you can open a discussion on the Home Assistant community forums, or literally anywhere else. Every time someone posts here (including "Same for me") then it pings that message to everyone that's subscribed looking for a solution to the problem. Thanks. (rant over)

[Tommaso2020]

Same for me. HA Core 2023.12.4

[dmtalon]

Life360 is just plain bad. Check this out: #Life360 – a popular location-sharing app used by over 33M users is in news for all the wrong reasons. The company was caught selling user location data to dozens of data brokers in the industry. Life360 CEO’s sugar-coated comment further strengthens the authenticity of the report. If you are looking to get out of Life360’s privacy nightmare, here are the top five alternatives to Life360 on iPhone and Android.

I mean, that's great and all, I think most people using HA are aware of privacy concerns related to Life360, and honestly don't believe this comment belongs here.

That said, you can opt out of them selling your information (assuming they honor your request) right from their app.

[celoberger]

Same here

[danielbrunt57]

comments have been deleted...

[balloob]

We are aware that Life360 is broken. As reported above, using Cloudflare is not something that is worth fighting over with them. We've tried reaching out to them and have not heard back yet. We have one final lead we're trying but I wouldn't hold my breath.

Its' time to look for alternatives (like the Home Assistant app itself) but our issue tracker is not the right place for that. Please use the community forums, Discord or Reddit. Thanks.

[holstweb]

Problem is also persistent in HA 2024.1.0. I even created a special account with it's own phone/email/password, but unfortunately that doesn't work either.

[MiGoller]

Hey, I can confirm the same issue for the Life360 integration in ioBroker: Same problem since today: https://github.com/MiGoller/ioBroker.life360/issues/88

[MadJalapeno]

Just want to say thank you @pnbruckner for all your hard work on this. Very much appreciate it, and it's a shame they don't want to offer an API we can use, even for a small payment.

[brpeterso]

@pnbruckner , Take a look at the life360+ app for Hubitat. This guy has been able to keep up with the changes so it doesn't go down, even when the regular hubitat life360 and HA life360 goes down. It may help...

https://community.hubitat.com/t/release-life360/118544

https://github.com/jpage4500/hubitat-drivers

[pantherale0]

life360+ app for Hubitat.

https://github.com/jpage4500/hubitat-drivers

The http requests used here are based on the previous fix, and also some newer changes to the user agent that I've already made (https://github.com/jpage4500/hubitat-drivers/pull/29 / https://github.com/jpage4500/hubitat-drivers/commit/9d082567b2b6ad7e282d70c11d80884bb9925b0a / https://github.com/pnbruckner/life360/pull/12 / https://github.com/pnbruckner/life360/pull/10)

I've got a suspicion that Life360 have enabled Cloudflare's "enhanced bot protection" (I think thats what its called in the rules, but more info on their "bot" protection here https://www.cloudflare.com/en-gb/application-services/products/bot-management/).

To keep it as simple as possible, these fingerprints that Cloudflare goes on about are actually the fingerprints of the underlying https connection itself as far as I'm aware, which if that's the case, these fingerprints can vary from client to client and can't easily be spoofed as this happens after the TCP connection is established, but before the HTTP request is sent (https://developer.okta.com/books/api-security/tls/how/#tls-how).

That might even be why the hubitat integration is still working, because the fingerprint of that TLS session could be different to the one used in aiohttp

as @balloob has said, this is simply not worth fighting over at this point, we'd probably have to build a whole new http requests library from scratch, based from okhttp3 to spoof the fingerprint of those TLS sessions.

EDIT: uploading the full list of API endpoints that are within the latest version of the mobile app for other devs to explore (2.50.0)

MembersEngineNetworkApi.txt

[gamajunior]

Same for me HA 2024.1.0

[lor74]

We are aware that Life360 is broken. As reported above, using Cloudflare is not something that is worth fighting over with them. We've tried reaching out to them and have not heard back yet. We have one final lead we're trying but I wouldn't hold my breath.

Its' time to look for alternatives (like the Home Assistant app itself) but our issue tracker is not the right place for that. Please use the community forums, Discord or Reddit. Thanks.

I have started replying to this post in the Home Assistant forum

[almoney]

I still run Hubitat to support my old zigbee devices so I exported my Life360 devices to HA and created device trackers for the gps locations.

[dvbit]

I can confirm something did indeed change today that broke the integration again. Some investigation seems to imply it is more subtle than previous changes. It is getting too difficult to keep up. I'm personally giving up. It is very likely the integration will be removed.

Hi some time ago you published and alpha alternative refactoring of the life360 integration. Is that failing too? If not do you mind republishing it? Thank You.

BTW: fully understand giving up on running after API changes

[pnbruckner]

Hi some time ago you published and alpha alternative refactoring of the life360 integration. Is that failing too?

Yes, it uses the same PyPI package to communicate with Life360, so it suffers from the same issues.

[bigboban]

I did nothing but IT WORKS now!!

[smarthomefamilyverrips]

Here not! it still not passes authentication

[robertvanlienden]

@bigboban Nice to see! Maybe you can figure out how you did this, and you can share this? Personally would really like to have this integration work fine, but I can understand that the maintainer right now don't have the time/energy to keep up with the issues from last year...

Maybe with your changes, a new fix can be released :smiley: . If I have some time next days, maybe I will also dig into this :-)

-- Edit -- Sorry, thanks @danielbrunt57... Seems that it was too late to comment for me :see_no_evil: .

Still; For some reason your life360 integration seems to work again? Really sure you did absolutely nothing? :thinking: Sounds wierd that your integration just randomly started working again

[danielbrunt57]

Maybe you can figure out how you did this

@robertvanlienden He told you how he did it...

I did nothing

[JeedHome44]

hello,

last time I modified the code so that everything worked again.

can you tell me what to change now?

I see someone has managed to resolve the problem.

[JeedHome44]

I did nothing but IT WORKS now!!

Can you copy your file360 folder and share it please ?

[bigboban]

I repeat again - i did NOTHING, i have clear HA installation without custom modifications (in life360). I think it works randomly, because my second HA server still failing with same Life 360 credentials. On first HA it started to work in random time, without any changes in that time made by me.

[skgsergio]

It is sad, but I'll "vote" to remove life360. I used it a lot (but nowadays I also have the HA app on our phones), and I'll probably cancel the suscription after this.

[JeedHome44]

I just test OwnTracks with Home Assistant and it works perfectly !

[MRobi1]

I just test OwnTracks with Home Assistant and it works perfectly !

Give it time. I've tested OwnTracks 3 or 4 times over the past few years, hoping to replace Life360 and keep data in house. Every time after a week or so, it just stops updating location. Regardless of battery optimization settings and disabling them all, this has happened every single time on multiple versions of Android. Re-opening the app will get it updating again.

[bigboban]

A little note from me. As Life 360 was alive again this morning it is dead again this evening. Unreliable, unusable.

[JeedHome44]

I just test OwnTracks with Home Assistant and it works perfectly !

Give it time. I've tested OwnTracks 3 or 4 times over the past few years, hoping to replace Life360 and keep data in house. Every time after a week or so, it just stops updating location. Regardless of battery optimization settings and disabling them all, this has happened every single time on multiple versions of Android. Re-opening the app will get it updating again.

I test it with my iPhone ! 😉