2FA support

[alexeyvasilyev]

Got Arlo's that said "Two-step verification is an added layer of account security to verify that it's really you, even if someone knows your password. By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security"

At the moment 2FA is not working for these Arlo python scripts.

What version of Python are you using (python -V)?

Python 3.7.6

What operating system and processor architecture are you using (python -c 'import platform; print(platform.uname());')?

uname_result(system='Darwin', node='PC', release='19.3.0', version='Darwin Kernel Version 19.3.0: Thu Jan  9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64', machine='x86_64', processor='i386')

Which Python packages do you have installed (run the pip freeze or pip3 freeze command and paste output)?

arlo==1.2.33
certifi==2019.9.11
chardet==3.0.4
idna==2.8
monotonic==1.5
PySocks==1.7.1
requests==2.23.0
six==1.12.0
sseclient==0.0.22
urllib3==1.25.6
virtualenv==16.7.8

Which version of ffmpeg are you using (ffmpeg -version)?

ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with Apple clang version 11.0.0 (clang-1100.0.33.16)
configuration: --extra-cflags=-fno-stack-check
libavutil      56. 31.100 / 56. 31.100
libavcodec     58. 54.100 / 58. 54.100
libavformat    58. 29.100 / 58. 29.100
libavdevice    58.  8.100 / 58.  8.100
libavfilter     7. 57.100 /  7. 57.100
libswscale      5.  5.100 /  5.  5.100
libswresample   3.  5.100 /  3.  5.100

Which Arlo hardware do you have (camera types - [Arlo, Pro, Q, etc.], basestation model, etc.)?

Arlo Camera, Arlo Base Station

What did you do?

Enabled 2FA support on Arlo app (Settings - Profile - Login Settings - Two-Step Verification - Enable=true).

What did you expect to see?

python arlo-streamingvideo.py
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
  built with Apple clang version 11.0.0 (clang-1100.0.33.16)
  configuration: --extra-cflags=-fno-stack-check
  libavutil      56. 31.100 / 56. 31.100
  libavcodec     58. 54.100 / 58. 54.100
  libavformat    58. 29.100 / 58. 29.100
  libavdevice    58.  8.100 / 58.  8.100
  libavfilter     7. 57.100 /  7. 57.100
  libswscale      5.  5.100 /  5.  5.100
  libswresample   3.  5.100 /  3.  5.100
Input #0, rtsp, from 'rtsps://vzwow42-z1-prod.ar.arlo.com:443/vzmodulelive/5EM28975A2C12_1583845297713?egressToken=d0ca19d6_ade1_4852_aaf3_5235fe5c9266&userAgent=iOS&cameraId=5EM28975A2C12_1583845297713':
  Metadata:
    title           : 5EM28975A2C12_1583845297713
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Audio: aac (LC), 16000 Hz, mono, fltp
    Stream #0:1: Video: h264 (High), yuv420p(progressive), 1264x704, 24 fps, 100 tbr, 90k tbn, 48 tbc

What did you see instead?

$python arlo-streamingvideo.py
401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/login/v2

Does this issue reproduce with the latest release?

Yes

[jeffreydwalter]

I don't really think there's going to be a solution to this.

[jeffreydwalter]

I just enrolled in 2FA and the only possible solution I see is to configured 2FA to use email, then write some code that gets the 2FA code from your email and sends it to the Arlo API. Of course, this library does not support that currently.

[m0urs]

This is really a very bad decision by Arlo as it will break all kind of external automation together with the Arlo cams. We really should send them many mails and comment in the forums so that they at least will either make it not mandatory or provide a kind of application passwords as it is done with other providers.

[jeffreydwalter]

Yep, unfortunately, that's our only recourse.

[m0urs]

So, let's tell them ... https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1760890#M4454

[m0urs]

Jeffrey, I tried to play with the 2FA and Python as I do have the possibility to receive SMS with my Raspberry where my Home Automation system is running and thought, maybe I would be able to read that SMS and use it for login via Python.

The 401 error which is currently thrown is because the Login call tells us:

{'error': '1900', 'message': 'To access your account, please download our new Arlo app or disable two-step verification.', 'reason': 'Please update to the latest version of this app, or deactivate Two-Step Authentication on your account, to login on this device.'}

So for me it seems that the API calls have changed to a somehow newer version which supports both 2FA and non-2FA.

How did you get all the the information about which GET/POST requests are used by Arlo? The calls made by the web browser seems to be totally different from the requests made by the Python script.

So I am bit lost now. Maybe you can help me a bit so that I can continue playing. Thanks!

[jeffreydwalter]

@m0urs I use the Network tab in Chrome's developer tools.

They have new auth endpoints, which this library isn't updated to use yet: General:

Request URL: https://ocapi-app.arlo.com/api/auth
Request Method: POST
Status Code: 200 
Remote Address: 104.18.30.98:443
Referrer Policy: no-referrer-when-downgrade

Request Headers:

:authority: ocapi-app.arlo.com
:method: POST
:path: /api/auth
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
auth-version: 2
content-length: 125
content-type: application/json; charset=UTF-8
cookie: __cfduid=XXXXXXX; __cfruid=XXXXXXX-XXX; 
dnt: 1
origin: https://my.arlo.com
referer: https://my.arlo.com/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
source: arloCamWeb
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Request Body:

{email: "jeffreydwalter@gmail.com", password: "XXXXXXXXXXXX",…}
email: "jeffreydwalter@gmail.com"
password: "XXXXXXXXXXXX"
language: "en"
EnvSource: "prod"

Response Headers:

access-control-allow-credentials: true
access-control-allow-origin: https://my.arlo.com
cf-cache-status: DYNAMIC
cf-ray: 572f685e38e37ada-MCI
content-encoding: gzip
content-type: application/json; charset=utf-8
date: Thu, 12 Mar 2020 17:59:12 GMT
etag: W/"25a-ic0uE7Ob0UwLOmICOdCpZMQlp4Y"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
status: 200
strict-transport-security: max-age=15552000; includeSubDomains
vary: Origin, Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Response Body:

{"meta":{"code":200},"data":{"_type":"AccessTokenV2","token":"XXXXXXX-XXXXXXX-XXXXXX-XXXXXXX-XXXXXX-XXXXXXX","userId":"XXX-XXXXXXX","authenticated":1584035951,"issued":1584035951,"expiresIn":1585331951,"mfa":false,"authCompleted":true,"type":"USER","MFA_State":"ENABLED"},"domain":"ocapi-app.arlo.com"}

[m0urs]

Thanks, so I was on the right way ... Guess I need to some try and error now ;-)

[m0urs]

After that there is a "GET https://ocapi-app.arlo.com/api/validateAccessToken?data = XXXXX' where "XXXXX' is the value from the field 'authenticated' from the request above.

This requests fails :

Request (GET https://ocapi-app.arlo.com/api/validateAccessToken?data%20=%20XXXXX) failed: {'meta': {'message': 'Access token is invalid', 'code': 400, 'error': 9022}}

I guess because I am missing the correct value for the "Authorization" header variable. It seems that this is NOT the value from 'token' (starting with "2_") which we get from the first request but something which looks totally different and starting with "Ml9":

Authorization: Ml9vaG13NnJ6SDZBOTBTbW9V......lFdzllZWdS

I have currently no idea where this value comes from or how to calculate it from other fields. Maybe it is some kind of hash of the token.

Maybe someone from the community can do also some tests here and give me a hint from where this "Authorization" header is coming.

The password for the new API is also somehow hashed (but this would not be such a big problem).

[death2all110]

@jeffreydwalter Are there any plans to update the library with the new endpoints? This hasn't worked for me for a while, and I'm honestly not sure where to begin with doing it myself and doing a pull request.

[m0urs]

I am currently playing around with it a bit. However, I cannot promise that this will lead to a positive result ;-) - and I cannot tell you about a time frame.

[m0urs]

Maybe Arlo will not set 2FA mandatory as they had communicated up to now. If I understand that support chat correctly we still would be able to choose:

https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1762753#M74989

However: Since 2 days I am unable to use the old authentication mechanism even without 2FA enabled with my accounts :-( I tried to re-write the code so that it is using the new API but I am not yet successful. Seems that we now also need to consider the cookies in all requests. Still trying to get it working, however it is try & error as I am not really a Python programmer ;-)

[katzenbaer]

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

[m0urs]

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

It seems they are now only using the new API which can be used with and without 2FA. I am currently trying to implement the new API without 2FA so that I can use my scripts again. However, as I said before, I am not a programmer and I cannot promise if I am successful ;-)

[m0urs]

Bad news :-(

As part of our efforts to continually evolve and further strengthen our privacy and security practices, Arlo announced it will now require all users to use two-factor authentication when logging into their Arlo account. The new security mandate will go into effect for new users in Q2 of 2020, and will require existing Arlo users to enable the feature on their current Arlo accounts by end of year. While Arlo has strongly encouraged its users to enable two-factor authentication since its introduction, Arlo believes requiring this added layer of security is yet another measure we can take to help our users safeguard their accounts and their data.

Arlo Team

[apsteinmetz]

Well this really sucks, but I predicted it. I registered my displeasure on the Arlo forum. It would have been nice to get some notice. Now I am scrambling to find an alternative hardware/software solution. Thanks, everyone, for your efforts to try and work around this.

[nst2020]

well seems there are some fixes out. Hope we can use it for this lib.

https://github.com/twrecked/pyaarlo

[jeffreydwalter]

@nst2020 they are just logging into your mailbox and polling for the 2FA email to get the token. That is the approach I am also planning on. Have been busy, was hoping someone in the community would take some initiative and make a PR. If not, I'll probably have time in the next week or two.

[m0urs]

As I said, I am currently working on changing the script to use the new API as even without 2FA it is no longer working for me for some days ... I also do have some code for 2FA in it, but currently only for playing (I need to put in the second factor manually, just to see how it works). I was planning to get the second factor via SMS as I do have another machine which can receive SMS.

Nevertheless, if you would be able to make "real" code even better ;-) Let me know before you start so maybe I can give you at least what I already have. Maybe you can re-use something ...

[m0urs]

I adapted the code so that it now uses the new Authentication API and added also some proof of concept code for using 2FA.

However, currently you need to put in the second factor sent by SMS manually. It needs more work now to automate that.

At least I can now use my script again 8without 2FA) as Arlo seems to have stopped authentication with the older API a few days ago.

You find my code here. Maybe you can use parts for your own.

https://github.com/m0urs/arlo-cl

[death2all110]

@m0urs

Thank you for this. I'm trying to implement the changes you made so I can run my download script again, and it seems to authenticate, but every time it runs it just passes 'success' and doesn't do anything else. Any chance you can help with that?

PS E:\Arlo> python .\arlo-download.py
[DEBUG] (MainThread) Starting new HTTPS connection (1): ocapi-app.arlo.com:443
[DEBUG] (MainThread) https://ocapi-app.arlo.com:443 "POST /api/auth HTTP/1.1" 200 None
'success'
PS E:\Arlo>

[m0urs]

@death2all110 I can have a look if you provide me with your full script which you are using. If you like you can mail me directly as this does not really fit to the 2FA issue here ... Mail address see my Github profile.

[huberda]

@m0urs Thanks a lot for your pre-work implementing the new api-endpoints! I was wondering why my scripts weren´t working with my home automation as i noticed that arlo now enters the passwods base64 and also new endpoints are targeted. I just implemented your changes and it works like a charm!!!

@death2all110 Please notice that @m0urs changed also requests.py and eventstream.py! If you are running your own scripts with Arlo.py, dont forget to encode the password.

from Arlo import Arlo

from datetime import timedelta, date
import datetime
import sys
import base64

pw = 'plainPW'
USERNAME = 'you@mail'
PASSWORD = str(base64.b64encode(pw.encode("utf-8")), "utf-8")

try:
    arlo = Arlo(USERNAME, PASSWORD)
    basestations = arlo.GetDevices('basestation')   
    modes = arlo.GetModes(basestations[0])

[jeffreydwalter]

@m0urs are you planning on making a PR for your changes? It would be greatly appreciated by everyone that uses the library.

[m0urs]

@jeffreydwalter As I did only adapt some of the functions in Arlo.py yet, I would not yet like to create a PR. I am currently working with @death2all110 who is using some more functions and will adapt my version of Arlo.py accordingly. But that will not include all functions. Do you think it make sense to merge my changes even if they are not yet complete? Maybe, because currently the whole script seems no longer work at all. What do you think?

[apsteinmetz]

Thanks for updating this! Is there a lag in the package deployment becuase I don't seem to be updating?

>pip install arlo
 Requirement already satisfied: arlo in c:\users\arthur\appdata\local\programs\python\python38\lib\site-packages (1.2.33)

[jeffreydwalter]

Try upgrading: pip install arlo --upgrade

$ pip install arlo --upgrade
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting arlo
  Downloading https://files.pythonhosted.org/packages/81/43/694016dcd05a02762bf05b19ed09bd22780b9f8d578cf82cd0e2c82e87ec/arlo-1.2.35-py2.py3-none-any.whl
Requirement already satisfied, skipping upgrade: requests in /usr/local/lib/python2.7/site-packages (from arlo) (2.22.0)
Requirement already satisfied, skipping upgrade: PySocks in /usr/local/lib/python2.7/site-packages (from arlo) (1.7.1)
Requirement already satisfied, skipping upgrade: monotonic in /usr/local/lib/python2.7/site-packages (from arlo) (1.5)
Requirement already satisfied, skipping upgrade: sseclient==0.0.22 in /usr/local/lib/python2.7/site-packages (from arlo) (0.0.22)
Requirement already satisfied, skipping upgrade: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (1.25.6)
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2019.9.11)
Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<2.9,>=2.5 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2.8)
Requirement already satisfied, skipping upgrade: six in /usr/local/lib/python2.7/site-packages (from sseclient==0.0.22->arlo) (1.12.0)
Installing collected packages: arlo
  Found existing installation: arlo 1.2.30
    Uninstalling arlo-1.2.30:
      Successfully uninstalled arlo-1.2.30
Successfully installed arlo-1.2.35

[nst2020]

thx Jeff for updating this! works like a charm!!!. not sure but seems also to be faster now.

cheers. one beer for u

[apsteinmetz]

Woo hoo! back in business. Thanks so much!

[twratl]

In regards to MFA, I think there is a solution possible without a script requiring access to your mailbox. From what I can tell only push notifications and SMS messages are options (could be wrong). I did a quick test with SMS going to a Google Voice number and got the message. I have Google Voice set up to forward to my email (I think the only option for email address is the one associated with your Google Voice account).

I could envision a simple little AWS Lambda/SES/Dynamo/S3/API Gateway system that could help with parsing out the MFA code. Perhaps it could even be a "service" that others could use. The process would be Arlo MFA -> SMS Google Voice -> your email inbox -> autoforward rule set up to forward Arlo MFA messages to an email address behind AWS SES -> Lambda parses out the MFA code and stores in S3 -> Arlo python script queries S3 for the code. I would need to work out the details but this seems quite possible.

While folks could roll their own implementation of this, I think it may make more sense as a service being offered. I could build a prototype and host it - i can't imagine this would cost more than $1-$2 a month at most. Of course it would be best effort and no guarantee of up time.

The Arlo python script would (still thinking through the details) make a call to this service and pass in the email address the email will be forwarded from (likely SHA256 of the email so the service doesnt have to store plaintext emails) and a UUID. The return would be a presigned S3 URL (good for 1-2 minutes). The S3 object key would be in the form of - so the object is unique to the caller. And the object would be deleted after a short period of time as well.

Then the script performs authentication to Arlo as normal and the MFA process is kicked off, resulting in an email being sent to this service (via the Google Voice process noted above). Then the service performs SHA256 on the sender email address, finds the associated UUID, parses out the MFA, and saves the code to the S3 object.

As that is happening the python script polls every 1-2 seconds checking if the code has made it into the S3 object. Once the code is available it makes the Arlo API call with the code to advance the authentication.

Still thinking through all the details of course.

If there is interest in the community, I can try to prototype this out.

[katzenbaer]

Unless a TOTP option is added, I think support will need to be added to MITM the token like what @twratl suggested. For those that already pay for a Twilio line, setting up a daemon or polling for the text message could be an alternative option to using GVoice SMS -> Email forwarding.

[twratl]

Yeah. An OTP would be ideal. Then pyotp could easily be used to solve the MFA issue. Maybe that is a worthwhile petition to Arlo to offer OTP as an option. It is arguably more secure than SMS.

[giejay]

Just checking, wouldn't using a Tasker plugin and an Android phone also help with two factor authentication? By using Auto notification, I can quite easily click the approve button, every time a login takes place. Or am I overlooking something?

Edit: Modified the code a bit to use Push authentication instead of SMS, created a tasker profile to select approve automatically and it works within 5 seconds

[twratl]

I have a working implementation of MFA using SMS. After reviewing the API I see now how the email option is implemented so I am going to adapt my code to use email (which is always going to be an option for everyone I would imagine) instead of SMS. This would eliminate the need for Google Voice or equivalent.

My solution is an AWS serverless solution and is a 2 stage process (a pre-stage process which gives you a URL to query every second until the code shows up, and an out-of-band process that accepts and parses the MFA email and saves the OTP code).

[twratl]

Ok. I switched over to using email for MFA instead of SMS. The code and process to implement is here: https://github.com/twratl/arlo-mfa-aws. I welcome feedback. I have this working successfully in my application (although I turned off MFA for now since it isn't yet a requirement).

You will need a couple things like a domain and an AWS account.

[huberda]

Dear @twratl, i am currently worried about 2FA, because this will kill my current setup enabling alro-modes with my home automation. I had a look at your solution and really like this approach, big thanks for that!

I try to keep all my data (except arlo videos) @home, thats why i am thinking about a different approach: Running arlo.py already requires a local machine (in my case raspbian box). It should be possible to clone the linked email-inbox e.g. via imapbox to the local disk as json and then directly fullfil the 2FA request for arlo.py. Do you see any issues following this approach? I think then we can skip using a aws-account + dns and....maybe?

Best regards, Daniel

[twratl]

@huberda, thanks for reaching out. I will say that the solution I built for AWS stores VERY little info and it is wiped within a day IIRC. My Arlo automation runs from AWS Lambda, hence my AWS solution.

However if you want to pursue a fully "on prem" solution, I don't see why the same high level process could not be adapted. You would still source the second factor via email likely and then using imap you can check for the arrival of the message in the inbox and parse out the MFA code which you then provide to the Arlo API.

You would need to roll your own logic for the IMAP piece but it seems rather straightforward (check inbox for messages in the last 1 minute from the Arlo address as an example). Not sure imapbox is needed although it could work I guess. I was thinking just a direct imap call to your inbox.

[huberda]

@twratl: Thanks for your reply! I fully agree, i just tought about a user-friendly way to implement 2FA without additional components. I guess that many users of arlo.py are maybe not informed about 2FA impact on the API and this issue will pop-up during the planned enforcement.

Regarding IMAP i will check for a good solution (direct IMAPClient or existging module) - regarding logic i am thinking about a timeout loop that could be configured (e.g. check inbox x times for mails in last y minutes) for MFA code.

I will have a look on this within the next weeks...

[phoenixaus]

Hi Guys,

I have been able to obtain the MFA code from SMS or email and save it into a txt file. This was done using software called integromat, which you should be able to access on the free tier. I'm happy to help anyone that wants to go that way.

Unfortunately, I'm lacking in the skill set to adapt the code the Jeffrey has written to import this in. At this stage I'm trying to find a way to ideally force the email option of MFA (as this isn't relying on a sim service to be active), then read the contents of a file saved in dropbox called MFA.TXT which would contain the code. I would assume that there would need to be a pause between the request stage and accessing with the MFA code.

[booi]

Hi guys, not sure if anybody still uses this library but I opened a PR #160 for automatic request and retrieval of 2FA tokens from a gmail account and restores the ability to use this library.

After reading this thread it seems like there also needs to be a corresponding update to read from the new API but perhaps this gets us half-way? It sounds like there has been some progress on using the new API.

This technique requires users to set up an OAuth client for accessing gmail via google's api. At the very least it does not require a twilio/google voice or AWS integration and accessing google's api is free for any gmail account.

[booi]

If there is interest, I would also be open to running a service on heroku or something that can do this automagically. There is a good amount of security required in this scenario though since it requires read access to the gmail account. We could open source it

[m0urs]

In the meantime I have moved to another Python library as base for my house automation control for Arlo: https://github.com/m0urs/arlo-fhem

[ptkmora]

Hi. I would like to log-in in Arlo library and download the videos locally. I had a script for that, but stopped working at beginning of May with the error: "403 Client Error: Forbidden for url: https://ocapi-app.arlo.com/api/auth". This must be related with the 2FA issue of this post, I presume.

May I ask if there is a solution to log-in with 2FA, which I can integrate in my previous .py code? (I studied this post, but I could not find a solution easy enough for my limited knowledge of python)

download_Arlo.py.PASSWORD_CANCELED.txt

The .py is called by this simple bash script: archive_Arlo_2.sh.txt

Many thanks in advance if anybody can help on this.

[huberda]

Dear @ll,

i am still struggeling with all arlo-libraries (also pyarlo and arlo-fhem). It seems that cloudflare broke all implementations. I disabled 2FA in my arlo account, but after multiple logons via script i receive e.g. CloudflareChallengeErrors. => After reconnecting my router to ISP its working fine again for 4-5 script-runs.

I already investigated a lot of time to get a stable and working script, but without success. Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I am currently thinking about to sell my whole arlo setup, because this really su..... => and also netgear is not customer oriented!

Best regards!

[booi]

I took a small peek at the work required to get this integration working again and I don't think Arlo is the way forward for me personally. It would be easier (and cheaper!) to replace this setup than to try to shoehorn a new integration. @jeffreydwalter I don't know if you're still around but what did you end up doing?

[jeffreydwalter]

@huberda @booi the issue you guys are having is related to the requests library in Python 3.x. It's broken.

This library works fine if you disable Arlo 2FA and use Python 2.7.

[m0urs]

Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I tested with 2FA enabled which has been working as well. However, currently I am running without 2FA and it is very stable for me using my https://github.com/m0urs/arlo-fhem.

[m0urs]

Seems that they just changed something, at least if you are using 2FA with non-english langauge: https://github.com/twrecked/pyaarlo/issues/63#issuecomment-847873225

[huberda]

Thanks @jeffreydwalter; using python2.7 without tfa works fine for me again. I already moved all scripts to python3 in the past, so i never tried to downgrade it again.

[jeffreydwalter]

I've got an issue open with the requests project. They have acknowledged the regression, but it's not clear if they consider it a bug. Basically, Arlo's Cloudflare proxy is blockin flagging all requests from the python 3 requests library as a bot... I'll put together a fix for this soon.