mrjackyliang / homebridge-adt-pulse

Homebridge security system platform for ADT Pulse
Apache License 2.0

Cannot Login to ADT Pulse with Multi-Factor Authentication Enabled #51

Closed kmnedd closed 2 years ago

kmnedd commented 2 years ago

Hi Jacky,

ADT is in the process of requiring Multi-factor Authentication to log into the portal. My account was converted. My plugin no longer can access my account with just my login credentials. Is there a way to address this within the plugin?

The MFA process sends a code (email or sms) at the first log-in attempt once it has been enabled. You have to enter the code along with a preference for always allowing the device to be recognized. I did this via the browser on the device. No luck in helping the plugin connect.

Thanks, Kevin

mrjackyliang commented 2 years ago

Hi Kevin, can you tell me which version you are using?

mrjackyliang commented 2 years ago

And if you are able to, please send some screenshots over because I did not find any multi-factor authentication setting in the portal.

kmnedd commented 2 years ago

MFA is initiated via the smartphone app. Once you set it up there, it will carry over to the portal.

Kevin

On Aug 25, 2021, at 5:47 PM, Jacky Liang @.***> wrote:

> And if you are able to, please send some screenshots over because I did not find any multi-factor authentication setting in the portal.

kmnedd commented 2 years ago

I am using the latest version of the plug-in.

Kevin

On Aug 25, 2021, at 5:42 PM, Jacky Liang @.***> wrote:

> Hi Kevin, can you tell me which version are you using?

mrjackyliang commented 2 years ago

Oh darn. Multi-factor authentication would be pretty hard to do.

mrjackyliang commented 2 years ago

Are you able to create a new user in the web portal? And then login with that instead?

kmnedd commented 2 years ago

Jacky,

I was able to create a new user in the web portal. The new user ID and password is working in the plugin. I won’t upgrade this ID to MFA. Thanks for your advice.

Kevin

From: Jacky Liang @.> Date: Wednesday, August 25, 2021 at 7:20 PM To: mrjackyliang/homebridge-adt-pulse @.> Cc: kmnedd @.>, Author @.> Subject: Re: [mrjackyliang/homebridge-adt-pulse] ADT Pulse Multi-Factor Authentication (#51)

> Are you able to create a new user in the web portal? And then login with that instead?

mrjackyliang commented 2 years ago

Phew. I thought it was going to be the end of ADT Pulse

gdavids57 commented 2 years ago

Kevin - can you explain how you managed to create a new user without enabling MFA? As soon as I created a new user in the ADT Pulse Portal, the process went to a screen in which I had to select an MFA method (email, sms or voice) to receive the confirmation code.

kmnedd commented 2 years ago

1. On the summary page, click on your user name in the upper right-hand corner (next to the “Welcome”).
2. On the next page, click “users” in the system sub menu.
3. Add a user by putting in an email address that will send an invite to the address.
4. Check your email and follow the link to establish a user account. This should not ask you for MFA once it is created.
5. I now use this user ID for the plug-in.

Kevin

On Aug 28, 2021, at 3:55 PM, gdavids57 @.***> wrote:

> Kevin - can you explain how you managed to create a new user without enabling MFA. As soon as I created a new user in the ADT Pulse Portal, the process went to a screen in which I had to select a MFA method (email, sms or voice) to receive the confirmation code.

mrjackyliang commented 2 years ago

Hey all,

Not sure if this works at all, but I noticed when I logged in on my non-2FA account and skipped force 2FA using the links below, it helped the plugin regain responsiveness.

https://portal.adtpulse.com/myhome/mfa/mfaSignIn.jsp?workflow=initialSetup&shouldForceMfaSetup=false

abolians commented 2 years ago

Has anyone had issues with their IP being blacklisted after multiple logins with the non 2FA account?

abolians commented 2 years ago

```
ADT Pulse: Logging in...
ADT Pulse: Response path -> /myhome/21.0.0-354/access/signin.jsp
ADT Pulse: Response path matches -> true
ADT Pulse: Web portal version -> 21.0.0-354
ADT Pulse: Response path -> /myhome/21.0.0-354/access/signin.jsp
ADT Pulse: Response path matches -> false
ADT Pulse: Login failed.
```

mrjackyliang commented 2 years ago

Are you using ADT Control or ADT Pulse? Because the plugin takes a break if it sees that you try to login to your account unsuccessfully multiple times

abolians commented 2 years ago

ADT Pulse. I disabled your plugin and retried web login with the 2FA=False URL and after multiple tries it worked. Re-enabled plugin and it was able to login successfully. Something fishy is happening. Will try to debug more and come back with more information

On Oct 8, 2021, at 1:26 PM, Jacky Liang @.***> wrote:

> Are you using ADT Control or ADT Pulse? Because the plugin takes a break if it sees that you try to login to your account unsuccessfully multiple times. This does not include 2FA

mrjackyliang commented 2 years ago

Haha. It's super odd. After I did that a few times on the browser, it didn't ask me for a 2FA requirement anymore.

Fergie2020 commented 2 years ago

Having no luck with everyone’s ideas on getting the plugin to work again. 2FA is asked on all devices no matter what. I tried adding a new username and still doesn’t work.

This sucks! By far my favorite plugin.

mrjackyliang commented 2 years ago

> Having no luck with everyone’s ideas on getting the plugin to work again. 2FA is asked on all devices not matter what. I tried adding a new username and still doesn’t work.
>
> This sucks! By far my favorite plugin.

Did you ever happen to try the URL multiple times? On an account that doesn't have 2FA

mrjackyliang commented 2 years ago

From my perspective, looks like the plugin is about to be history 🥲 I did some research on migrating to Envisalink and just use AlarmGrid or something.

Fergie2020 commented 2 years ago

Yes, tried the multiple URL option several times and also created another username/password but I think ADT fixed some of the holes we found because I am being asked the same question to enable 2FA.

mrjackyliang commented 2 years ago

> Yes, tried the multiple URL option several times and also created another username/password but I think ADT fixed some of the holes we found because I am being asked the same question to enable 2FA.

It's going to be like that on a continued basis. My best guess is to use one account that does not have 2FA (logged in on official app and plugin), and then try it that way. You might need to refrain from opening the ADT app or website unless needed.

abolians commented 2 years ago

Here is what has worked for me so far:

* Using your main account, create a "service account" and give access to the zone.
* Activate service account from email link and Login once ONLY after activation using the web portal with the service account to setup recovery questions.
* After that never login with the service account on the web portal again.
* Setup the username and password in HB and restart.

If/when 2FA gets triggered again on the service account:

* Disable plugin so your IP doesn't get blacklisted due to multiple auth attempts
* Restart HB
* Login to web portal using the main account
* Go to users and remove access to the zone from the service account and save. The service account will disappear.
* Using the give access to existing account under create account option re enable the zone for the service account. This should disable 2FA again.
* Restart HB

Good Luck!

On Wed, Oct 20, 2021 at 5:37 AM Jacky Liang @.***> wrote:

> > Yes, tried the multiple URL option several times and also created another username/password but I think ADT fixed some of the holes we found because I am being asked the same question to enable 2FA.
>
> It's going to be like that on a continued basis. My best guess is to use one account that does not have 2FA (logged in on official app and plugin), and then try it that way. You might need to refrain from opening the ADT app or website unless needed.

gdavids57 commented 2 years ago

As an alternative to the ADT portal integration, I'm investigating local integration using a keypad emulator connected to a security panel. This emulator is, in turn, integrated into Homekit via the homebridge-alarmdecoder-platform plug-in. The emulator is an Alarm Decoder pHat attached to a Raspberry Pi Zero W.

mrjackyliang commented 2 years ago

> As an alternative to the ADT portal integration, I'm investigating local integration using a keypad emulator connected to a security panel. This emulator is, in turn, integrated into Homekit via the homebridge-alarmdecoder-platform plug-in. The emulator is an Alarm Decoder pHat attached to a Raspberry Pi Zero W.

Yeah, I am in the process of determining if I should use Alarm Decoder or Envisalink. They both seem viable

Danimal4326 commented 2 years ago

I've been hacking up the api.js to create a cli application to allow to enter the MFA code from email and register the device. I'm hoping it would carry over and you won't need to enter the MFA code for a while. So far I've gotten it to log in correctly, but I haven't been able to get it to accept the "Register this device" form yet.

gdavids57 commented 2 years ago

I've found the Alarm Decoder solution very effective. It takes less than a second for the security panel to respond. The documentation leaves much to be desired but using the alarm decoder raspberry os image helps the installation go smoothly.

Danimal4326 commented 2 years ago

Ok, I think I may have a solution. stay tuned for pull request.

mrjackyliang commented 2 years ago

> I've found the Alarm Decoder solution very effective. It takes less than a second for the security panel to respond. The documentation leaves much to be desired but using the alarm decoder raspberry os image helps the installation go smoothly.

my long term goal was to get rid of ADT. it's only cause I'm tied into this 3 year contract. So sad

mrjackyliang commented 2 years ago

> Ok, I think I may have a solution. stay tuned for pull request.

Sure thing!

mrjackyliang commented 2 years ago

Also, with CLI based, were you able to make it work with HOOBS? Or is it more like the plugin forces a 2FA code, and then you put the 2FA code into the configuration

Danimal4326 commented 2 years ago

Actually my original idea was to use the CLI to register the plugin with the website.
I ended up scrapping this idea and used a solution from pyadtpulse

Danimal4326 commented 2 years ago

63 submitted

Danimal4326 commented 2 years ago

So far everything is running well. No disconnections. Has anyone else tried my fork or the pull request I submitted?

kmnedd commented 2 years ago

Can you state in laymen’s terms how you got this to work?

Kevin

On Oct 30, 2021, at 6:21 PM, Danimal4326 @.***> wrote:

> So far everything is running well. No disconnections. Has anyone else tried my fork or the pull request I submitted?

Fergie2020 commented 2 years ago

Please do!

On Oct 30, 2021, at 9:12 PM, kmnedd @.***> wrote:

> Can you state in laymen’s terms how you got this to work?
>
> Kevin
>
> On Oct 30, 2021, at 6:21 PM, Danimal4326 @.***> wrote:
>
> > So far everything is running well. No disconnections. Has anyone else tried my fork or the pull request I submitted?

kmnedd commented 2 years ago

I have located the fingerprint.

@Jacky - are you going to modify the plug-in to include the fingerprint as an input parameter?

Kevin

On Oct 30, 2021, at 6:21 PM, Danimal4326 @.***> wrote:

> So far everything is running well. No disconnections. Has anyone else tried my fork or the pull request I submitted?

mrjackyliang commented 2 years ago

I will review the code soon!

kmnedd commented 2 years ago

Any update? We can’t use the app right now.

Kevin

On Oct 31, 2021, at 12:23 AM, Jacky Liang @.***> wrote:

> I will review the code soon!

delperdj commented 2 years ago

> Actually my original idea was to use the CLI to register the plugin with the website. I ended up scrapping this idea and used a solution from pyadtpulse
>
> * You use your normal browser to log in with MFA and select the "register browser" option.
> * After you log in, then log out.
> * Log back in on your browser with dev-tools open. Look for the POST sent with your username/password. There should be a `fingerprint` field in there. Use that in the homebridge configuration.
>
> That's it. Not sure how long the fingerprint is viable for, but it's pretty trivial to re-generate.

Thanks for this ^ btw!!!! Within 10 minutes of seeing this, I got mine up and running perfectly. Thank you!!!!

kmnedd commented 2 years ago

I have the fingerprint. How do you obtain a version of the app that will allow you to use it in the configuration?

Kevin

On Nov 2, 2021, at 9:55 AM, delperdj @.***> wrote:

> > Actually my original idea was to use the CLI to register the plugin with the website. I ended up scrapping this idea and used a solution from pyadtpulse
> >
> > * You use your normal browser to log in with MFA and select the "register browser" option.
> > * After you log in, then log out.
> > * Log back in on your browser with dev-tools open. Look for the POST sent with your username/password. There should be a fingerprint field in there. Use that in the homebridge configuration.
> >
> > Thats it. Not sure how long the fingerprint is viable for, but its pretty trivial to re-generate.
>
> Thanks for this ^ btw!!!! Within 10 minutes of seeing this, I got mine up and running perfectly. Thank you!!!!

delperdj commented 2 years ago

I used the Terminal provided and used VI to edit the 3 files needed to be able to plug in the fingerprint in the configuration.

* api.js
* config.schema.json
* index.js

^ you can find these were changed and what was changed in the pull request above @kmnedd

kmnedd commented 2 years ago

Above my skill level. I’ll wait for Jacky to modify the published app.

Kevin

On Nov 2, 2021, at 10:58 AM, delperdj @.***> wrote:

> I used the Terminal provided and used the VI to edit the 3 files needed to be able to plug in the fingerprint in the configuration.
>
> api.js config.schema.json index.js ^you can find these were changed and what was changed in the pull request above @kmnedd

Danimal4326 commented 2 years ago

you can also pull my fork on your homebridge install:

if you have a local (non-docker) homebridge, you can do

```
sudo npm -g install https://github.com/Danimal4326/homebridge-adt-pulse.git
```

You'll need to update to official version later.

For docker installs, you need to go to your homebridge docker storage folder (where config.json is stored). There you'll see a node_modules folder, which contains all your plugins. In the homebridge folder, run

```
npm install https://github.com/Danimal4326/homebridge-adt-pulse.git
```

kmnedd commented 2 years ago

Thank you! Had it up and running in two minutes!

Kevin

On Nov 2, 2021, at 1:36 PM, Danimal4326 @.***> wrote:

> you can also pull my fork on your homebridge install:
>
> if you have a local (non-docker) homebridge, you can do sudo npm -g install https://github.com/Danimal4326/homebridge-adt-pulse.git
>
> You'll need to update to official version later.
>
> For docker installs, you need to go to your homebridge docker storage folder (where config.json is stored) There you'll see a node_modules folder, which contains all your plugins. In the homebridge folder , run npm install https://github.com/Danimal4326/homebridge-adt-pulse.git

mrjackyliang commented 2 years ago

Wow took some time to debug the fingerprint and I got it working! The trick is to replace the %3D with =
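
Why `%3D` had to become `=`: a value copied from the raw POST body is still form-encoded. This added example (not the plugin's code, nor anyone's in this thread) decodes it with the form-body rules and checks the result; the sample body, the field names other than `fingerprint`, and the assumption that the decoded value is base64 text are constructed here.

```javascript
'use strict';

// Constructed sample of a raw sign-in POST body as copied from browser dev-tools.
// Only the `fingerprint` field name comes from the thread; the other names and
// every value are made up for this example.
const SAMPLE_BODY =
  'userField=kevin%40example.com&passField=not-a-real-password' +
  '&fingerprint=eyJkZW1vIjoiY29uc3RydWN0ZWQgdmFsdWUifQ%3D%3D';

// Extract one field from an application/x-www-form-urlencoded body.
// URLSearchParams applies the form decoding rules, so %3D comes back as "=".
function fieldFromFormBody(rawBody, name) {
  const value = new URLSearchParams(rawBody).get(name);
  if (value === null) throw new Error(`field "${name}" not found`);
  return value;
}

// Accept a fingerprint pasted either decoded or still percent-encoded.
// Assumption: the decoded value is base64 text (the trailing "=" suggests padding).
function normalizeFingerprint(pasted) {
  const trimmed = pasted.trim();
  const decoded = /%[0-9A-Fa-f]{2}/.test(trimmed)
    ? decodeURIComponent(trimmed)
    : trimmed;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(decoded) || decoded.length % 4 !== 0) {
    throw new Error('fingerprint is not well-formed base64 after decoding');
  }
  return decoded;
}

// The fingerprint lets a login skip the MFA prompt, so keep it out of logs.
function redactFingerprint(fp) {
  return `${fp.slice(0, 4)}...(${fp.length} chars)`;
}

const fromBody = fieldFromFormBody(SAMPLE_BODY, 'fingerprint');
console.log(redactFingerprint(normalizeFingerprint(fromBody)));
```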

mrjackyliang commented 2 years ago

v2.1.0 is now released. Instructions on how to obtain the fingerprint are inside the README.md file.

jim-at-miramontes commented 2 years ago

> Has anyone had issues with their IP being blacklisted after multiple logins with the non 2FA account?

Yes -- I'm getting back a 429 Too Many Requests error from the backend. If I change my IP address with a VPN, I can get through. ADT tech support is extremely clueless about this, but I have a phone call scheduled on Nov 10 with a higher-level tech. I'll report back if/when I learn anything.

kmnedd commented 2 years ago

ADT has patched up the holes making non 2FA accounts a non starter. You are better off using a 2FA account with the new release that allows you to input a fingerprint.

From: Jim Miller @.> Date: Monday, November 8, 2021 at 1:55 PM To: mrjackyliang/homebridge-adt-pulse @.> Cc: kmnedd @.>, Mention @.> Subject: Re: [mrjackyliang/homebridge-adt-pulse] Cannot Login to ADT Pulse with Multi-Factor Authentication Enabled (#51)

> > Has anyone had issues with their IP being blacklisted after multiple logins with the non 2FA account?
>
> Yes -- I'm getting back a 429 Too Many Requests error from the backend. If I change my IP address with a VPN, I can get through. ADT tech support is extremely clueless about this, but I have a phone call scheduled on Nov 10 with a higher-level tech. I'll report back if/when I learn anything.

ibogost commented 2 years ago

> > Has anyone had issues with their IP being blacklisted after multiple logins with the non 2FA account?
>
> Yes -- I'm getting back a 429 Too Many Requests error from the backend. If I change my IP address with a VPN, I can get through. ADT tech support is extremely clueless about this, but I have a phone call scheduled on Nov 10 with a higher-level tech. I'll report back if/when I learn anything.

Update the plugin; it should address this.

You'd probably be better off figuring out how to lease a new IP from your internet provider than dealing with ADT tech support, however. Sometimes unplugging your modem for a night or a day will do it, or else, downlink it to a different machine and reboot both.

> ADT has patched up the holes making non 2FA accounts a non starter. You are better off using a 2FA account with the new release that allow you to input a fingerprint.

Right, but, users might still want to login to the Portal normally to manage it, without a VPN. It's possible ADT will lift its blocks after a period of time, but I'm not sure.

jim-at-miramontes commented 2 years ago

> > > Has anyone had issues with their IP being blacklisted after multiple logins with the non 2FA account?
> >
> > Yes -- I'm getting back a 429 Too Many Requests error from the backend. If I change my IP address with a VPN, I can get through. ADT tech support is extremely clueless about this, but I have a phone call scheduled on Nov 10 with a higher-level tech. I'll report back if/when I learn anything.
>
> Update the plugin; it should address this.

FWIW, I'm running 2.1.1. This smells like a backend issue (ADT clumsily looking for and blocking hacking attempts), but I could easily be wrong.
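
The plugin-side pause after repeated failed logins and the `429 Too Many Requests` responses discussed in this thread, as an added example (not the plugin's own code): a gate that classifies each sign-in response, backs off exponentially, honors `Retry-After`, and stops retrying once only a human can complete MFA. The thresholds, the event list and the rule that any other path means success are assumptions; the two path shapes are the ones quoted in the thread.

```javascript
'use strict';

// Classify the portal's answer to a sign-in POST from the HTTP status and final path.
// Assumption: any path other than the two shapes quoted in the thread means success.
function classifyLoginResponse(status, path) {
  const p = path.split('?')[0];
  if (status === 429) return 'rate-limited';
  if (/\/access\/signin\.jsp$/.test(p)) return 'rejected';      // bounced back to sign-in
  if (/\/mfa\/mfaSignIn\.jsp$/.test(p)) return 'mfa-required';  // needs a human
  return 'signed-in';
}

class LoginGate {
  // Hypothetical defaults, not values taken from the plugin.
  constructor({ maxFailures = 3, baseDelayMs = 60000, maxDelayMs = 3600000 } = {}) {
    Object.assign(this, { maxFailures, baseDelayMs, maxDelayMs });
    this.failures = 0;      // consecutive unsuccessful attempts
    this.nextAllowedAt = 0; // time (ms) before which no attempt is made
    this.halted = false;    // true once retrying cannot succeed on its own
  }

  canAttempt(now) {
    return !this.halted && now >= this.nextAllowedAt;
  }

  record(outcome, now, retryAfterSeconds = 0) {
    if (outcome === 'signed-in') {
      this.failures = 0;
      this.nextAllowedAt = 0;
      return;
    }
    if (outcome === 'mfa-required') {
      this.halted = true; // more attempts only add to the failed-login count
      return;
    }
    this.failures += 1;
    const over = this.failures - this.maxFailures;
    let pause = 0;
    if (outcome === 'rate-limited' || over >= 0) {
      pause = Math.min(this.baseDelayMs * 2 ** Math.max(over, 0), this.maxDelayMs);
    }
    // A server-supplied Retry-After always wins over a shorter local pause.
    if (outcome === 'rate-limited') pause = Math.max(pause, retryAfterSeconds * 1000);
    this.nextAllowedAt = now + pause;
  }
}

// Constructed timeline of attempts (times in ms); not captured traffic.
const SIGNIN = '/myhome/21.0.0-354/access/signin.jsp';
const SAMPLE_EVENTS = [
  { at: 0, status: 200, path: SIGNIN },
  { at: 1000, status: 200, path: SIGNIN },
  { at: 2000, status: 200, path: SIGNIN },      // third failure starts a 60 s pause
  { at: 30000, status: 200, path: SIGNIN },     // inside the pause
  { at: 62000, status: 429, path: SIGNIN, retryAfter: 300 },
  { at: 200000, status: 200, path: SIGNIN },    // inside the Retry-After window
  { at: 362000, status: 200, path: '/myhome/mfa/mfaSignIn.jsp?workflow=initialSetup' },
  { at: 9999999, status: 200, path: SIGNIN },   // gate is halted
];

// Feed events through a gate; 'skipped' marks attempts the gate suppressed.
function replay(gate, events) {
  return events.map((e) => {
    if (!gate.canAttempt(e.at)) return 'skipped';
    const outcome = classifyLoginResponse(e.status, e.path);
    gate.record(outcome, e.at, e.retryAfter);
    return outcome;
  });
}

console.log(replay(new LoginGate(), SAMPLE_EVENTS));
```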