natekspencer / hacs-vivint

Home Assistant integration for a Vivint home security system.
MIT License

Integration now requiring 2FA #12

Status: Closed (closed by mat1583 2 years ago)

mat1583 commented 3 years ago

Currently the integration is unable to log into my API user, and I am getting spammed with authentication verification codes in both email and the Vivint app. I had to disable the integration so I stopped getting spammed. This may be a bug from Vivint's end of things, but now it appears that the integration is requiring two-factor authentication when logging in. I checked my API user using their app, and two factor authentication was not enabled. I tried to fix the issue by enabling it then disabling it to see if perhaps they accidentally set a default value for all users. That did not work.

kksligh commented 3 years ago

Same here - been trying to log onto the Vivint main website and it's been in maintenance most of the day. Hopefully this isn't permanent.

mat1583 commented 3 years ago

@kksligh ah, I didn't see that their main site was down. I usually only log in from the app, which still seems to be functional. This should probably be kept open for the time being in case it's a new 'feature' they're deploying or some code changes in their base that require changes here.

dspille commented 3 years ago

Interesting. I'm not seeing any issues with hacs-vivint. The Vivint iOS app seems to be working, too, although I am seeing the main website is down. Following your issue.

natekspencer commented 3 years ago

The Vivint website and app have been struggling since yesterday, depending on when you happen to try to access them. If your token expires during this weird period and hacs-vivint tries to re-authenticate, you'll likely start seeing the MFA issue. Right now, I won't modify anything until Vivint's maintenance window is over, but I'll continue watching it as well.

kksligh commented 3 years ago

It's back out of maintenance and it's broken now. The spamming stops after you actually turn on two-factor authentication in the app. Unfortunately, the integration is broken now. I'll post logs in a minute.

RyanFried commented 3 years ago

I am experiencing this now as well. Restarted my system and got spammed with 43 verification codes. Wouldn't stop until I disabled the integration, and I don't have 2FA installed.

natekspencer commented 3 years ago

It's back in maintenance again, so I anticipate they haven't finalized the solution yet.

mat1583 commented 3 years ago

I spoke with chat. They said that they're currently trying to update the security processes (obviously), and the developers are aware of the issue and trying to fix it. They said to try again in a couple hours. I'm curious how many remote users they have that are having the issue. When I had the integration enabled just a minute ago for testing, I got like 8 emails and app notifications in a very short period of time.

kksligh commented 3 years ago

I'm shocked they've taken down their account management portal this long. They should've rolled back code a long time ago and gotten this right...makes me think they pushed something to prod that they can't roll back for whatever reason. Either way, I hope this isn't doom for this in the long run here.

apercrcl01 commented 3 years ago

I am having the same issues. Unable to log into Vivint through HA. Hopefully Vivint resolves whatever is going on soon. Natekspencer: I want to thank you for this amazing work! I'll buy you some coffees soon!

blakenorthrup commented 3 years ago

Still down. I'm chatting with them now. Will post update as soon as I find out what's going on.

blakenorthrup commented 3 years ago

Chat from Vivint (9:47 AM): I apologize for the inconvenience. It's an issue with the Online Account and App. The developers are aware of the issue and working to resolve it as quickly as possible. You can still call us at 1-800-216-5232 to update any credit card or checking account information as well as make a payment there. I am sure it will be all back to properly functioning later today, however I can not provide you an exact time for that. Thank you so much for your patience and understanding. Oscar C

DarellAdams commented 3 years ago

As I write this comment, I started up my Home Assistant and was still getting spammed with verification codes for 2FA. I had like 12 verification codes in a span of 10 minutes. Sep 3, 2021 02:00 GMT

natekspencer commented 3 years ago

I just released version 2021.9.0 that has crude support for MFA. It's not super well tested as I was trying to hurry and get something out, so there may be issues. You also will likely have to remove the current integration and then re-add it.

RyanFried commented 3 years ago

Dang! I had the integration enabled for like 10 seconds before I could remove and re-add it, got 63 emails! Testing out the new version now.

RyanFried commented 3 years ago

Perfect! Everything is working again. Thank you so much for being so responsive and making the Vivint system more useful!

mat1583 commented 3 years ago

I will give it a shot in a minute. I still think something is messed up on Vivint's end. It seems like it's erroneously always requiring MFA for remote access users for web-based logins. For instance, I can log in to the app with my API user without MFA, but when I try to log in to Vivint.com, it asks for a verification code. I tried enabling then disabling MFA for the API user. I was able to log in once to Vivint.com without it requiring MFA. I logged out and tried to log back in, then got the verification code prompt again. When I entered a valid verification code for that user, I got an Error-401. This does not happen with my admin user.

mat1583 commented 3 years ago

Notes: I am not getting the verification code through email or text for my remote user. When I try to login using my admin user, I do get the code and can login, so I still think they've fubar'd remote access users. Also, if the MFA code never works, it's impossible to disable the integration and uninstall the repository. Your only option is to re-install, but the reconfigure status still prevents disabling or removing the integration at least from mobile.

RyanFried commented 3 years ago

Interesting. My integration is working perfectly now. Maybe they fixed the problem and you actually need to enable 2fa to use the integration?

mat1583 commented 3 years ago

I do have it enabled for my API user and can login through the app. I think what happened is that support disabled all email and text notifications for that account when I originally contacted them about getting spammed.

natekspencer commented 3 years ago

Thanks for the notes, @mat1583. Normally I would try to test a myriad of variations before I released something just to try to cover as many possible variations, but I leave tomorrow morning on vacation and will be with very limited service for a week. That being said, I did try it out on my main account, as well as my API account and tested my main account with and without mfa enabled to validate those scenarios, which all worked for me. Basically what I am doing is checking if the Vivint API responds with a "401 unauthorized" and an error that states multi-factor is required. If so, then it proceeds to the MFA code screen. Then the user either automatically receives an email from Vivint or needs to check the authenticator app for the code. I plan on adding better information around that, assuming Vivint provides that detail.

I'm sure there are plenty of issues with this current release. One that I expect is having to re-authenticate on a Home Assistant restart after the initial connection session has expired. But I figured that was a minor inconvenience at the moment to have access again. Feel free to open up issues for anything you encounter though so I can tackle them when I'm back!
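The detection described in the comment above (a 401 whose error says multi-factor is required) also points at a guard against the verification-code flood reported earlier in the thread: a re-authentication loop should treat an MFA challenge as a state that needs a person, not as a retryable failure. This is an added example, not part of the thread and not code from hacs-vivint or vivintpy; the response body shape, the marker strings matched and every name in it are assumptions, and the responses are constructed.

```python
"""Classify login responses so an MFA challenge halts automatic retries."""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Tuple


class AuthOutcome(Enum):
    OK = "ok"
    MFA_REQUIRED = "mfa_required"  # needs a person to enter a code: stop
    REJECTED = "rejected"          # wrong credentials or other 4xx: stop
    TRANSIENT = "transient"        # 429 / 5xx: retry with backoff


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (hypothetical, constructed)."""
    status: int
    body: dict = field(default_factory=dict)


def classify(resp: Response) -> AuthOutcome:
    if 200 <= resp.status < 300:
        return AuthOutcome.OK
    if resp.status == 401:
        # Assumed body shape: the thread only says the 401 carries an error
        # stating that multi-factor is required, not how it is encoded.
        text = "{} {}".format(resp.body.get("error", ""),
                              resp.body.get("message", "")).lower()
        if any(m in text for m in ("mfa", "multi-factor", "multi factor")):
            return AuthOutcome.MFA_REQUIRED
        return AuthOutcome.REJECTED
    if resp.status == 429 or resp.status >= 500:
        return AuthOutcome.TRANSIENT
    return AuthOutcome.REJECTED


def reauthenticate(login: Callable[[], Response],
                   max_attempts: int = 4,
                   base_delay: float = 2.0,
                   sleep: Callable[[float], None] = time.sleep
                   ) -> Tuple[AuthOutcome, int]:
    """Call login() until it succeeds or hits a non-retryable outcome.

    Returns (outcome, number of login calls made). Only TRANSIENT results
    are retried, with exponential backoff, so an MFA challenge costs the
    user at most one verification code per re-authentication.
    """
    outcome = AuthOutcome.TRANSIENT
    for attempt in range(1, max_attempts + 1):
        outcome = classify(login())
        if outcome is not AuthOutcome.TRANSIENT:
            return outcome, attempt
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))
    return outcome, max_attempts


if __name__ == "__main__":
    # Constructed sequence: two outages, then the server starts demanding MFA.
    script = iter([Response(503), Response(503),
                   Response(401, {"error": "mfa_required"})])
    print(reauthenticate(lambda: next(script), sleep=lambda s: None))
```

A caller that receives `MFA_REQUIRED` or `REJECTED` should surface a re-authentication prompt and make no further login calls until the user responds.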

mat1583 commented 3 years ago

Thanks for the quick fix. It's working for my admin user. Vivint is still apparently working on it:

From chat: I just double checked, it seems our website is still undergoing maintenance, which may be causing these login issues. We do apologize for this, we are currently working to fix it ASAP.

We do apologize for this issue, our IT team is currently working to enhance the verification code function, we will make sure to fix it ASAP

.....

It may work on the previous version once they get their issues sorted out. Who knows. What a disaster of a release for Vivint. I'd hate to be the devs on that one!!

RyanFried commented 3 years ago

Ok, I have done some more testing now that it is the morning. Whenever HASS restarts, it gives you a notification requiring you to re-authenticate with your password and MFA code. But no settings are lost, or anything. So for now it still is a good solution.

mat1583 commented 3 years ago

Wow. Sounds like it will be at least a week before it's fixed. Makes me wonder if they had some kind of data breach and are scrambling to fix a major security flaw.

From chat support: I understand. I'm sorry to tell you that unfortunately our online account center is currently under maintenance as we have been experiencing this bug. But, our IT team is already working to solve this issue as soon as possible. This is a known issue we are aware of, most of the accounts are having the same message online. We apologize for the inconveniences this can cause and we hope it can be fixed during the week.

We recently received a communication saying it will take one more week so we hope it can be resolved by the end of this week.

007GTCS commented 3 years ago

Hi everyone, I have been sitting in the background studying this plugin and the Homebridge plugin. (https://github.com/balansse/homebridge-vivint/issues/37). Same MFA Problem.

I think I have a confirmed workaround, based off of what everyone has posted here and the other plugin. I think this boils down to two issues:

  1. MFA for Admin Users
  2. Cloudflare DNS for https://vivintsky.com/api

Issue 1 fix (Updated): Using the Vivint mobile app follow these steps in order:

  1. Create a new (non-admin) user. You will need another email address. Gmail has workarounds using . or + signs for your email.
  2. Set the User to Guest
  3. Set the user to allow mobile access
  4. Invite and Confirm User
  5. Use those account credentials for Homebridge Plugin.

Issue 2 fix: Cloudflare DNS is blocking connections to https://vivintsky.com/api. This needs to be corrected to https://www.vivintsky.com/api. (My assumption is Cloudflare has been added and doesn't have the correct redirect rules or has web application firewall protections that are hurting this routing.)

So any API connectors need the full URL: instead of https://vivintsky.com/api, it needs to be https://www.vivintsky.com/api.

Doing this fixed my connection problems on the Homebridge integration. Hope this helps you all out!

lloydbigoil commented 3 years ago

Confirmed that removal of the integration and creating a non-admin user works. Lol, I got up to 160 emails in 10 min.

blakenorthrup commented 2 years ago

Still not working for me, using non admin. It connects, but all devices show "unavailable". Totally removed the plugin, reinstalled, the whole 9 yards.

mat1583 commented 2 years ago

@blakenorthrup when configuring the new integration, do you get the setup with the username/password and also the MFA verification code dialog?

blakenorthrup commented 2 years ago

> @blakenorthrup when configuring the new integration, do you get the setup with the username/password and also the MFA verification code dialog?

Hey mat, yes. Even when I use an account without MFA or admin account. They must have baked it into their API.

kksligh commented 2 years ago

It works for me...my set up:

First you need to turn on the 2 step authentication on your vivint app under settings

You'll need to install Microsoft authentication app on a phone and use it to login into vivint with the 2-step process outside of HA.

Uninstall and reinstall the new vivint hacs release

After restart, you'll get a notification that says one of your integrations needs to be re-authenticated

Go to the vivint integration in HA and Configure - you'll login like normal and then a box will pop up asking for a code.

To get the code needed, you'll need to open the Microsoft authentication app and get the vivint code. Should look like this.

After you enter the code in HA it should be good to go.

Hope this helps. Mine is working good.

The one thing to keep in mind is every time you restart unfortunately you have to do this login every time. You'll get the same re-authentication notification and just repeat steps above.

On Thu, Sep 9, 2021 at 8:26 AM mat1583 @.***> wrote:

> @blakenorthrup when configuring the new integration, do you get the setup with the username/password and also the MFA verification code dialog?


-- Thanks,

Kale Sligh

blakenorthrup commented 2 years ago

Hey Kale, I followed all of the steps, and now my Vivint entities show "restored", but are still not available. I'll give it a while to see if they come online, but as of now, still no good.

kksligh commented 2 years ago

Dang, let me noodle on it to see if I can think of anything else.

On Thu, Sep 9, 2021 at 8:51 AM blakenorthrup @.***> wrote:

> Hey Kale, I followed all of the steps, and now my Vivint entities show "restored", but are still not available. I'll give it a while to see if they come online, but as of now, still no good.


-- Thanks,

Kale Sligh

blakenorthrup commented 2 years ago

Ok, thank you Kale, much appreciated.

blakenorthrup commented 2 years ago

Kale, I just armed my system from the app and it is now working. I was able to disarm from HA. So far so good. I will keep you posted if it goes back to unavailable.

blakenorthrup commented 2 years ago

NM, it's back to unavailable...odd stuff.

kksligh commented 2 years ago

Awesome! I was going to suggest rebooting the panel and making sure it's got the latest s/w...but great news!

On Thu, Sep 9, 2021 at 9:39 AM blakenorthrup @.***> wrote:

> Kale, I just armed my system from the app and it is now working. I was able to disarm from HA. So far so good. I will keep you posted if it goes back to unavailable.


-- Thanks,

Kale Sligh

mat1583 commented 2 years ago

I was able to log in to my account (finally!) on the main site. It required the same MFA code verification process as the integration does, so it looks like this might be here to stay. I was also able to get my remote user working. Steps:

  1. Edit users on the panel and revoke remote access to my api user.
  2. Set the phone number and email of the api user.
  3. Send invite for mobile access to the api user.
  4. Login to the Vivint app on my phone with api user and accept the invite.
  5. Delete the Vivint integration and restart HA.
  6. Re-add the Vivint integration.
  7. Logging in with api user triggered the verification code being sent to my phone.
  8. Enter verification code and Voila! It all worked.

If Vivint is going to require the verification each time a user logs in, then this fix seems viable for the near future. It would be nice if Vivint had a trusted devices list so a restart of HA wouldn't trigger it each time, but that may not be part of this update they made.

Thanks so much @natekspencer for getting this fixed in a hurry! I hope you enjoyed your vacation, and apologies for all the notifications while you were away. I didn't imagine it would take this long for Vivint to get their act together and a working account login.

blakenorthrup commented 2 years ago

Hey Matt, did this and still no dice.

blakenorthrup commented 2 years ago

Not sure if this will help, but here are the logs: This error originated from a custom integration.

Logger: custom_components.vivint.hub
Source: custom_components/vivint/light.py:36
Integration: Vivint (documentation, issues)
First occurred: 4:07:11 PM (1 occurrences)
Last logged: 4:07:11 PM

Unexpected error fetching vivint data: 's'
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/update_coordinator.py", line 187, in _async_refresh
    self.data = await self._async_update_data()
  File "/usr/src/homeassistant/homeassistant/helpers/update_coordinator.py", line 147, in _async_update_data
    return await self.update_method()
  File "/config/custom_components/vivint/hub.py", line 54, in _async_update_data
    return await self.account.refresh()
  File "/usr/local/lib/python3.9/site-packages/vivintpy/account.py", line 110, in refresh
    await system.refresh()
  File "/usr/local/lib/python3.9/site-packages/vivintpy/system.py", line 51, in refresh
    alarm_panel.refresh(panel_data)
  File "/usr/local/lib/python3.9/site-packages/vivintpy/devices/alarm_panel.py", line 161, in refresh
    device.update_data(device_data, override=True)
  File "/usr/local/lib/python3.9/site-packages/vivintpy/entity.py", line 28, in update_data
    self.emit(UPDATE, {"data": new_val})
  File "/usr/local/lib/python3.9/site-packages/vivintpy/devices/init.py", line 166, in emit
    super().emit(event_name, data)
  File "/usr/local/lib/python3.9/site-packages/vivintpy/entity.py", line 59, in emit
    listener(data)
  File "/config/custom_components/vivint/hub.py", line 132, in _update_callback
    self.async_write_ha_state()
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 464, in async_write_ha_state
    self._async_write_ha_state()
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 498, in _async_write_ha_state
    state = self._stringify_state()
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 470, in _stringify_state
    state = self.state
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 882, in state
    return STATE_ON if self.is_on else STATE_OFF
  File "/config/custom_components/vivint/light.py", line 36, in is_on
    return self.device.is_on
  File "/usr/local/lib/python3.9/site-packages/vivintpy/devices/switch.py", line 14, in is_on
    return self.data[SwitchAttribute.STATE]
KeyError: 's'

natekspencer commented 2 years ago

Just released version 2021.9.1 which should prevent having to re-authenticate on restart.

@blakenorthrup your error looks like it might be something else specifically related to switches

mat1583 commented 2 years ago

Worked like a charm after a restart! Thanks so much, @natekspencer .

blakenorthrup commented 2 years ago

I got it working as well, finally, then the hurricane happened... Thank you all for the help. This is a great community👍

natekspencer commented 2 years ago

> I got it working as well, finally, then the hurricane happened... Thank you all for the help. This is a great community👍

Sorry to hear you were in that path. Hope all is well.

blakenorthrup commented 2 years ago

> > I got it working as well, finally, then the hurricane happened... Thank you all for the help. This is a great community👍
>
> Sorry to hear you were in that path. Hope all is well.

Thanks Nate. All is well. Power was down for 18 hours, but thankfully no damage to the house. Also, the Vivint plugin is working like a charm. I removed my Hue Hub from the picture, then reset my non admin user, then was able to authenticate. Thanks again for your hard work!