fronzbot / blinkpy

A Python library for the Blink Camera system


Blinkpy accepts incorrect 2FA Code

pferland opened this issue · comments

Describe the bug
The Blinkpy module accepts any 2FA code that I enter, even if it is completely different from the 2FA code that Blink sends in an email.

Steps to reproduce the behavior:

  1. Use no_prompt=False in the Auth() method
  2. Run the script
  3. Get the email from Blink with the 2FA code.
  4. Enter a wrong code instead of the one from the Blink email
  5. Blinkpy will accept the code and continue on.

Expected behavior
The Blinkpy module should deny access if the 2FA code is incorrect.

blinkpy version:
blinkpy==0.16.4

Log Output/Additional Information

pferland@rpi4:/mnt/6T/blink $ python3 main.py 
/mnt/6T/blink/config/.blink_config
Enter code sent to <REMOVED>: 7
Downloading Videos
Blink Cameras
Front Door - Outdoors
{'name': 'Front Door - Outdoors', 'camera_id': '<REMOVED>', 'serial': '<REMOVED>', 'temperature': 33, 'temperature_c': 0.6, 'temperature_calibrated': 33, 'battery': 'ok', 'battery_voltage': 145, <TRUNCATED>}

I reached out to the Blink Support team about this and they put the blame on the Blinkpy module. I do not believe them that this is an issue with the python module. I believe that it is an issue with their API not authenticating users correctly with the 2FA code.
So I just wanted to cover the bases and have you take a look if possible and if you are able to replicate and verify that it is not an issue with the python module I will go back to Blink Support with that evidence.

Thank you for contacting Blink Technical Support.

Regarding the third party script that you are using right now, we no longer have any support for any third party script. If you are having trouble with your third party script, we apologize, but we can't help you with that matter. We suggest you contact the operator of the third party script that you are using. If the issue is with the Blink application, we can definitely help you with that.
Looking forward to your response.
Best regards,
Blink Technical Support

Thank you!
-Phil

Did some further testing and it looks like if you have no_prompt=True, no 2FA code is sent. But that contradicts what the Blink API is returning: it says that the client needs verification when I run the sample curl command.

curl -H "Host: rest.prod.immedia-semi.com" -H "Content-Type: application/json" --data-binary '{ "password" : "<REMOVED>", "client_specifier" : "Fedora 32", "email" : "<REMOVED>" }' --compressed https://rest.prod.immedia-semi.com/api/v4/account/login

"client":{"id":<REMOVED>,"verification_required":true}

Not sure exactly what is happening here. Does the client not need verification unlike the API is saying?

I can confirm I see the same behavior. If you send the wrong pin with the auth.send_auth_key method, the returned json response indeed says the PIN is invalid, but you are not blocked from subsequent API calls. Unbelievable 🤦

That appears to be a Blink issue, not a library issue. Maybe in their app they handle it so that if a pin is required it doesn't allow you to make any API calls, but it's clear that you can send anything during the pin stage and are definitely not blocked.

I think the only way to get Blink to fix that on their end is to check if the same behavior exists in the app and if it does, get them to fix it. If it doesn't, my guess is they will slam the hammer down harder on third party access rather than trying to fix their buggy API. So a "damned if I do, damned if I don't" scenario.

Hmm, that does seem a bit of a slippery slope there.
But security through obscurity is not security at all.

Will give a check on the app to see what it does.

The official Blink app does not allow bad 2FA pins, so it seems they are limiting access artificially via their app.

I was able to bypass the 2FA in my script by doing the following:

import time

from blinkpy.blinkpy import Blink
from blinkpy.auth import Auth

# no_prompt=True skips the interactive 2FA prompt entirely
auth = Auth({"username": "<USERNAME>", "password": "<PASSWORD>"}, no_prompt=True)

blink = Blink()
blink.auth = auth
blink.start()
time.sleep(5)
# send an arbitrary (wrong) pin; the API rejects it but does not block later calls
blink.auth.send_auth_key(blink, "1")

# <Continue on with code>

And it still works downloading the videos.

So, no need for 2FA even though Blink "requires" it for unverified clients.

This one probably can be closed too since the validation is corrected in the new rc.

It returns false, but you're not blocked from API calls so this is still an open issue

What I am seeing is that many calls do not need the 2FA to be completed successfully. Call to homescreen is an important example. If the 2FA was not successful, but you call blinkpy again with the last token, it returns successfully from the homescreen call and the check for verification_required is not set (at least from what I've seen playing around). This allows the script to continue and calls to functions that need 2FA, such as the video download, fail.

Regret that I am not also offering how to code around that :).
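The library-side fix the thread is circling around (in the comment above about calls succeeding after a failed 2FA, and the earlier note that a wrong pin "returns false" without blocking further calls) is a fail-closed gate: parse the login response, and refuse every call until the pin verifier explicitly succeeds. The example below is added here and is not blinkpy's own code; `AuthGate`, `demo` and the `verifier` callback (a stand-in for `send_auth_key`) are assumptions, and the login body is constructed from the response quoted in this issue.

```python
"""Fail-closed 2FA gate for a Blink-style client session (added example)."""
import json
from typing import Callable


class TwoFactorRequired(PermissionError):
    """Raised when a call is attempted before the 2FA pin was accepted."""


class AuthGate:
    """Tracks whether the account login still needs 2FA verification.

    Deliberately fail-closed: once the login response says
    verification_required, no API call is allowed until the pin verifier
    reports success. A rejected pin leaves the session unverified instead
    of letting the script continue (the behaviour reported in this issue).
    """

    def __init__(self) -> None:
        self.verification_required = False
        self.verified = False

    def process_login(self, body: str) -> bool:
        """Parse the login JSON and record whether 2FA is still pending."""
        client = json.loads(body).get("client", {})
        # A missing field is treated as "required": unknown state must not pass.
        self.verification_required = bool(client.get("verification_required", True))
        self.verified = not self.verification_required
        return self.verification_required

    def submit_pin(self, pin: str, verifier: Callable[[str], bool]) -> bool:
        """Send the pin through `verifier`; only an explicit True unlocks the gate."""
        self.verified = verifier(pin) is True
        return self.verified

    def require_verified(self) -> None:
        """Call before any API request; raises instead of silently continuing."""
        if self.verification_required and not self.verified:
            raise TwoFactorRequired("2FA pin not accepted; refusing API call")


# Constructed sample: the shape of the login body quoted earlier in this issue.
SAMPLE_LOGIN = '{"client":{"id":12345,"verification_required":true}}'


def demo(pin: str, expected_pin: str = "123456") -> bool:
    """Run the gate on the sample with a stand-in verifier; True if calls may proceed."""
    gate = AuthGate()
    gate.process_login(SAMPLE_LOGIN)
    gate.submit_pin(pin, lambda p: p == expected_pin)  # stand-in for send_auth_key
    try:
        gate.require_verified()
    except TwoFactorRequired:
        return False
    return True
```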

@macleajb As I noted in #426, I am able to disarm and arm my system with an invalid 2FA pin (using the older blinkpy that doesn't validate the 2FA and exit on invalid pin) so yeah their API is still pretty broken.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

This issue is now being closed due to inactivity.