fronzbot / blinkpy

A Python library for the Blink Camera system

SMS Two-Step Verification

uvjim opened this issue

Hi,

Just received this from Blink. Doesn't fit in as a FR or Bug so just posting for info. I guess we won't know impact of this until someone enables it and sees it badly implemented by Blink in the same way they did 2FA.

[Image: Screenshot_20210206-150848]

I enabled it. Doesn't break anything, just annoying.
You will get an SMS rather than an email on every re-validate.
The SMS sender is shared with other stuff from Amazon (Amazon itself, Twitch and even 3rd party), so can't be easily blocked.

@akrauze Yeah, the 2FA implementation is pretty poor (not working)
I can still arm and disarm my system with the pre-0.16.5rc0 version that doesn't exit on a bad pin.
Not an issue with blinkpy at all, it is Blink's REST API that has the bug.

Seems like they are only requiring the validated 2FA on some endpoints and not others.
Pretty bad security if you ask me.

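import time
from blinkpy import api as blinkapi
from blinkpy.auth import Auth
from blinkpy.blinkpy import Blink
blink = Blink()
auth = Auth({"username": "<USER>", "password": "<PASSWD>"}, no_prompt=True)
blink.auth = auth
blink.start()
time.sleep(5)
# "1" is the bad PIN mentioned above
blink.auth.send_auth_key(blink, "1")
print(blinkapi.request_system_disarm(blink, '<NETWORK_ID>'))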

Output:

{'id': 77274340, 'network_id': <NETWORK_ID>, 'command': 'disarm', 'state': 'new', 'commands': [{'id': 77274341, 'network_id': <NETWORK_ID>, 'command': 'config_lfr', 'state': 'running'}, {'id': 77274342, 'network_id': <NETWORK_ID>, 'command': 'config_lfr', 'state': 'running'}, {'id': 77274343, 'network_id': <NETWORK_ID>, 'command': 'config_lfr', 'state': 'running'}]}

Checked on the Blink Mobile app and it was set to Disarmed
Granted you need to know the login and password for the account, but still...
Great security Blink! /s

Yeah doesn't look like anything breaks with SMS verification so I'll close this
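
Added example (not part of the thread, and not Blink's or blinkpy's code): a sketch of the server-side control whose absence is described above, where every route passes through one gate that denies access until the second factor is verified. All names here (`Session`, `dispatch`, `PRE_2FA_ALLOWLIST`, the route names, the PIN value) are hypothetical; Blink's actual server implementation is not known from this page.

```python
import hmac
from dataclasses import dataclass

# Hypothetical routes allowed before the second factor is verified.
PRE_2FA_ALLOWLIST = {"login", "verify_pin"}
MAX_PIN_ATTEMPTS = 3


class Forbidden(Exception):
    """Raised when a request is refused by the gate."""


@dataclass
class Session:
    expected_pin: str        # PIN sent by SMS or email at login (constructed value)
    verified: bool = False
    failed_attempts: int = 0


def verify_pin(session, submitted):
    """Mark the session verified only on an exact, constant-time PIN match."""
    if session.failed_attempts >= MAX_PIN_ATTEMPTS:
        raise Forbidden("too many PIN attempts; log in again")
    if hmac.compare_digest(session.expected_pin.encode(), submitted.encode()):
        session.verified = True
    else:
        session.failed_attempts += 1
    return session.verified


def disarm(session, network_id):
    """Stand-in for a state-changing endpoint."""
    return {"network_id": network_id, "command": "disarm", "state": "new"}


HANDLERS = {"verify_pin": verify_pin, "disarm": disarm}


def dispatch(session, route, handlers, *args):
    """Single choke point: deny every route until 2FA passes, unless allow-listed."""
    if route not in PRE_2FA_ALLOWLIST and not session.verified:
        raise Forbidden(f"{route}: second factor not verified")
    return handlers[route](session, *args)
```

Because the check lives in `dispatch` rather than in each handler, a newly added endpoint is protected by default and has to be allow-listed explicitly to be reachable before verification.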