Failed login -- apparent captcha

[taddat]

When I run the script I receive the following login error:

cookie does not exist. logging in ...
ERROR: Amazon Login was unsuccessful. Possibly you get a captcha login screen.
 Try logging in to https://alexa.amazon.com with your browser. In your browser
 make sure to have all Amazon related cookies deleted and Javascript disabled!

 (For more information have a look at /tmp/.alexa.login)

When I try to login to https://alexa.amazon.com with javascript disabled I get a captcha screen. I looked at /tmp/.alexa.login and it shows a captcha request as well.

Any suggestions?

[adn77]

Did you try solving the captcha and logging in on the browser? Does the captcha come every time?
Sometimes you are only presented with a captcha, when Amazon recognizes some unusual login patterns...

If that is the case then that would mean you're out of luck for the time being...

I am already working on cracking the captchas using tesseract as they sometimes tend to be not too hard. But that is still far from straight forward.

[taddat]

Yes, I tried solving the captcha and logging in from the browser with javascript disabled, however I just get a blank page (the alexa page apparently does not load properly with javascript disabled). With javascript enabled, I can login/logout without receiving any captchas.

I suppose I'm out of luck?

[adn77]

The blank Alexa page without enabling JS is OK - the point is if you get a Captcha login each time you login without JS in your browser (as this is what we're essentially doing with the script as well).

For some people it was enough having solved the Captcha once - if that is not the case then unfortunately the script will not work for you, sorry!

In fact, amazon.com seems to be much more restrictive on non-JS enabled logins - I've heard from quite a few that it doesn't work for them.

[jlippold]

I had the same problem. Add this extension to chrome https://chrome.google.com/webstore/detail/cookietxt-export/lopabhfecdfhgogdbojmaicoicjekelh

Then goto https://alexa.amazon.com/, login to amazon, and run the extension.
Paste the text into /tmp/.alexa.cookie and you've bypassed captcha's and possibly 2fa.

[adn77]

You are right - this perfectly works!
Unfortunately this cookie is only valid while the session is maintained by Amazon. That is why the script tries to do the login for you (if there is no captcha). Unless you run the script with the "-l" parameter, your cookie will stay untouched until it is invalidated by Amazon.

[taddat]

Very cool -- thank you for sharing the suggestion regarding the cookie export. This indeed does work. Any idea how long the cookie lasts?

I'm a big fan of this script-- when used in conjunction with the ha-bridge (Alexa to Vera bridge) I'm able to simply tell Alexa "turn on the music" or "turn on the fan" or "turn on the TV" and the appropriate command is sent based on the location of the Echo/Dot that received the command. This is possible for lights only with Amazon's addition of "room awareness," but they haven't extended the functionality to other non-light devices. This dramatically increases the usability of my Echos/Dots for home automation purposes.

[jlippold]

I've been using the cookie trick for about 3 weeks now

[JamesValero]

Not sure what I'm doing wrong

Steps

1. Enable extension in incognito mode
2. Open a new incognito session
3. Login https://alexa.amazon.com
4. Copy results from the extension*
5. Paste results to /tmp/.alexa.cookie
6. ./alexa_remote_control.sh -d Office -e vol:0
   `cookie expired, logging in again ...
   ERROR: Amazon Login was unsuccessful. Possibly you get a captcha login screen.
   Try logging in to https://alexa.amazon.com with your browser. In your browser
   make sure to have all Amazon related cookies deleted and Javascript disabled!

(For more information have a look at /tmp/.alexa.login)`

The linked extension isn't working anymore but did use cookies.txt* and seems to have the same output.

*https://chrome.google.com/webstore/detail/cookietxt-export/lopabhfecdfhgogdbojmaicoicjekelh

[jlippold]

Hey James,

Just FYI, the workaround I posted doesn't persist for long enough. It maybe lasted for 2 weeks max, so I stopped using this script. I think amazon's security is tighter in the US, because there's no reliable way to automate my account login.

But to answer your question, maybe add the -l parameter that @adn77 posted earlier

[JamesValero]

Thanks for pointing out -l. Missed that.

Do you have an alternative? Feel free to PM me if needed.

I have been playing around with AlexaNotificationCurl but it acts as an additional Echo device than controlling an existing one.

[adn77]

@JamesValero the -l just calls the logout endpoint in Alexa and deletes all /tmp/.alexa* files.
I put this there in order not to have too many open sessions with Amazon (which might lead to blocking).

In fact for amazon.com I have not heard of anybody having authenticated succesfully using the script.
When I use my browser (cookies deleted, Javascript disabled) to login to amazon.com, I always get the captcha. This might be due to the language settings of my browser or my geographical location.
Try your borwsers first - if you succeed to login without getting a captcha, please let me know the Request-Headers that were sent for successful login.

As to the AlexaNotificationCurl, this makes use of the Alexa Voice Services. That is a well documented API that let you use TTS and voice recognition. Unfortunately this has nothing to do with the Echo devices. The only thing you can do is to connect an Echo via Bluetooth as an external speaker to your AVS processing device.

[jlippold]

@adn77 have you tried inspecting the data being sent from the mobile alexa application? Also, ever considered swapping out curl with a headless browser that can run JS, like selenium or nightwatch?

[adn77]

@jlippold the mobile app would be the way to go - yet this is very likely not legally permitted, thus I am not admitting anything ;) The app probably uses some sort of OAuth2. If one was to use the app's client-id, retrieve the app's client-secret, and implement a proper OAuth flow this could actually work.

Implementing a JS capable headless browser has been tried before (CasperJS) but besides rendering the script unusable on router-like machines does not accomplish much since Amazon may very well give you a Captcha screen there as well.

[jlippold]

FWIW, I've never seen the Captcha with JS enabled, and although a headless browser would raise the barrier to entry, it's better than having no entry at all.

Nevertheless, the mobile app is using an OAuth strategy and I wouldn't know how to obtain the secret since it's likely stored server-side. The only other difference I see is the UserAgent is AmazonWebView/Amazon Alexa/2.2.216514.0/iOS/11.3.1/iPhone

[Apollon77]

For me it worked multiple times (while testing a Javascript port of this cool script) to use the browser-without-javascript way to get the possibility back top use the shellscript (or my javascript port)

[jlippold]

@Apollon77 whats the repo address for the JS version?

[Apollon77]

I currently forced the work started by someone else and try to sync it now ...

Get Cookie: https://github.com/Apollon77/alexa-cookie (Done)

General functions at https://github.com/Apollon77/alexa-remote (WIP) :-)

[jlippold]

Cool, let me know if you need some help. Maybe you can get this eventually published on npm as a library for others

[Apollon77]

This is the plan also also already available from the original developer ... but he seems to be inactive currently.

So for now I sync with your functionality and fix and test things ... and use it in the project it originally was developed for as proof.

At latest when I'm done with this I see if I was able to contact the developer or if I just publish as forked-library on npm under new name.

Thank you for offering your help ... currently it works well to "reverseengineer" your skript (I added --trace-ascii to all the curl calls, so I get the real request/responses :-)

[walthowd]

@Apollon77 I'm trying to test your JS version, but not having any luck getting devices populated -- and I can't tell if my login was successful or not? I'm running Node v9.8.0 with the latest current version of alexa-cookie (modified to use US Amazon server) and alexa-remote.

example.js

let Alexa = require('alexa-remote');
let alexa = new Alexa();

/***************************************************************/
// see: https://www.gehrig.info/alexa/Alexa.html
// cookie starts with x-amzn-dat and ends with =" csrf=12345780
let cookie = 'x-amzn-dat.../ /...=" csrf=12345780';

alexa.init({
        cookie: cookie,  // cookie if already known, else can be generated using email/password
        email: '[email protected]', // optional, amazon email for login to get new cookie
        password: 'XXXX', // optional, amazon password for login to get new cookie
        bluetooth: true,
        logger: console.log, // optional
        baseUrl: 'pitangui.amazon.com' // optional, e.g. "pitangui.amazon.com" for amazon.com, default is "layla.amazon.de"
    },
    function () {
        for (let device of this.devices) {
            console.log (device._name);
        }
    }
);

Output

Alexa-Remote: cookie was provided
Alexa-Remote: Sending Request with {
  "host": "pitangui.amazon.com",
  "path": "/api/bootstrap?version=0",
  "method": "GET",
  "timeout": 10000,
  "headers": {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0",
    "Content-Type": "text/plain",
    "csrf": "12345780",
    "Cookie": "x-amzn-dat.../ /...=\" csrf=12345780"
  }
}
Alexa-Remote: Authentication checked: false
Alexa-Remote: Cookie was set, but authentication invalid, retry ith email/password ...
Alexa-Remote: No cookie, but email and password, generate cookie
Alexa-Cookie: Step 1: get first cookie and authentication redirect
Alexa-Cookie: Sending Request with {"host":"alexa.amazon.com","path":"","method":"GET","headers":{"DNT":"1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0","Accept-Language":"en-US","Connection":"keep-alive","Accept":"*/*"}}
Alexa-Cookie: Response (302) - Redirect to https://www.amazon.com/ap/signin?showRmrMe=1&openid.return_to=https%3A%2F%2Falexa.amazon.com%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_dp_project_dee&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&
Alexa-Cookie: Sending Request with {"host":"www.amazon.com","path":"/ap/signin?showRmrMe=1&openid.return_to=https%3A%2F%2Falexa.amazon.com%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_dp_project_dee&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&","method":"GET","headers":{"DNT":"1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0","Accept-Language":"en-US","Connection":"keep-alive","Accept":"*/*","Cookie":""},"body":""}
Alexa-Cookie: Response (200)
Alexa-Cookie: Step 2: login empty to generate session
Alexa-Cookie: Sending Request with {"host":"www.amazon.com","path":"/ap/signin","method":"POST","headers":{"DNT":"1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0","Accept-Language":"en-US","Connection":"keep-alive","Content-Type":"application/x-www-form-urlencoded","Referer":"https://www.amazon.com/ap/signin?showRmrMe=1&openid.return_to=https%3A%2F%2Falexa.amazon.com%2F&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.assoc_handle=amzn_dp_project_dee&openid.mode=checkid_setup&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&","Cookie":"session-id=134-4067158-5194560; session-id-time=2161955417l","Accept":"*/*"},"gzip":true,"body":"appActionToken=jvKINAS7ED1j2B0znunemyzUhiHaEj3D&appAction=SIGNIN&showRmrMe=ape%3AMQ%3D%3D&openid.return_to=ape%3AaHR0cHM6Ly9hbGV4YS5hbWF6b24uY29tLw%3D%3D&prevRID=ape%3AMlpBQVlYOUNGNFJFNVlZWDFUUzE%3D&openid.identity=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3Q%3D&openid.assoc_handle=ape%3AYW16bl9kcF9wcm9qZWN0X2RlZQ%3D%3D&openid.mode=ape%3AY2hlY2tpZF9zZXR1cA%3D%3D&failedSignInCount=ape%3AMA%3D%3D&openid.claimed_id=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3Q%3D&pageId=ape%3AYW16bl9kcF9wcm9qZWN0X2RlZQ%3D%3D&openid.ns=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjA%3D&showPasswordChecked=false"}
Alexa-Cookie: Response (200)
Alexa-Cookie: Step 3: login with filled form, referer contains session id
Alexa-Cookie: Sending Request with {"host":"www.amazon.com","path":"/ap/signin","method":"POST","headers":{"DNT":"1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0","Accept-Language":"en-US","Connection":"keep-alive","Content-Type":"application/x-www-form-urlencoded","Referer":"https://www.amazon.com/ap/signin/134-4067158-XXXXXXX","Cookie":"session-id=134-4067158-XXXXXXX; session-id-time=2161955417l; ubid-main=133-1515041-XXXXXXX","Accept":"*/*"},"gzip":true,"body":"appActionToken=jvKINAS7ED1j2B0znunemyzUhiHaEj3D&appAction=SIGNIN&showRmrMe=ape%3AMQ%3D%3D&openid.return_to=ape%3AaHR0cHM6Ly9hbGV4YS5hbWF6b24uY29tLw%3D%3D&prevRID=ape%3ANFNGTVZETlEzSkNISDBUOEpaNlM%3D&openid.identity=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3Q%3D&openid.assoc_handle=ape%3AYW16bl9kcF9wcm9qZWN0X2RlZQ%3D%3D&openid.mode=ape%3AY2hlY2tpZF9zZXR1cA%3D%3D&failedSignInCount=ape%3AMA%3D%3D&openid.claimed_id=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjAvaWRlbnRpZmllcl9zZWxlY3Q%3D&pageId=ape%3AYW16bl9kcF9wcm9qZWN0X2RlZQ%3D%3D&openid.ns=ape%3AaHR0cDovL3NwZWNzLm9wZW5pZC5uZXQvYXV0aC8yLjA%3D&showPasswordChecked=false&email=myeamail%40gmail.com&password=password"}
Alexa-Cookie: Response (200)

TypeError: this.devices is not iterable
    at AlexaRemote.<anonymous> (/Users/hass/alexa-remote/example.js:18:33)
    at getCookie (/Users/hass/alexa-remote/node_modules/alexa-remote/alexa-remote.js:70:41)
    at /Users/hass/alexa-remote/node_modules/alexa-remote/alexa-remote.js:55:21
    at request (/Users/hass/alexa-remote/node_modules/alexa-cookie/alexa-cookie.js:189:21)
    at IncomingMessage.<anonymous> (/Users/hass/alexa-remote/node_modules/alexa-cookie/alexa-cookie.js:69:33)
    at IncomingMessage.emit (events.js:185:15)
    at endReadableNT (_stream_readable.js:1101:12)
    at process._tickCallback (internal/process/next_tick.js:114:19)

[Apollon77]

Please move this to the Github of te right project :-) But in general you get an error because of Captcha or such and so the init callback is called with an err parameter ... so you need to provide your code because the error is there :-)

[walthowd]

Thanks @Apollon77 -- I don't see that you have issues turned on in your project, or I would have bugged you over there.

So still captcha occurring with your JS code? Do you see that anywhere in my output? If so, that seems to follow the pattern that Amazon is more aggressive with security and captcha prompts on the US servers.

[Apollon77]

I see it from the stack trace ...

alexa-cookie.js:189:21 is called when an error happened and is returning that to your code that called "Init"

Change your code to

alexa.init({
        cookie: cookie,  // cookie if already known, else can be generated using email/password
        email: '[email protected]', // optional, amazon email for login to get new cookie
        password: 'XXXX', // optional, amazon password for login to get new cookie
        bluetooth: true,
        logger: console.log, // optional
        baseUrl: 'pitangui.amazon.com' // optional, e.g. "pitangui.amazon.com" for amazon.com, default is "layla.amazon.de"
    },
    function (err) {
        if (err) {
            console.log(err);
            return;
        }
        for (let device of this.devices) {
            console.log (device._name);
        }
    }
);

Yes it seems that captcha is needed for you. Did you tried with a chrome with disabled JS and incognito mode?

PS: Isues turned on now

[liv-in-sky]

I also got this captcha error -maybe this helps: the solution for me was to chance the BROWSER entry in the script

old : BROWSER='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0'
BROWSER='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'

now it is working again

[Apollon77]

Also one info: also one other user reported this as working, but also used the scripft on a linux server ... so better matched with this user agent

Update: Also macOS is better working with the linux one

[Apollon77]

@jlippold As info ... I did a step more and added a "http proxy" to my lib. so when automatic retrieval fails user can use the proxy to just do the login by itself, solving all captchas and 2FA and stuff and then library catches the cookie in the background. and it uses user-agend and accept-language as defined, so higher chance to have it working automatic next time :-)

[sujitrp]

Any work around on login issue using cli ? tried cookie but no luck .
I will really love to use this function to play alexa on G home box .

[Apollon77]

The plain solutions are to play around with User-agent (the Linux one shows good success mostly), but as soon as you have 2FA or other things you need to do things at least once manually.

I think Proxy-kind solutions like OpenHab and ioBroker are doing are no real options for this case here :-)

[bparees]

for what it's worth i found that the cookies.txt extension in firefox generates a usable cookies.txt file and the extension for chrome does not (at least on linux). I haven't compared the two files to see why that would be.

But if the session expires in just a few weeks then that's of marginal use anyway.

[durango99]

@bparees thank you for that tip. On Windows, copying the the cookies.txt from Chrome always generated a expired login. Using your suggestion of Firefox (still in Windows) copying the cookies.txt worked.

While session expiration is still an issue, I can at least test things out.

[goldfndr]

Something I've noticed is that the signin page uses apostrophes instead of quotes for the name/value line. So when the "login empty to generate session" line runs, it tries to evaluate <input type="hidden" name='ue_back' value='1' /> but fails because it isn't <input type="hidden" name="ue_back" value="1" /> and outputs a zero length .alexa.postdata2 file.

I changed the parsing to apostrophes but evidently the 1=ue_back& is insufficient.

Additionally, neither the first page nor the second page appears to offer any cookies. So, the second page retrieval with the "blank" signin won't work for now. (Edit: looks like it varies in when it offers cookies; investigating.)

[jaccardinal]

For Canada :
I have been able to get rid of the cookies problem just by changing :

AMAZON='amazon.ca'

ALEXA='alexa.amazon.ca'

Jaccar

[noureddin212]

Hello
I am still having the Captcha issue I use amazon.fr
Is this solved ? I am not a developper can somebody put an easy wiki to follow ?
Regards

[intershopper]

I have also the same issue but I have tested it the whole day. It seems amazon has something change. Login in alexa.amazon.com works well. I have also copy the cookie from browser dev tools but I don't have success
Regards Frank

[dbloms]

Since a few days, I can't login either. My thought is that they have changed something.

[jaccardinal]

For a few days I have been having the same problem here in Montreal, Canada

[noureddin212]

I do not know if there is people that are able to use this script ... But I found the same sort of script on the openhab2 that did work If we are not able to make work this or have a lack of support ... Le ven. 9 nov. 2018 à 21:14, jaccardinal <[email protected]> a écrit :

…

For a few days I have been having the same problem here in Montreal, Canada — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#10 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AfwZf2WU_5z_enVyuRbEpwNMdW26ICTxks5uteIrgaJpZM4TAutl> .

[Apollon77]

It is mainly because of changes by Amazon and it is very hard to run behind them.

Openhab and also iobroker/ my nodejs lib are using more enhanced ways in the meantime using a webproxy and much magic ... to Build this as a Shell Script is very hard to impossible (in my eyes). But there are thoughts how to make it More future proof...

[shaansheikh]

So is there currently no way to login? Where can I find this openhab script? Does setting cookies.txt by manually copying the cookie from firefox work?

I am looking for a way to programmatically make my echo say something unprompted. If I get login to work in this repo, is that what the speak functionality does?

[Apollon77]

If nodejs is also an option you maybe can look into https://github.com/Apollon77/alexa-cookie or even https://github.com/Apollon77/alexa-remote/ that are using the same "proxy based" mechanisms incuding refresh capability

[dbloms]

@shaansheikh: there is an openhab binding for alexa. Please have a look at https://www.openhab.org/addons/bindings/amazonechocontrol/.

[adn77]

@shaansheikh of course you can always use a valid Firefox/Chrome cookie. But that fails the purpose of the script ;)
If you get a Captcha in your browser (emptied cache and JS turned off) then openHAB or IObroker are the only ways to go.
Both solutions are much more mature and they offer a proxy-service that shows you the Amazon login screen in case you would be getting a Captcha.

As far as I know @Apollon77 and the openHAB developer implemented a funktionality that will refresh the cookie, so that you'd have to go only once through the browser based verification.

[rich-gepp]

Hi all,

Sorry for resurrecting this relatively old issue, but thought I'd share an alternative approach to avoid Amazon's use of captcha that prevents automated clients from logging in. @thorsten-gehrig suggested somewhere (can't find it now) that Amazon does not use captcha when using MFA, so I've forked this project and introduced support for MFA. I've been running it successfully since March, so invite anyone who is still having issues to use the modified script. You can find it here.

It introduces a dependency on oathtool, but it's enough easy to install. I'm more than happy to open a pull request to upstream it if it is deemed valuable. Cheers!

[taddat]

Hi all,

Sorry for resurrecting this relatively old issue, but thought I'd share an alternative approach to avoid Amazon's use of captcha that prevents automated clients from logging in. @thorsten-gehrig suggested somewhere (can't find it now) that Amazon does not use captcha when using MFA, so I've forked this project and introduced support for MFA. I've been running it successfully since March, so invite anyone who is still having issues to use the modified script. You can find it here.

It introduces a dependency on oathtool, but it's enough easy to install. I'm more than happy to open a pull request to upstream it if it is deemed valuable. Cheers!

Interesting -- thanks for the heads up. One question - how do you set the value for "SET_MFA_SECRET" in your code? Does Amazon provide permanent codes when you enable 2FA?

[rich-gepp]

They are not permanent codes. The way MFA works is that both parties have a shared key which allows them to generate a one-time password (OTP) based on time of day and other factors according to RFC 6238. The shared key acts as a seed to generate the one-time passwords according to the algorithm in RFC 6238.

On Amazon, you can get the MFA shared key when you are invited to scan the barcode for MFA. Instead of scanning the barcode, click the Can't scan barcode link, and it will reveal the MFA shared key.

I would recommend setting up MFA with your mobile first (once it has been used on your preferred device, you can elect to not get asked again), and then create a shared key for use in your scripts by navigating to Your account>Login & security>Advanced Security Settings and choosing Add new app. to create a new (additional) MFA shared key. Select Can't scan barcode link and copy the key (step 3) and paste it into the script in place of the value for SET_MFA_SECRET. Either go back and use the barcode in your favourite MFA OTP generator (e.g. Google Authenticator) or use oathtool to generate the OTP to complete the setup:

oathtool --base32 --totp "MFA_SECRET_COPIED_FROM_AMAZON"

Type the OTP into the text field and click Verify code and continue. Then your Amazon setup is done.

The script will use MFA if the SET_MFA_SECRET script variable is set (or the MFA_SECRET environment variable is set), so remember to uncomment the line if using the script variable. If neither is set, then the script will perform as per the original with no MFA.

GLHF.

[adn77]

@rich-gepp thanks for the contribution! I included it in the latest version.
(took some time as I had to cross-compile oathtool for the hardware that I use for alexa_remote_control ;) )

[LordDarkneo]

Hi all!
I am facing the same issue with Amazon.fr. I activated the MFA and generated the MFA key successfully. But then I am stuck, because I am trying to execute the sh on a Synology..

./alexa_tts.sh: line 357: /usr/bin/oathtool: No such file or directory
ERROR: Amazon Login was unsuccessful. Possibly you get a captcha login screen.
 Try logging in to https://alexa.amazon.fr with your browser. In your browser
 make sure to have all Amazon related cookies deleted and Javascript disabled!

 (For more information have a look at /tmp/.alexa.login)

 To avoid issues with captcha, try using Multi-Factor Authentication.
 To do so, first set up Two-Step Verification on your Amazon account, then
 configure this script (or the environment) with your MFA secret.
 Support for Multi-Factor Authentication requires 'oathtool' to be installed.

For those that would not understand: I cannot install oathtool package on DSM... Any workaround solution to avoid this package?

EDIT: Just in case, I tried to use my RPI to run the script. I do not have the oathtool error but still the connection is unsucceful...

cookie does not exist. logging in ...
ERROR: Amazon Login was unsuccessful. Possibly you get a captcha login screen.
 Try logging in to https://alexa.amazon.fr with your browser. In your browser
 make sure to have all Amazon related cookies deleted and Javascript disabled!

 (For more information have a look at /tmp/.alexa.login)

 To avoid issues with captcha, try using Multi-Factor Authentication.
 To do so, first set up Two-Step Verification on your Amazon account, then
 configure this script (or the environment) with your MFA secret.
 Support for Multi-Factor Authentication requires 'oathtool' to be installed.

I tried the connection on my chrome browser (In private mode, without JS), it ask for a code sent on my cell phone...

[adn77]

You seem to have multiple issues here. Make sure, Amazon uses the Authenticator App for MFA logins.

What type of Synology do you use? Try downloading the Openwrt package of oathtool for your architecture and extract the binary and liboath. You might have to set LD_LIBRARY_PATH before running the alexa script.

[LordDarkneo]

Hi and thanks for your answer.

Yes Amazon is correctly setup (I have 1 app registered on MFA).

For Synology I'll try to find a way to install the needed library. But why is it not working on rpi?

[adn77]

@LordDarkneo regarding getting it to work on your Pi:
Can you confirm that you installed oathtool, and set the environment variables EMAIL, PASSWORD, MFA_SECRET?
Your MFA_SECRET should look something like "1234 5678 9ABC DEFG HIJK LMNO PQRS TUVW XYZ0 1234 5678 9ABC DEFG"

[LordDarkneo]

Hi, I did not set environment variable, I just filled the information in the configuration file.... MFA secret is like you said ;)

[prodigy7]

Login issue here to. Script worked the first time without any problems. Now I got

cookie does not exist. logging in ...
ERROR: Amazon Login was unsuccessful. Possibly you get a captcha login screen.
 Try logging in to https://alexa.amazon.de with your browser. In your browser
 make sure to have all Amazon related cookies deleted and Javascript disabled!

 (For more information have a look at /tmp/.alexa.login)

 To avoid issues with captcha, try using Multi-Factor Authentication.
 To do so, first set up Two-Step Verification on your Amazon account, then
 configure this script (or the environment) with your MFA secret.
 Support for Multi-Factor Authentication requires 'oathtool' to be installed.

Look into /tmp/.alexa.login shows me, amazon is requesting a captcha confirmation

[martinorob]

Same here...

[abhatikar]

Here are the steps to be followed to fix the issue.

1. go to your amazon. and go to accounts option to enable MFA
2. In the section Backup methods, add a new app
   3 You should see a QR code. Click the link below saying cannot read QR code.
3. Copy the MFA code e.g KG32 2TCT PLCC O6MK GOMS TZTV 7G6A FMQY Q3AL YZMV WLA7 PHWF 75PQ.
4. Open the script alexa_remote_control.sh and add above code to MFA_SECRET.
5. run the ./alexa_remote_control.sh -a
   7 if you get the same cookie error, run the command
   oathtool --base32 --totp "MFA_SECRET"
   The result of the command would be a number, copy that number and go to the browser where you got the MFA code and enter that code in the box below saying OTP and click submit
6. Return back to the terminal and run the ./alexa_remote_control.sh -a