Add support for 2FA #9

Open
wants to merge 7 commits into
base: master

broyuken

Added the additional fields to pass into the https://github.com/tsightler/ring-alarm-mqtt/ script. Note you need to follow the steps in https://github.com/dgreif/ring/wiki/Two-Factor-Auth in order to generate a token for use in this script.

@DawtCom

DawtCom commented Feb 2, 2020

This is great that you have made the update for the 2FA authentication approach. Just wanted to remind everyone of the same comments made by the ring_alarm_mqtt developer: that if your Home Assistant is compromised and they are able to gather the refresh token, they will have full access to your Ring alarm system API. He even goes as far as saying he just added it due to the number of requests for it. The process to gain the token in essence removes 2FA. You must use 2FA to retrieve the refresh token; once you have the token, 2FA is no longer needed. This is no improvement over the username and password. He goes on to explain that it might be just as useful to create a service (another user) account with a very long and complex password.

The refresh token, when decoded on http://jwt.io, will show similar information: a user and a random string. On Ring's side they just verify the token's validity by verifying the signature of the JSON Web Token and checking the random string against the user to authorize/authenticate the API call.

Bottom line: Make sure you take every step possible to secure your HA instance as well as the plugins you are using.
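
The decode step described in the comment above can be done locally, so a live refresh token is never pasted into a web page. This is an added example, not code from this pull request or from ring-alarm-mqtt; it assumes the token is a compact JWT as the comment describes, the sample token and its claim names (`user`, `rnd`) are constructed, and it decodes only, without verifying the signature.

```javascript
// Added example: inspect a JWT-format token offline (Node.js, no dependencies).
// The token is only decoded; its signature is NOT verified here.

function b64urlToBuffer(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not base64url');
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function bufferToB64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function inspectToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('not a three-part compact JWT');
  const [header, claims] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(b64urlToBuffer(p).toString('utf8')));
  const hasExpiry = typeof claims.exp === 'number';
  return {
    alg: header.alg,
    claimNames: Object.keys(claims).sort(),
    // A token without "exp" stays usable until the issuer revokes it.
    hasExpiry,
    expired: hasExpiry && claims.exp <= nowSeconds,
    signatureBytes: b64urlToBuffer(parts[2]).length,
    // Form that is safe to log: a header prefix and the length, never the token.
    redacted: `${parts[0].slice(0, 8)}... (${token.length} chars)`,
  };
}

// Constructed sample token; claim names and values are hypothetical.
const SAMPLE_TOKEN = [
  bufferToB64url(Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))),
  bufferToB64url(Buffer.from(JSON.stringify({ user: 'user@example.invalid', rnd: 'constructed-random-string' }))),
  bufferToB64url(Buffer.from('constructed-not-a-real-signature')),
].join('.');

console.log(inspectToken(SAMPLE_TOKEN));
```
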

@tsightler

It seems Ring decided to make 2FA mandatory so I guess my point is no longer valid. Interestingly, by not giving a choice, they've actually made users of this addon (or more specifically, my script) less secure because now they will be more likely to use their primary account vs creating a service account. Oh well, nothing I can do about it and Ring certainly doesn't care about 3rd party integrations like this as they don't even offer an official API or any support for 3rd party development. I guess as long as your HA system isn't compromised there's no more risk.

@aidanblack

Please merge this pull request now that 2FA is mandatory, but consider making the location IDs an optional parameter.

4 participants