Two Factor Authentication (2FA)

MOD EDIT: As of 4/24/19, 2FA is now in the app!

MOD EDIT: This is now in early stage testing! :smiley:

We understand Wyze takes our privacy very seriously and appreciate the detail that has been laid out already on how our cameras are set up on the back-end. To further secure this from potentially weak/compromised passwords we need optional 2FA. (Preferably with an app vs. just SMS). This additional layer will help keep us all feeling more safe and keep our cameras private and Wyze out of the headlines. Thank you for addressing.


Moderator Edit: 02/22 - We have completed the requirements and will be working on an SMS authentication during the first release. We are aiming to launch this in the next 2-3 versions.


Moderator Edit: Here’s the work-in-progress requirements for 2FA based on feedback that we’ve seen here and on the forums. Feel free to add comments so we can consider your thoughts.

Link here


Moderator Edit: Do you use two-factor authentication where you are asked for an additional verification code as an added layer of security? If yes, which one do you prefer the most and why? Leave in comments below.

  • Google Authenticator
  • Authy
  • SMS
  • Email
  • Others (leave in comments)

0 voters

1 Like

I too feel this is very important to help prevent mischief caused if a member’s password were to be somehow obtained by a bad actor.

3 Likes

Yep.

Anonymous Hacker Breaks Into A Personal Security System To Prove It’s Possible [Source: NPR]

Agreed, would feel much safer about using these in the home when this feature gets put in.

Quick question to better understand, where do you see the 2FA challenge to take place? On any login attempt I’m assuming? Not on app launch. Right?

1 Like

On login attempt on any device (computer or app on the phone) when that device has not already successfully passed 2FA. If a device has already passed 2FA, then re-doing the authentication would not be required. There would need to be a page in the user account settings where all previously authorized devices could be reset (either individually or en masse).

3 Likes

Hey. Thanks for the quick response. Taking a step back to think about this holistically, in order to have Wyze be “industry-leading” in terms of privacy I’d propose considering the following:

  1. “Basic” email confirmation when installing Wyze on a second device. Basically, when setting up Wyze the first time, this device is “remembered” and linked to the user’s Wyze account. If the user attempts to access their Wyze feed on a different device, they would get an email with a one-time code to “activate” and remember the new device. This would then be saved. (Similar to the second factor confirmation used by banks/websites although by device vs cookies.) This would help if a user’s password is compromised and would not sacrifice much user experience as people are used to this.

  2. Building on this, within the user account, list out which devices are authorized to access the account and build in the ability to revoke a device. This would help provide transparency if an inappropriate device was added, so the user could disable it and change their password.

  3. Within the app itself have an “advanced security section” where the user can “opt in” to leveraging the phone’s Apple Touch ID / Android fingerprint scan each time the user logs in to confirm their identity (this would protect against the phone getting stolen and the Wyze password “remembered” on the phone).

  4. For those truly paranoid, creating a 2FA challenge question. I could see this as another advanced option to your point when the account is accessed primarily for outside of an “authorized” app (e.g. especially if you decide to enable accessing a feed outside the app). I’d say the one-time email confirmation / remembered browser would be an okay approach but a better approach would be a full timed token (e.g. Authy / Google Authenticator) code where the user specifies when they need to enter it (e.g. every time or just in replacement of the email confirmation mentioned above for new devices).

Hope this helps. I know it’s much easier said than done but I truly believe due to the sensitive nature of where your cameras are placed (e.g. bedrooms) this is needed. Paired with users having bad passwords and reusing passwords this would go far. Let me know if you want more feedback or have alternative solutions. Thank you!!

6 Likes
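The flow requested in the posts above (2FA challenge only on a device that has not yet passed it, a list of authorized devices, and revocation individually or all at once), sketched as an added example that is not part of the thread and not Wyze's code. The `Account` class, its method names, the status strings and the sample secret are assumptions made for illustration; only the `totp` function follows a published standard (RFC 6238).

```python
import hashlib, hmac, secrets, struct, time

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1), as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side account record with remembered devices."""
    def __init__(self, password: str, totp_secret: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw = self._kdf(password)
        self._secret = totp_secret
        self._devices = {}  # sha256(device token) -> user-visible label

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    @staticmethod
    def _device_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # raw token is never stored

    def login(self, password, device_token=None, otp=None, label="new device", now=None):
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._kdf(password), self._pw):
            return "denied", None
        if device_token and self._device_id(device_token) in self._devices:
            return "ok", device_token          # device already passed 2FA
        if otp is None:
            return "otp_required", None        # password alone is not enough
        # Accept the current and previous 30 s step to tolerate clock skew.
        if not any(hmac.compare_digest(totp(self._secret, now - d).encode(), otp.encode())
                   for d in (0, 30)):
            return "denied", None
        token = secrets.token_urlsafe(32)      # long random secret kept by the device
        self._devices[self._device_id(token)] = label
        return "ok", token

    def devices(self) -> dict:
        return dict(self._devices)             # what a settings page would list

    def revoke(self, device_id=None) -> None:
        """Revoke one device by id, or every device when no id is given."""
        if device_id is None:
            self._devices.clear()
        else:
            self._devices.pop(device_id, None)
```

A leaked password used from an unknown device gets `otp_required` here, and revoking a device forces it back through the challenge on its next login.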

Thank you! This is in line with what I was assuming but it is nice to have confirmation. I had seen some requests for redoing an authentication each time the app was being launched on the device and that seemed overkill to me for a camera application.
Having said that I can see how a FaceId/TouchId/PinCode could be enabled for the application for the “truly paranoid” of us! :slight_smile:

The securing of the mobile application is probably the easiest to create. 2FA on the other hand will need some engineering time to figure out the number of systems impacted and the design to enable that type of feature.

5 Likes

Thanks Frederik. The ability to face/touch/pin ID the app would be good. But I think the bigger concern here is leaked account credentials. In that event, securing the app itself doesn’t help since the bad actor would presumably use your credentials on their own device. However, I understand that 2FA is the more difficult aspect to implement.

Agree. I was just trying to say that securing the app with the FaceId/TouchId/Pin is an easier more reachable task in the short term. The 2FA access will take some time because the solution will have to span through not only Android, iOS for the mobile app but also our web infrastructure and potentially also the forums.
This is not an easy solution and it will need some engineering time and some coordination for the launch.
I also understand that the primary request is 2FA, not the application securing.

4 Likes

Thanks Fredrick. I’m in agreement with Rick. I agree with the shorter term plan and acknowledge the larger (and harder) goal of 2FA across the infrastructure. Please keep us in the loop on progress of both. These are table stakes of protecting privacy for IoT.

2 Likes

For a related topic, see this…

Pin and/or Biometric Lock for Wyze App

Yes… Very Important to also prevent Identity Theft.

Please implement 2-factor! A notification for new logins would be awesome too.

3 Likes

Please don’t add 2FA for every login/app launch. If you do it please only do it for new devices.

1 Like

Agree that we need super security with 2FA as a minimum. You don’t want to see me undressed but you don’t know that–yet.

1 Like

It would be a feature that you have to enable yourself, it wouldn’t be required.

1 Like

It would prevent a bad actor who obtains your login credentials from viewing your cameras on their copy of the app.

2 Likes

Seriously, Wyze… this should be topmost in priority, in my opinion, and here’s why:

IOT is a target in general, and a camera is a sweet target. If you guys get hacked, your credibility goes down the toilet permanently, and your sales will follow. A hack will do irreparable harm to your company’s reputation.

Security first, features second. Features are worthless without security.

It’s simply good business sense to protect your reputation and your customer first.

Please.

7 Likes

Just wanted to put a vote in for token based OTPs vs SMS based OTPs.

3 Likes