2FA=NFW Really?

I’ll let you figure out what NFW is; my hint is the last word is “way”.

A camera app requiring 2FA is one of the dumbest ideas I’ve seen in a while. The app needs to have instant access to the cameras, not delayed (more than it can be by traffic and servers) waiting for a text message and entering a code. What type of dev discussion went on that failed to think this through?

If you can’t figure out a way to secure an app on a cell phone without 2FA, you need to hang it up. I don’t have a problem with using it on the website, but when a camera alert took me to the warning screen about future 2FA (which locked up, lol) that’s absurd!

I’m done if that is actually going to be the case.

10 Likes

I have been using 2FA for years now with the Wyze App. When you first start the app, you are prompted for your 2FA; after that, there are no other prompts unless you log out of the app by clicking Sign-out. Shutting the App down does not constitute a log out.

When I click on my Camera to view a Live Stream, it will connect quickly and does not prompt for 2FA during the process.

So there is no delay when turning on 2FA. It simply ensures no one else can install the app and get to your cameras without being authenticated first.

This is something that Wyze has on their support page, here is an image of what it says:

Just to be clear, 2FA is not required every time you click on an event to view or a Live Stream to look at.

6 Likes
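The behaviour described in the post above (second factor checked at sign-in, then a long-lived session until sign-out) can be sketched as follows. This is an added example, not part of the thread and not Wyze's code; `AccountService`, its methods, and the sample credentials are hypothetical, and TOTP (RFC 6238) stands in for the authenticator-app method.

```python
import hashlib, hmac, secrets, struct

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps use."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class AccountService:
    """Hypothetical account back end (assumption; not Wyze's API)."""
    def __init__(self):
        self.users = {}     # user -> (salt, password hash, TOTP secret)
        self.sessions = {}  # session token -> user

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt, secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self.users[user] = (salt, self._hash(password, salt), secret)
        return secret  # handed once to the owner's authenticator app

    def sign_in(self, user, password, code, now):
        # Both factors are checked here, and only here.
        salt, pw_hash, secret = self.users.get(user, (b"", b"", b""))
        pw_ok = hmac.compare_digest(pw_hash, self._hash(password, salt))
        code_ok = any(hmac.compare_digest(code, totp(secret, now - d))
                      for d in (0, 30))  # current + previous step (clock drift)
        if not (pw_ok and code_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def view_stream(self, token, camera):
        # Per-request check: only the session token, no second factor.
        user = self.sessions.get(token)
        return f"{user}/{camera}" if user else None

    def sign_out(self, token):
        self.sessions.pop(token, None)

def demo(now=1_700_000_000):  # constructed timestamp and credentials
    svc = AccountService()
    secret = svc.enroll("owner", "leaked-pw")
    token = svc.sign_in("owner", "leaked-pw", totp(secret, now), now)
    stream = svc.view_stream(token, "doorbell")               # no code prompt
    thief = svc.sign_in("owner", "leaked-pw", "xxxxxx", now)  # password only
    svc.sign_out(token)
    return stream, thief, svc.view_stream(token, "doorbell")
```

`demo()` returns the owner's stream, then `None` for a sign-in that has the leaked password but no valid code, then `None` for the old token after sign-out.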

Not using 2FA. I haven’t logged out of the app on three different devices for… at LEAST six months. I wonder if using 2FA will require a more frequent authentication ‘refresh’ (log-out/in.)

1 Like

Nope, unless I logout, it actually functions as if you did not have 2FA. It is actually protecting the App and by Proxy the Cameras then. No one can log into your App without 2FA.

Try it, but save the Backup Auth-Code in case of any issues.

Like I said, I have been using it for years without issue. Knock on Wood

4 Likes

It’s still stupid to require users to use it…just as it is stupid to require secure access points in order to connect a camera to the network. There are many situations where a secure network is not needed and the decision should be left to the end-user and not the manufacturer. They are trying to make the security of their products idiot proof while, at the same time, are assuming all of their customers are idiots. I was an early adopter to Wyze, have many of their cameras, and their doorbell, but this decision (along with their decision to abandon and not include RTSP as a standard feature) has me looking for alternatives to replace my cameras. RTSP is a standard feature in even the most secure cameras available on the market.

5 Likes

Well, then I’ll withdraw my objection if that is the case. :smiley:

I was annoyed this morning since the alert came to my watch. I dismiss most of them since they aren’t of concern, but this one was real. Hit “show on phone” and get the 2FA warning (not the one above) popup with a spinner and had to shut down the app to get out of it. By then, the doorbell alert was useless.

They should clear up their messaging so it reads as you explained vs just saying “when you login”…

1 Like

I hear what you are saying, but don’t share your sentiment. My Wife’s identity was almost stolen, thankfully we were able to get it resolved. 2FA is a safeguard and by no means is Wyze indicating that us customers are idiots. But you have to remember, currently most of the products use the cloud, so securing the app is a step to ensuring a secured environment.

I have been using 2FA since release and have not had an issue. In reality, you set it up, start the app, put it in and you are done. You are not prompted going forward from the app. On a browser you are, when you log on.

Personally, I err on the side of caution in these cases.

2 Likes

Yea, I understand the concern everyone has, especially if I have to use it every time I start the app, but that is not the case. Trust me, I set it and then was never prompted for about a year, I had to enter it again when I logged out of the app and then back in. But that is it.

1 Like

I’ve had my identity stolen, too, and use 2FA for accounts I find it necessary to use it with. An app that gives one access to “smart” devices is not one of those accounts.

Trust me, I understand what you are saying.

I constantly read about people within other smart environments (I have had many :slight_smile: ) stating that someone is controlling lights, thermostats, alarms, etc. Those individuals did not secure their apps and someone hacked the credentials and was able to do what they wanted.

So what is worse, turning it on and forgetting about it, or going through a situation like this and having to deal with it.

Like I said, I respect your decision, and everyone has to make their own.

3 Likes

And if you were using the SMS method and your phone number had changed during that year, you would forever lose access to your Wyze account.

This should be a valuable option, not a requirement.

4 Likes

Cannot speak to that as I never use the SMS method when I can use an Authentication App. Phone devices are too easily spoofed so your Texts / SMS can go to other devices. So I avoid those.

Have you had an issue where your phone number changed and your account was lost? Curious as this is something which should be reported if it has not.

Also, with SMS, does it provide a backup Auth Code like what is provided for the app?

EDIT

I will test this later today as I have a test account I will be securing soon.

1 Like

Someone explain how Multifactor Auth works as a security measure when a person who has my phone, gets past my Bio/password, is now logged into my phone, can launch the app, gets either the app code or text on the same device? (Note, as mentioned before in this thread, SMS/IMEI can be easily spoofed, Please use an app.)
MFA is supposed to be something you know and something you have that is external to what is trying to authenticate.
This looks like a “feel good” and not real security! This is coming from someone with over 20 years doing IT security though.

1 Like

No, I’m simply repeating what the current Wyze 2FA FAQ page details.

I don’t have 2FA on Wyze. I have had endless issues with 2FA on work and personal apps and web sites and devices. It’s very much a necessary - when actually NECESSARY (hint: not necessary for monitoring the street or a hamster cage) - evil.

2 Likes

My identity was stolen in a data breach and neither abuse of it required a login. Sure, there are still some lax admins who maintain uid/pwd in text or poorly hashed. And never, ever, ever reuse passwords or use slight variations is the golden rule.

But I did in my earlier reply admit I was wrong in my interpretation of how it was going to be used. I based it on many secure apps that do log you out when you close the app, which is protecting against someone with unauthorized access to your phone; which 2FA does nothing for. :slight_smile:

My apologies for my incorrect assumption

1 Like

It doesn’t. Getting past phone auth isn’t easy but, it sure could happen.

2FA prevents someone from getting your password from, say a breach, and then using it on their own phone app. Don’t reuse passwords for sure.

Wyze is, to some extent, a security system so there is a potential for illegal gain if someone gets access.

Sorry, I have to ask: “Phone devices are too easily spoofed so your Texts / SMS can go to other devices”
Beyond TV and Movies, that’s a pretty substantial hack to redirect a server connection to the SMS provider to change the phone number??

Two main ways. One is “social engineering” - calling your phone provider and tricking them into porting your phone number. The other is SIM cloning or forwarding your number via similar lies.

Both are pretty unlikely unless someone is specifically out to get you and willing to pay for it.

I constantly read about people within other smart environments (I have had many :slight_smile: ) stating that someone is controlling lights, thermostats, alarms, etc. Those individuals did not secure their apps and someone hacked the credentials and was able to do what they wanted.

I’ve been in the industry for 22 years and the only way that would happen would be if the system is garbage. Back in the day we used to forward ports to give end-users remote access to their home control systems and, even when people or bots found the ports, they still couldn’t control anything. All they could do was see the command prompt for the processor and attempt to access it. It didn’t become a real issue until about 10 years ago when bots started attacking the ports and figured out how to load into the file system. Since then we secure the system via SSH and have had zero issues since. These systems are being run in the largest residences and businesses in the world and guess what…no 2FA/MFA. 2FA/MFA isn’t even an option for those systems…but I guess a manufacturer of the most inexpensive IP cameras and bathroom scales knows a lot more than a multi billion dollar control system manufacturer…right?

4 Likes

Wouldn’t an oversight like this disqualify a young company (Wyze) from receiving $100M from its venture angels? I mean aren’t these angels the ones living in the largest residences in the world? :wink:

1 Like