Never said they did. Was just giving examples of why 2fa matters.
Are these server login hardware token devices, much like a CAC, implemented and required by the site for secure login? Or can these be installed and employed by the individual on a local device for either device login or configured for specified app access?
I have considered NFC or Bluetooth Token devices, but never did the deep dive on customization ability or pulled the trigger to try one.
Here is a question for discussion for the Cyber Security folks in this thread.
Many of my finance, banking, and benefits sites require 2FA to login. However most of those have Biometric login capabilities that will meet their security requirements rather than 2FA.
I use my fingerprint for nearly all my banking and finance sites without the need for any 2FA.
Where does the use of Biometrics fall on the security scale in relation to the Authenticator App, SMS, and Email 2FA Wyze is requiring?
Is this a viable alternative to the 2FA?
The request for Biometric Login has been on the Wishlist for nearly 2½ years with only 13 votes.
The problem is that security is only as good as the users, both external and, more importantly, internal.
Against high-value targets, BFAs and Distributed BFAs are really easy to prevent using a good firewall/server combination. It’s a minimal amount of code on a server.
The internal errors are what cause the most damaging data breaches. Some of these have given up the “keys to the kingdom”, as Kevin Mitnick puts it. No security on the user side can override that type of hack. Well, none widely available beyond very high security sites.
My start of this thread wasn’t intended to bash 2FA, just to question its use as it appeared in the email from Wyze. Coupled with two doorbell alerts that failed to allow me to see them on the app, which is probably not related to 2FA but I got the 2FA popup as the app locked up.
They didn’t… Or at least they didn’t mention it until people started screaming about being forced to use 2FA
Biometric login is 2FA (typically). Your password (what you know) is the first factor and your print (what you have / are) is the second factor.
Understood, the password is what I have to use for initial entry when I turn on biometric fingerprint. However for any entry to that app after logging out, I only provide the one fingerprint, no user\pass. It then uses the embedded fingerprint verification stored on my phone as the single verification of identity. I don’t have to provide my User\Pass again unless I choose to log in without fingerprint, in which case it defaults to SMS 2FA without ANY choice of opting out.
I was just curious to get a comparison of where it ranked in the “How secure is it?” scale next to email, SMS and Authenticator 2FA.
I use a yubikey for many things. They can plug into your phone or pc USB port.
Check out their integrations and sites they work with. You can unplug it for extra security, or even leave it plugged in. You NEED this in the computer/phone you are logging in with. There is another version you have to physically touch when it asks. If someone used your credentials, they would have to touch the device in your possession.
Biometrics are very secure, as really are most all device level security features. Unless you have some unique situation, breaking into a secure device isn’t easy and not worth the effort. As mentioned in other posts, if you’re successfully phished or smished, all bets are off regardless of the device.
My only issue with biometrics is that they are as good as the reader. For whatever reason, my fingerprints suck; maybe too much time on a keyboard? It took multiple tries for a sheriff to get a good set for a background check on a high level reader. But that’s probably not most people.
The problem is the concept of what security is appropriate to the situation. On some of my apps, if my phone is logged in and attached to me, I don’t want any auth scheme. Getting an important alert while, say, driving needs to be instantly available without jacking around with a password or bio auth. My phone has no issues with that since it is within my vehicle and either on my body or within feet of my watch.
The second potential issue is where a company, like Wyze for example, draws the security line. They use an SSO for login to this forum. Depending on time and what side of the bed I got out of, I might blow off an email to a discussion to do a 2FA. Sometimes you just want to see something quick and could be multi-tasking. My default “forum” type passwords are deliberately crap. They won’t give a clue about my real password set used for important things or 2FA credentials. (2FA using SMS means your phone number must be stored by the provider).
Security is a two-sided proposition between the provider and the user. The user operates at their own risk, based on their actions. Like many things in life.
I believe it is still behaving as a second factor in your case. The first factor, your application userid and password, are probably being cached for you (or represented by an authorized token) just as they usually are for most apps, from Instagram to Wyze et al.
[Mod Edit]. It has nothing to do with securing the app, it’s about securing an account that may have intimate view of your house.
MOD NOTE: Post edited to conform to the Community Guidelines.
Actually it seems to be more of a feel-good “Do Something” for the developers to forestall complaints from people who use the same password on multiple sites when one of those other sites is compromised and then whoever compromised the other site somehow guesses that one of the thousands of credentials they downloaded just might randomly work on Wyze.
2FA is already available for anyone who thinks they need it. This entire firestorm is about Wyze announcing that they are about to force everyone to use 2FA regardless of need or desire.
Hmm. If you’re securing an account that has intimate access to your house, you may want to rethink the strategy of using $30 WiFi cams.
These cams are very low value hacking targets; almost zero. @t.currie has it right. It’s a feel-good move to say you did something to protect idiots from themselves. If we take the email at face value, and I have no reason not to, we’re trying to fix users who either use Password123 as their password or reuse the same login for multiple sites. I literally knew a guy who was using his banking password on a chat site. Yep, sure, why not? And many “support calls” from a panicked user “somebody hacked my account and changed stuff”. Uh-oh, “I show you were on from your phone last Friday and made changes?” Silence. “ok, have a nice day!”
It’s easy to secure an app, even the website, without 2FA. Heck, easy to do without a password even. The pwd really only protects against unauthorized access to your device; which 2FA doesn’t do at all. @t.currie is also right, you give the option and then let the adults make their own decision.
Account security is like wearing a condom. There are times it’s perfectly ok not to use one, times when there may be a slight risk of an inconvenience, and times when not using one will cause a major life-changing effect with long term financial and lifestyle issues. Years ago I dropped a browser that the authors decided they needed to protect users from themselves. Except it also blocked me from doing what I needed to do without options. Let me decide.
I am of the mindset that idiots need to be protected from themselves because in turn, their idiocy may someday turn out to affect me. I say yay to 2FA. It’s just another 2FA added to the list of other 2FA enabled sites. At least people can keep their dumb and easy to use passwords! It’s better than no 2FA and a complex password, IMO.
It’s not hard.
Sorry @Mods , I got a little spicy there.
I’m on Quora occasionally. That’s “spicy” or it’s amazing what doesn’t violate their BNBR.
I don’t really have an issue with it in the app as explained somewhere in this chain; use 2FA once in the app and leave me alone for a long time.
It could make a difference here, where I get an email from the forum and depending on which computer/browser/settings I’m using, it may require a re-login. I might file it in the “I’ll get back to it later” (which often means never) category.
The other issue JeFizz is you can’t protect most of the idiots.
Quick example. Go to www.wysecam.com Ok, need username and password. Oops, MFA needed, we sent you a code via your registered text/email. Enter it here… Press submit.
You just got phished and lost access to your account. And used the wyze server to do it. Just that easy
Edit: I was going to give points if you could answer as to why the above is true, but I’m hoping with this group, you would all get it right
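Why the lookalike-domain scenario above captures a texted or emailed code but not a hardware key like the YubiKey mentioned earlier, as an added illustration that is not from the thread or from Wyze: the one-time code carries no information about where it was typed, while a FIDO-style assertion signs the origin the browser saw, so the real site rejects one produced on the wrong domain. The origin, challenge and device secret are constructed, and an HMAC stands in for the key's public-key signature.

```python
import hmac, hashlib, json

RP_ORIGIN = "https://www.wyze.com"        # assumed legitimate origin (constructed)
TOKEN_SECRET = b"constructed-device-secret"  # stands in for the hardware key's private key

def totp_code(secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238 style 6-digit code. Nothing in the code says which site it was typed into."""
    counter = (t // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def rp_verify_totp(secret: bytes, code: str, t: int) -> bool:
    """The real server only checks the digits, so a code relayed from a lookalike page verifies."""
    return hmac.compare_digest(totp_code(secret, t), code)

def token_sign(secret: bytes, challenge: str, origin: str) -> dict:
    """Simplified FIDO assertion: the browser, not the user, supplies the origin, and it is signed."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(secret, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def rp_verify_assertion(secret: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Reject unless origin and challenge match and the signature covers them."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(secret, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])

def demo() -> tuple:
    t = 1_700_000_000
    code = totp_code(TOKEN_SECRET, t)              # user reads this from SMS/email/app...
    relayed_ok = rp_verify_totp(TOKEN_SECRET, code, t)  # ...and the server cannot tell where it was typed
    challenge = "constructed-challenge-123"
    genuine = token_sign(TOKEN_SECRET, challenge, RP_ORIGIN)
    lookalike = token_sign(TOKEN_SECRET, challenge, "https://www.wysecam.com")
    return (relayed_ok,
            rp_verify_assertion(TOKEN_SECRET, genuine, challenge),
            rp_verify_assertion(TOKEN_SECRET, lookalike, challenge))

if __name__ == "__main__":
    print(demo())  # relayed code accepted, genuine assertion accepted, lookalike assertion rejected
```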
On Quora, who you are is the primary factor in BNBR; who happens to feel like playing “moderator” is the second factor; what you actually wrote comes in not higher than tenth on the list.
I have tried using 2 factor in the past and stopped using it because it made using TinyCam Pro painfully annoying. Having to constantly re-authorize each camera made the app useless and without TinyCam Pro the Wyze cameras are not very appealing. The web interface is inconsistent and the Android app has a poorly designed multiple camera view. Until those 2 interfaces are fixed forcing people to use 2 factor will cripple 3rd party applications unless they institute some sort of one time authentication from an unrecognized device.
Think of 2FA as locking your car door in a bad neighborhood, as the internet is now a bad neighborhood. Once bad actors are in your car, they can drive to your home and open the garage door. Similarly, if the Wyze app is hacked and replaced with malware, they can use your credential to access the Wyze cloud thus impacting other customers. Do you want a camera app to broadcast your video to the world or not?