Mandatory Two-Factor

What the heck!

How will this affect tinycam app access to my cameras?

No way.

I do NOT want to use Two-Factor. I don’t care.

3 Likes

I wonder if this will break the Wyze skill for Alexa also.

Hey, Wyze, DO NOT implement this on users. I have a complex password that I only use for Wyze. If you do this you will break Tinycam access, and possibly other things.

Don’t.

Can we have a Wyze person whose fault this is to chime in?

2 Likes

Per your support article, regarding changing email address:

  • Temporarily lose access to your Wyze Services such as Cam Plus or Wyze Home Monitoring, and your order history.

Define “temporarily”?

2 Likes

Sounds like Wyze has been sued or is about to be sued for something.
2FA isn’t going to help.

Ohhhh, this is new! I just got a Wyze “security” email informing me I’ve just logged into my account. I feel so safe now.

1 Like

Don’t panic guys. From the E-Mail:

If you feel strongly about leaving your account unprotected, you can disable 2FA in your account settings after it has been turned on.

3 Likes

Yeah, but I have a feeling that once they turn it on for everyone it will break something like Tinycam even if you can turn it off again.

Really would like someone from Wyze to clarify, one way or the other.

2 Likes

I’m getting these now also.

Someone from Wyze: Can these emails be turned off?

If not I’m going to create a rule on my email server that immediately deletes them if the subject line, from address, and part of the (my) IP address in the text of the email is a match.

More crap to manage.

Edit. A rule works.

1 Like

I seem to remember that TinyCam supports Wyze 2FA.

1 Like

Just an FYI, I have 2FA and use Alexa. It has not affected the skill at all.

Worst case, you may have to relink the account.

2 Likes

Question, are you logging out of the app nightly or something? Unless I log out, I don’t get these emails until I log on to another device.

1 Like

You are correct. TinyCam does support 2FA so there should be no issue.

I used to use TinyCam with 2FA all the time.

1 Like

Actually, the emails are being generated by logging into anything at wyze.com with a browser. For example, to log in to the Wyze forums here.

FWIW, my browser (Brave) is set to clear all site data when I close a site and/or close the browser. As a general rule I don’t keep cookies on my devices, and don’t need to be “remembered”.

IMO, Wyze has jumped the shark with security theater.

Thanks, was curious on what was different. I let it save the Wyze cookies and not remove those. I do clear most other data. By doing this, I am not presented with a logon process.

1 Like

From what I can tell, the services/subscriptions are linked by the email address as the private key in the database tables. I believe when someone changes their email address, Wyze has to create a new services account and copy the account details to the new email address. I believe this is done by a script. I think some people have had this happen really quickly (within a few minutes). My guess is that it happens no later than overnight as they have their system run scans during downtime like they do for people who upgrade from a single yearly Cam Plus subscription to yearly Cam Unlimited (I believe a script runs at night to cancel the single license and extend the expiration date to ensure people get their money’s worth from the upgrade). I suspect it’s something similar for email changes involving subscriptions.

I think it’s just the increased credential stuffing attacks happening. I see posts in various platforms including Reddit groups, Discord, Twitter, TikTok where people keep recycling credentials and another website/app ends up getting hacked and leaking usernames/passwords, and because they reuse the same credentials here too, when some credential stuffer runs their leaked email/password through Wyze, they inevitably find some accounts using recycled credentials. Now they log into these innocent people’s cameras and record themselves harassing these innocent victims in various ways and post it publicly for various reasons (maybe attention, maybe from an act of vengeance against Wyze, etc). In some cases, the victim might even try to blame Wyze when they’re the ones who recycled their credentials and also left them the same when they leaked from other sites.

2FA DOES totally help with this. With 2FA turned on, if someone recycles their credentials (which people keep doing), credential stuffers can’t log into their account. It will make credential stuffers generally give up on credential-stuffing script attacks against Wyze and go look at doing it to other businesses instead. This will also SIGNIFICANTLY reduce the strain on Wyze servers and security resources.

Credential stuffing attacks are ridiculously easily prevented, but people still recycle credentials out of laziness. This is the easiest solution, and while there may be a little fall-out from people upset that they have to manually opt back out of it, I am sure the overall benefits to them FAR outweigh the negatives they’re going to get from this, particularly since they can just tell the small percentage who vehemently hate the idea of 2FA, that they can just go turn it off again…but they’ll still have gotten 99% of people to use it, and made it not worth credential stuffers’ time to target Wyze instead of another place with a higher rate of success due to no 2FA involved.

So no, I am confident it’s not about a lawsuit. It’s more likely about reducing bad PR from credential-stuffing attacks. There are too many posts from credential stuffers bragging they can log in to people’s accounts, and too many credential stuffing victims that will blame the company when it is totally their fault, or people who read about the incident that panic and think it was Wyze’s fault in some way. Some of them will only hear or remember that “someone got hacked on Wyze again” and not even understand that it’s not Wyze’s fault and that it doesn’t mean their account is at risk (unless they’re also using the same email/password on multiple sites too). Forcing 2FA will definitely help with credential-stuffing secondary PR fallout issues.


As for 3rd party effects of 2FA, as mentioned by others, I can confirm that Tiny Cam supports 2FA. I enabled 2FA over a year ago, and it was a lot more smooth than I thought. Everything still works, including all my 3rd party stuff like Tiny Cam, Home Assistant Wyze integration, Docker Wyze Bridge, Alexa, Google, etc. I only had to enter the 2FA code for Tiny Cam once and never have again. Similarly, it never affects my Wyze app usage. It remembers my device.

I had all of the above worries because when Wyze first developed 2FA a few years ago, I tried it and it caused all sorts of problems. I didn’t like it at all, so I opted back out. So now I was scared to use it again but I was surprised, it’s honestly really been smooth sailing and worked perfectly since I added it last year.

As pointed out above, you can still opt back out if you really want to, but after using this for a year now, I love it and will keep it from now on. It’s not been a bother at all or interfered with any of the things I use (and I use A LOT of 3rd party stuff). So if that is your fear, it doesn’t need to be. You’ll likely have to log back in once you activate it, and even Tiny Cam should prompt you for it. I remember it went pretty easily for me when I turned it on.

I think it’s pretty straightforward, if you really don’t want it, then as soon as it turns on for everyone that day, log in and go turn it back off.

But seriously, it works really well now. I have gone a year on some of these apps/devices without ever having to log in again after the first time, including all my 3rd party access I use. It is no bother to me. I’ve been rather impressed compared to when I tried it when it first launched years earlier.

4 Likes

Wow. That was lengthy.

" I have gone a year on some of these apps/devices without ever having to log in again after the first time,"

Does that go for live view also? I disabled 2FA because it is a pain, logging in 10 times a day.

1 Like

Double Wow. This is a lengthy defense of Wyze and 2FA. I appreciate it. You’re certainly not one of those lazy people. I understand all that. Unfortunately, the 2FA “solution” is just another attempt to compensate for the societal stupidity, laziness and irresponsibility of the few which burdens the many.

1 Like

This might be the most pointless post ever. I did not ask for your suppositions, beliefs, thoughts, or guesses.

I asked Wyze to define “temporarily” as noted in their official documentation.

If you do not have an answer, do not reply.

He really likes to hear himself type.