MOD EDIT: As of 4/24/19, 2FA is now in the app!
MOD EDIT: This is now in early stage testing!
We understand Wyze takes our privacy very seriously and appreciate the detail that has been layed out already on how our camera are setup on the back-end. To further secure this from potentially weak/compromised passwords we need optional 2fa. (Preferably with an app vs. just sms). This additional layer will help keep us all feeling more safe and keep our cameras private and Wyze out of the headlines. Thank you for addressing.
Moderator Edit: 02/22 - We have completed the requirements and will be working on an SMS authentication during the first release. We are aiming to launch this on next 2-3 versions.
Moderator Edit: Here’s the work-in-progress requirements for 2FA based on feedback that we’ve seen here and on the forums. Feel free to add comments so we can consider your thoughts.
Moderator Edit: Do you use two-factor authentication where you are asked additional verification code as an added layer of security? If yes, which one do you prefer the most and why? Leave in comments below.
- Google Authenticator
- Others (leave in comments)
I too feel this is very important to help prevent mischief caused if a member’s password were to be somehow obtained by a bad actor.
Agreed, would feel much safer about using these in the home when this feature gets put in.
Quick question to better understand,where do you see the 2FA challenge to the place? On any login attempt I’m assuming? Not on app launch. Right?
On login attempt on any device (computer or app on the phone) when that device has not already successfully passed 2FA. If a device has already passed 2FA, then re-doing the authentication would not be required. There would need to be a page in the user account settings where all previously authorized devices could be reset (either individually or en-mass).
Hey. Thanks for the quick response. Taking a step back to think about this holistically, in order to have Wyze be “industry-leading” in terms of privacy I’d propose considering the following:
“Basic” email confirmation when installing Wyze on a second device. Basically, when setting up Wyze the first time, this device is “remembered” and linked to the users wyze account. If the user attempts to access their Wyze feed on a different device, they would get an email with a one time code to “activate” and remember the new device. This would then be saved. (Similar to the second factor confirmation used by banks/websites although by device vs cookies) This would help if a users password is compromised and would not sacrifice much user experience as people are used to this
Building on this, within the user account, list out which devices are authorized to access the account and build in the ability to revoke a device. This would help provide transparency of an inappropriate device was added and so the user could disable it and change their password)
within the app itself have an “advanced security section” where the user can “opt in” to leveraging the phone’s apple touch ID / Android finger printscan each time the user logs in to confirm their identity (this would protect against the phone getting stolen and the Wyze password “remembered” on the phone
for those truly paranoid, creating a 2fa challenge question I could see this as another advanced option to your point when the account is accessed primarily for outside of an “authorized” app (e.g. especially if you decide to enable accessing a feed outside the app) I’d say the one time email confirmation / remembered browser would be an okay approach but a better approach would be a full timed token (e.g. authy / Google authenticor) code where the user specifies when they need to enter (e.g. Everytime or just in replacement of the email confirmation mentioned above for new devices)
Hope this helps. I know it’s much easier said than done but I truly believe due to the sensitive nature of where your cameras are place (e.g. bedrooms) this is needed. Paired with users having bad passwords and reusing passwords this would go far. Let me know if you want more feedback or have alternative solutions. Thank you!!
Thank you! This is inline with what I was assuming but it is nice to have confirmation. I had seen some requests for redoing an authentication each time the app was being launched on the device and that seemed overkill to me for a camera application.
Having said that I can see how a FaceId/TouchId/PinCode could be enabled for the application for the “truly paranoid” of us!
The securing of the mobile application is probably the easiest to create. 2FA on the other hand will need some engineering time to figure out the number of systems impacted and the design to enable that type of feature.
Thanks Frederik. The ability to face/touch/pin ID the app would be good. But I think the bigger concern here is leaked account credentials. In that event, securing the app itself doesn’t help since the bad actor would presumably use your credentials on their own device. However, I understand that 2FA is the more difficult aspect to implement.
Agree. I was just trying to say that securing the app with the FaceId/TouchId/Pin is an easier more reachable task in the short term. The 2FA access will take some time because the solution will have to span through not only Android, iOS for the mobile app but also our web infrastructure and potentially also the forums.
This is not an easy solution and it will need some engineering time and some coordination for the launch.
I also understand that the primary request is 2FA, not the application securing.
Thanks Fredrick. I’m in agreement with Rick. I agree with the shorter term plan and acknowledge the larger (and harder) goal of 2fa across the infrastructure. Please keep us in the loop on progress of both. These are tablestakes of protecting privacy for IOT.
Yes… Very Important to also prevent Identity Theft.
Please implement 2-factor! A notification for new logins would be awesome too.
Please don’t make don’t add 2FA for every login/app launch. If you do it please only do it for new devices.
Agree that we need super security with 2FA as a minimum. You don’t want to see me undressed but you don’t know that–yet.
It would be a feature that you have to enable yourself, it wouldn’t be required.
It would prevent a bad actor who obtains your login credentials from viewing your cameras on their copy of the app.
Seriously, Wyze… this should be topmost in priority, in my opinion, and here’s why:
IOT is a target in general, and a camera is a sweet target. If you guys get hacked, your credibility goes down the toilet permanently, and your sales will follow. A hack will do irreparable harm to your company’s reputation.
Security first, features second. Features are worthless without security.
It’s simply good business sense to protect your reputation and your customer first.
Just wanted to put a vote in for token based OTPs vs SMS based OTPs.