We understand Wyze takes our privacy very seriously and appreciate the detail that has been laid out already on how our cameras are set up on the back end. To further secure this from potentially weak/compromised passwords we need optional 2FA (preferably with an app vs. just SMS). This additional layer will help keep us all feeling safer, keep our cameras private, and keep Wyze out of the headlines. Thank you for addressing.
Moderator Edit: 02/22 - We have completed the requirements and will be working on SMS authentication for the first release. We are aiming to launch this in the next 2-3 versions.
Moderator Edit: Here's the work-in-progress requirements for 2FA based on feedback that we've seen here and on the forums. Feel free to add comments so we can consider your thoughts.
Moderator Edit: Do you use two-factor authentication, where you are asked for an additional verification code as an added layer of security? If yes, which one do you prefer the most and why? Leave your answer in the comments below.
On login attempt on any device (computer or app on the phone) when that device has not already successfully passed 2FA. If a device has already passed 2FA, then redoing the authentication would not be required. There would need to be a page in the user account settings where all previously authorized devices could be reset (either individually or en masse).
Hey. Thanks for the quick response. Taking a step back to think about this holistically, in order to have Wyze be "industry-leading" in terms of privacy I'd propose considering the following:
"Basic" email confirmation when installing Wyze on a second device. Basically, when setting up Wyze the first time, this device is "remembered" and linked to the user's Wyze account. If the user attempts to access their Wyze feed on a different device, they would get an email with a one-time code to "activate" and remember the new device. This would then be saved. (Similar to the second-factor confirmation used by banks/websites, although by device vs. cookies.) This would help if a user's password is compromised and would not sacrifice much user experience, as people are used to this.
Building on this, within the user account, list out which devices are authorized to access the account and build in the ability to revoke a device. This would help provide transparency if an inappropriate device was added, so the user could disable it and change their password.
Within the app itself, have an "advanced security section" where the user can "opt in" to leveraging the phone's Apple Touch ID / Android fingerprint scan each time the user logs in to confirm their identity (this would protect against the phone getting stolen and the Wyze password "remembered" on the phone).
For those truly paranoid, a 2FA challenge question: I could see this as another advanced option, to your point, when the account is accessed from outside of an "authorized" app (e.g. especially if you decide to enable accessing a feed outside the app). I'd say the one-time email confirmation / remembered browser would be an okay approach, but a better approach would be a full timed token (e.g. Authy / Google Authenticator) code where the user specifies when they need to enter it (e.g. every time, or just in replacement of the email confirmation mentioned above for new devices).
Hope this helps. I know it's much easier said than done, but I truly believe that due to the sensitive nature of where your cameras are placed (e.g. bedrooms) this is needed. Paired with users having bad passwords and reusing passwords, this would go far. Let me know if you want more feedback or have alternative solutions. Thank you!!
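As an added example (not part of this thread and not Wyze's code), the device-trust flow proposed in the post above and in the earlier reply about remembered devices, modelled in Python: a login from a remembered device succeeds with the password alone; a login from an unknown device must also present a one-time code that is sent out of band; trusted devices can be listed and revoked individually or en masse; and RFC 6238 TOTP is included for the "timed token" option. All names (AuthService, PendingCode, device_id, etc.) and the constants (10-minute code lifetime, 5 attempts) are assumptions for illustration; the e-mail gateway is replaced by an in-memory outbox, and the password hash is a toy SHA-256 stand-in for a real password hash such as Argon2.

```python
# Added example, not Wyze's code: the device-trust + one-time-code flow proposed in
# the thread, plus RFC 6238 TOTP as the stronger factor. Names and constants are assumed.
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 600   # assumed: an e-mailed code is valid for 10 minutes
OTP_MAX_ATTEMPTS = 5    # assumed: the code is invalidated after 5 wrong guesses


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 8-byte time-step counter, RFC 4226 truncation."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/-window neighbours (clock skew), constant-time compare."""
    now = int(time.time()) if now is None else int(now)
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


def _h(s: str) -> bytes:
    """Toy hash; a real deployment uses Argon2/scrypt for passwords."""
    return hashlib.sha256(s.encode()).digest()


@dataclass
class PendingCode:
    code_hash: bytes          # only the hash of the e-mailed code is stored
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    password_hash: bytes
    trusted_devices: Dict[str, str] = field(default_factory=dict)  # device_id -> label
    pending: Dict[str, PendingCode] = field(default_factory=dict)  # device_id -> code


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for the e-mail gateway

    def register(self, email: str, password: str) -> None:
        self.accounts[email] = Account(password_hash=_h(password))

    def login(self, email: str, password: str, device_id: str,
              now: Optional[float] = None) -> str:
        """Returns 'ok', 'code_sent' or 'denied'. device_id is assumed to be a random
        token the server issued to the app, not a guessable hardware identifier."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct.password_hash, _h(password)):
            return "denied"                       # same answer for an unknown user
        if device_id in acct.trusted_devices:
            return "ok"                           # remembered device: no second step
        code = f"{secrets.randbelow(10 ** 6):06d}"  # new device: password alone is not enough
        acct.pending[device_id] = PendingCode(_h(code), now + OTP_TTL_SECONDS)
        self.outbox.append((email, code))         # would be e-mailed to the account owner
        return "code_sent"

    def confirm_device(self, email: str, device_id: str, code: str,
                       label: str = "unnamed", now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        pend = acct.pending.get(device_id) if acct else None
        if pend is None:
            return False
        pend.attempts += 1
        if now > pend.expires_at or pend.attempts > OTP_MAX_ATTEMPTS:
            del acct.pending[device_id]           # expired or being brute-forced
            return False
        if not hmac.compare_digest(pend.code_hash, _h(code)):
            return False
        del acct.pending[device_id]               # single use: no replay
        acct.trusted_devices[device_id] = label
        return True

    def list_devices(self, email: str) -> Dict[str, str]:
        return dict(self.accounts[email].trusted_devices)

    def revoke_device(self, email: str, device_id: str) -> None:
        self.accounts[email].trusted_devices.pop(device_id, None)

    def revoke_all_devices(self, email: str) -> None:
        self.accounts[email].trusted_devices.clear()
```

The device token is the weak point of this design: whoever holds a trusted device_id gets in with the password alone, so it has to be an unguessable server-issued value and the revocation page has to exist, exactly as the posts above ask for. The code store keeps only a hash, expires the code, counts attempts and deletes it on first success, so a leaked password cannot be turned into account access by replaying or guessing the e-mailed code.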
Thank you! This is in line with what I was assuming, but it is nice to have confirmation. I had seen some requests for redoing the authentication each time the app was launched on the device, and that seemed overkill to me for a camera application.
Having said that, I can see how a Face ID/Touch ID/PIN code could be enabled for the application for the "truly paranoid" of us!
Securing the mobile application is probably the easiest to create. 2FA, on the other hand, will need some engineering time to figure out the number of systems impacted and the design to enable that type of feature.
Thanks Frederik. The ability to Face/Touch/PIN ID the app would be good. But I think the bigger concern here is leaked account credentials. In that event, securing the app itself doesn't help, since the bad actor would presumably use your credentials on their own device. However, I understand that 2FA is the more difficult aspect to implement.
Agree. I was just trying to say that securing the app with Face ID/Touch ID/PIN is an easier, more reachable task in the short term. The 2FA access will take some time because the solution will have to span not only Android and iOS for the mobile app but also our web infrastructure and potentially also the forums.
This is not an easy solution and it will need some engineering time and some coordination for the launch.
I also understand that the primary request is 2FA, not securing the application.
Thanks Fredrick. I'm in agreement with Rick. I agree with the shorter-term plan and acknowledge the larger (and harder) goal of 2FA across the infrastructure. Please keep us in the loop on progress of both. These are table stakes for protecting privacy in IoT.
Seriously, Wyze… this should be topmost in priority, in my opinion, and here's why:
IoT is a target in general, and a camera is a sweet target. If you guys get hacked, your credibility goes down the toilet permanently, and your sales will follow. A hack will do irreparable harm to your company's reputation.
Security first, features second. Features are worthless without security.
It's simply good business sense to protect your reputation and your customers first.