Completely agree. SMS is only a short term solution with known vulnerabilities. It would be better to develop 2FA with authenticator app support from the start with eyes on long term support for the standard. Also, and I might be wrong, but I’m pretty sure that 2FA through authenticator apps would have lower running costs than having to maintain a service to send SMS tokens to customers.
Personally, I think the fear of using SMS is overblown. The first vulnerability (SIM swap) would be readily detected because your own phone would stop working on your number. The 2nd vulnerability (SMS intercept) would really depend on a very knowledgeable hacker targeting you specifically. For something like cameras, I’m just not worried about this. Having SMS 2FA in place would be so much better than nothing and make it likely that any hacker will pursue an easier target.
The article itself even says:
Remember, using two-factor authentication via SMS is better than leaving 2FA disabled. And it’s probably unlikely that you will become a victim.
I’ve read numerous similar articles warning about the inherent insecurity of SMS and TOTP two-factor authentication, and it all comes down to how much effort is required on the attacker’s part.
With SMS an attacker just needs access to SS7 which can be accessed through a subscription service. Very low effort.
With TOTP an attacker would have to compromise the databases of the 2FA provider which is fairly high effort.
With U2F an attacker needs to steal your physical U2F key, which could be either high or low effort depending on how well you guard your possessions.
Thus my opinion is that SMS is better than nothing and TOTP is preferred. I don’t have a device capable of using U2F so that’s off the table for me.
No argument from me… I voted for SMS so I’m in agreement with you @Loki.
I always use SMS vs nothing if it’s available… in fact, I prefer SMS over 3rd party apps requiring invasive permissions to my devices (not starting a debate - it’s my preference). Yes, yes… I do wear my tin-foil hat when needed
As the articles indicate… there are pros/cons to all methods. I posted them so less tech-savvy members could get more information without having to ask.
Biometric is serving a different purpose. It is protecting access to the mobile app on your existing phone. It would not protect someone from accessing your account from another device.
We are looking at 2FA to protect from someone connecting to your account with your credentials from another device.
Good point. And for the biometric aspect, there’s a separate #roadmap topic for that:
Physical Security Key - Yubikey or Google Security Key would be awesome. This data is highly private and that is the most secure mechanism known to date.
No account lockout is enabled for the app or online login! There is also no 2 factor authentication! The account logins can be bypassed with a dictionary hack. All you need is a target email address which is publicly available information. This needs to be addressed immediately before someone’s live feed is actually hacked. Account lockout and 2FA are minimum cybersecurity requirements in most industries.
@ryan1 For the benefit of the devs considering this, could you explain in more detail what you mean by account lockout, how it would work, etc?
Account lockout occurs after 3 unsuccessful login attempts to the app or website. Without account lockout a hacker can just run a dictionary hack on any account they want. A dictionary hack tries every single account password possibility given a set of parameters. Account lockout prevents these hacks by locking an account after just 3 tries. Without it enabled a hacker just runs a dictionary hack and it is all automated. Account penetration is guaranteed in just a matter of time, depending on the password complexity. With today’s CPU and GPU processing power an 8-character password can be solved in 24 hours. I am a cybersecurity professional and a dictionary hack can be run by anyone. It is one of the first methods tested in ethical hacking/penetration testing. Also to the comments on SMS 2FA, SMS 2FA is WAY more secure than nothing. I would recommend implementing it now. Wyze can always get more robust later. It is never a question if something can be hacked, it is always a question of making it too difficult for the reward of penetration to pay off.
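The lockout rule described in the post above, written out as a small server-side login guard. This is an added example for illustration, not code from Wyze or from anyone in this thread. The 3-attempt threshold comes from the post; the 15-minute lockout window, the sample account and the guessed passwords are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3            # lockout threshold from the post above
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; the post does not specify one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; only the (salt, digest) pair is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LoginGuard:
    """Counts failed logins per account and locks the account after MAX_ATTEMPTS failures."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]],
                 max_attempts: int = MAX_ATTEMPTS, lockout_seconds: int = LOCKOUT_SECONDS):
        self.users = users                  # email -> (salt, digest)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, email: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked". While locked, even the right password is
        refused, which is what stops an automated guessing run from just continuing."""
        now = time.time() if now is None else now
        if now < self.locked_until.get(email, 0.0):
            return "locked"
        record = self.users.get(email)
        # Unknown accounts take the same path and get the same answers, so the
        # response does not reveal whether an email address is registered.
        if record is not None and verify_password(password, *record):
            self.failures[email] = 0
            return "ok"
        count = self.failures.get(email, 0) + 1
        self.failures[email] = count
        if count >= self.max_attempts:
            self.locked_until[email] = now + self.lockout_seconds
            self.failures[email] = 0
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Three wrong guesses lock the account; the right password is refused until the window passes."""
    users = {"alice@example.com": hash_password("correct horse battery")}   # constructed sample account
    guard = LoginGuard(users)
    t0 = 1_700_000_000.0   # fixed clock so the run is reproducible
    return [
        guard.attempt("alice@example.com", "password1", t0),
        guard.attempt("alice@example.com", "password2", t0 + 1),
        guard.attempt("alice@example.com", "password3", t0 + 2),              # third failure -> locked
        guard.attempt("alice@example.com", "correct horse battery", t0 + 3),  # right password, still locked
        guard.attempt("alice@example.com", "correct horse battery", t0 + LOCKOUT_SECONDS + 5),
    ]


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'locked', 'locked', 'ok']
```

Two design points worth noting: the lock is temporary rather than permanent, because a lockout that anyone can trigger with just an email address is also a way to keep the real owner out, so it is normally paired with per-source rate limiting; and the user-facing message for "denied" and "locked" should be the same generic text, so the login form does not tell a guesser which accounts exist or when the lock expires.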
I prefer Authy because it provides standard TOTP with some user-friendliness enhancements on top. Google Authenticator is just standard TOTP with no additions which is just as good security-wise, but Authy adds some handy user-centric things like cross device sync/backup, integrator-optional push notifications to respond to more easily than going through the whole ceremony by hand, etc.
SMS-based 2FA is insecure as well as error-prone so I don’t see any point in adding it. IMHO it introduces more problems than it solves, including promoting a false sense of security confidence among users, and creating room for serious security errors in the development process. 2FA verification is very frequently used as an account lockout recovery option in lieu of email confirmation. Making it possible via SMS makes account hijacking easier than stealing a password. Of course it takes a little money/effort to do so it’s not likely to be a widespread problem, but I’m not interested in security products that only care about protecting “most” users.
P.S. - I actually prefer U2F wherever possible but due to the cost of adoption I’d rather see TOTP implemented first, with U2F added as an enhanced option for the users who have the appropriate hardware.
While any type of 2FA would be fine, Okta integration would be awesome, though I understand for this type of device fewer people would have Okta than something like Google Authenticator, or just SMS text.
Are there any talks of a possible two-step authentication when logging into the camera app? My concern is hackers… a lot of websites and apps currently allow me to send a text message to my phone with a verification code before I am able to see my information. Is there a way to do the same with Wyze Cam?
Please see this:
I use DUO mobile for many websites. These cameras definitely need 2 factor authentication or the company will be in trouble as it grows.
SAML auth would be great too. That way we could use Azure AD or Google auth to secure the login with 2 factor.
Dear Wyze Support, Recently Nest consumers reported security breaches of recordings from their cameras. And Nest sent out an email to customers advising them to implement 2-step authentication, so that no unauthorized users gain access.
So, as a Wyzecam customer, I see that Wyze has no option for 2-step authentication for Wyzecam accounts. I request you to please implement this security feature as soon as possible for better Wyzecam account security.
Thanks - Vijay
@WyzeGwendolyn Is this feature under serious consideration by Wyze management? If so when can its release be expected?
The tag on this topic says “in-development”, which means Wyze is working on it. When that tag changes to “testing”, then it will be that much closer to release to the public. I haven’t heard of a timeline on this feature yet. I, too, would like to see this implemented.
DreadPirateRush is correct! We are working on it. I’m not sure when it will be ready yet but we are making progress.