Just a reminder the 2FA change goes into effect tomorrow morning.
Hello Friend,
We’re reaching out to remind you about a very important change happening as part of our commitment to protect your Wyze account. Tomorrow, May 30th, 2024, we’ll be turning on two-factor authentication (2FA) for all Wyze users.
What this means for you:
We recommend setting up 2FA now ahead of the change. If 2FA isn’t enabled by May 30th, 2024, we’ll enable it for you. The default will be for email authentication, but you’ll be able to change it to text (SMS) or app (TOTP) authentication.
What if I don’t have access to the email I signed up with?
If you’re still logged into the app, change your email by following the steps in the support article here. If you can’t log into the app, no worries! You’ll just need to create a new account using an email address and following the steps here.
Why are we making this change?
Password stealing is becoming more common and more sophisticated. 2FA mitigates the risk associated with compromised passwords. This second layer of protection will keep the bad guys from accessing your account.
We made 2FA mandatory for all new users who joined Wyze after December 2022. For users like you who joined Wyze before December 2022, we’ve strongly recommended 2FA with several campaigns, but still see low adoption rates.
Can I disable 2FA?
If you feel strongly about leaving your account unprotected, you can disable 2FA in your account settings after it has been turned on. Please don’t do this, but if you do, make sure you have a very strong password that is not being used for anything else.
Thanks for being a valued part of the Wyze app community!
Honestly, if this is a huge concern, what Wyze can do is update their platform to check every submitted username/password combination in the HIBP service (Have I Been Pwned). If a provided login username/password match that of any known leak, Wyze can simply DENY the user being approved to use that username/password and force them to reset their password to something else.
Basically it would work like this:
Wyze would store passwords securely using a one-way hashing function. This means the original password cannot be retrieved from the hash.
During login, the user-provided password is hashed again and compared with the stored hash.
HIBP integration can happen here. The login system can send the newly generated hash to HIBP to see if it matches a known leak. If it does, Wyze can force them to do a new password that cannot match their previous password(s) or any known to be matching leaked credentials (same username/pw that has been leaked publicly).
That doesn’t solve all credential security issues, of course. There are plenty of new leaks and always some that aren’t public yet, but it will resolve a large amount of credential stuffing issues.
Maybe Wyze already started doing this. I have been seeing a lot of posts lately where people were denied logging in from the Wyze server saying something “seems suspicious” and in some cases, changing the password resolved it.
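The login-time check described in the post above, as an added Python example that is not part of the post and is not Wyze's code. It uses HIBP's Pwned Passwords range API, which receives only the first five hex characters of the password's SHA-1 and covers passwords rather than username/password pairs; `login_decision`, its fail-open choice, the User-Agent string and the sample response are assumptions made for illustration.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex of the plaintext, the form the range API indexes by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range(prefix: str) -> str:
    """Network call: only the first 5 hex characters ever leave the server."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-login-service"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded decoy rows carry a count of 0
    return 0


def login_decision(password_ok: bool, password: str, fetch=fetch_range) -> str:
    """Hypothetical policy: valid credentials with a breached password must reset."""
    if not password_ok:
        return "deny"
    try:
        return "force_reset" if breach_count(password, fetch) > 0 else "allow"
    except OSError:
        return "allow"  # assumption: fail open (and log) if the lookup is down


def constructed_fetch(prefix: str) -> str:
    """Constructed offline response standing in for the API; counts are made up."""
    hit = sha1_hex("password")
    rows = [f"{'0' * 35}:3", f"{'F' * 35}:0"]  # a decoy suffix and a padded row
    if prefix == hit[:5]:
        rows.insert(1, f"{hit[5:]}:1234")
    return "\r\n".join(rows)
```

The check has to run while the plaintext is in memory at login or password change, because a salted hash stored for verification cannot be matched against the SHA-1 corpus.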
I go into the Wyze app up to 30 times a day (my wife similar) as we have 5 cameras that are always pinging me re movement. This 2FA will be an absolute pain. I just won’t be able to use it.
Also, do my approved viewers like my wife also have to use 2FA?
I just turned on 2FA and it went through easily. You are given the option to keep the device logged in for 30 days, so hopefully checking on my various properties won’t be an inconvenience. As said, you can always turn it back off right away. That puts the onus on YOU, and not WYZE for the security of your account.
Only if you don’t have any access to the email your account uses. If the email already listed actually works, then that is where they will send the 2FA codes. If you don’t have access to the email on your account, it would be extremely recommended to change the email anyway so someone else isn’t able to do something with your Wyze account if they are the ones who control that email address now.
I honestly just don’t understand why everyone is requiring this. There are plenty of ways to hijack both a phone number and email address to bypass this and access someone’s account. My dad is 66 and every other week his iPhone says he is logged out of the account and can’t get back in for whatever reason (mostly he forgets the steps). He logs in 100 times a day it seems and now this is just going to make it worse for me to help get him logged back in. Yes… I read you can turn it off but now I have to spend the day setting it up and then trying to turn it back off IF it works because I am only partially sure that the current account was created before the deadline. It’s a mess and this is what strong password requirement is for. I hate this all the way around on every application ever. I deal with this at work with the 2 factor, code authentication, 30, 60 and 90 day password resets with 100 characters needed. I can’t fathom having to do this every 30 days.
I have had 2FA turned on for a long time now, and I have not needed to log in every 30 days. That might just be for the website, or maybe if you go a month or 2 without ever opening the app, IDK…I just know that my app never logs me out every month.
It’s literally the most annoying. I don’t know why it happens on his iPhone 11. I’ve checked everything and read all the FAQs and forums. It also happens to his Nest application where he’s just logged out and has to be logged back in. I’ve turned off anything that restricts background usage or battery life. He logs in daily to check on the dogs at least 1 to 2 times a day so I don’t have any thoughts as to why it logs out. It’s just one more thing I have to fix and 2 factor isn’t always going to work if I’m not at the house to help in person.
Somewhere in the FAQs or this forum for the 2 factor I read something about 30 days verification. I can’t think of where tho.