2FA=NFW Really?

Mike, this is your first Topic EVER. Wyze 2FA has flushed you out (so to speak!) :wink:

They usually only care when they see dollars disappear from the bottom line. I can tell you that when we’ve even suggested something as minimal as requiring VPN access to their home control systems that the end-users got pissed off and demanded we provide access without the need for them to connect their phone to a VPN.

2 Likes

I understand what you are saying.

All I am trying to do is ensure individuals understand the experience and not assume it is on each camera and that when you live stream you have to enter 2FA all the time, because you don’t.

But I get your point. Thanks for clarifying.

4 Likes

Yep peep, I don’t usually start issues, just chime in after :laughing:

1 Like

Then maybe someone should tell Wyze that – because since yesterday Wyze has been telling us that they ARE GOING TO START REQUIRING 2FA.

Nothing about any option, just the flat statement that 2FA would be R-E-Q-U-I-R-E-D.

You might believe that 2FA is wonderful and painless. That’s fine if you like it.

You might believe that Wyze isn’t stupid enough to try to require 2FA for everyone. That’s fine too, if you happen to be right, but I haven’t seen anyone from Wyze in here denying the notice that they sent out.

Here is a link to what Wyze has put out.

1 Like

The 2FA FAQ has been updated to address customer questions and concerns:

The 2FA Knowledge Article has also been updated.

Security is complicated; there are certainly volumes written about it.
2FA isn’t the magic bullet it was first promoted to be a few years ago. Many early adopters abandoned it after giving it a shot. Not because it didn’t do what it was supposed to, but because it increased the amount of tech support tickets and user complaints, which was really what they were trying to reduce in the first place.
While I’m a bit skeptical of the Wyze statement, I’ll run with it at face value. The first issue is that we, as an industry (Software providers, cart providers, etc.) have tended to move to email as UID. It’s easy and it saves having to remember a user id. The problem is that, for most people, it is a unique identifier akin to your SS number. Bad actors love email logins because they are sooo easy to obtain. You’ll probably notice that most secure logins like banks, insurance, medical, sensitive government sites still use a user ID rather than email. That’s because phishing a user id takes a pretty concerted effort vs email addresses that are widely available on the dark web.
The second problem, which Wyze does mention in their email, is reusing passwords. Reusing a pwd with an email login is a thieves’ dream. Virtually no effort to run it against tens of thousands of sites using a bot. Another issue with that is short limits on password lengths; I’m amazed at how many still have things like 8-16 characters.

A strict 2FA policy requires it each time you access the site. It’s a PITA for the user, but there are sites that require that level of security. Anything shy of that means you are either leaving an app logged in or storing cookies on your device. (There are other ways of doing it, but they open up another can of worms.) It works, but it depends on how well it is done and on users’ individual security settings. Not a great idea to have it, say, on your office computer that you leave logged in whether you are there or not, which is another security risk.

Why am I a bit skeptical? “too many reports lately of login credentials stolen” For several reasons I won’t go into, Wyze isn’t exactly a “high value target”. Too little to gain for the work involved. “Too many” is concerning, as frankly, I’m concerned that the issue may be deeper though it could be due to an extraordinarily high number of lame users. Still concerning.

1 Like

Trust me, I have read complaints and I understand. However, something is better than nothing. Wyze is doing what it can to try and secure the environment.

It really is not a huge undertaking to turn it on.

I think you can type your new number into the box. I got the 2FA popup yesterday on my phone when I opened the app. I went ahead with it and was done in no time. The code also went to my phone almost instantly.
I went to the site to read about it and they said if your email changed just be sure to update it in your account. I remember my phone number was there and I’m pretty sure it gave me the chance to change it. I didn’t take a screenshot though.

Also, they said that the 2FA will only be used on devices other than the website.

This got updated in the new Knowledge Article. Logging into your account through the Website will require 2FA once you have it turned on.

1 Like

For those who would like to watch a YouTube Video on this, here it is - provided by The Net Guy:

3 Likes

Ohhh ok, thanks. Will check it out. I’m wondering why I got the popup on my phone app and many others haven’t.
Update: Ok, I went to the site to log in and it was there. I chose to do it via phone and it took exactly 3 seconds (haha I counted) for it to come in. I logged out and then back in again and didn’t have to do it again.

1 Like

You have 20 years experience but also failed to think about using a 2FA device like a YubiKey, FortiToken or some other external 2FA device.

2fa is a must in this day and age as passwords are so easy to crack now. I see another site almost weekly getting data breaches and the password lists get bigger and bigger.

2fa is good, but I bet most people use their email and have the same password for their email lol

2 Likes

2FA is great for very sensitive accounts but making it mandatory to enable for a Wyze account (even at least once) is just ridiculous. Amazon and Google don’t even make it mandatory.

1 Like

Wait a few years and everything will be 2FA. We are not far off from passwords being totally useless.

A few GPUs, hashcat, some wordlists and rule lists make most passwords useless already. Plus the phishing attempts getting less tech-savvy people are not as good if they have 2FA at least.

3 Likes

N-O-N-S-E-N-S-E-!

Passwords are only easy to crack on systems where the system administrators choose to make them easy to crack.

The solution is NOT 2FA and the solution is NOT requiring long complex passwords that expect the user to type in the password with their left little toe while patting their head and rubbing their belly.

The solution is two steps, both at the server/administrator end:

  1. Force a short delay after an unsuccessful login and a limit on the number of unsuccessful logins.
  2. Stop worrying about trivial systems (such as forums) and idiot users (people who use the same password on more than one non-trivial system).

1 Like
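To make step 1 of that post concrete, here is an added example (not code from this thread, from Wyze, or from any product) of a server-side login guard: every failed attempt doubles the wait before the next attempt is accepted, and once the failure limit is reached the account locks for a fixed period. The `LoginGuard` and `Account` names, the PBKDF2 password store, and the injectable clock are my own constructions for the demonstration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-SHA256: the server stores only salt and hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # earliest clock value at which another try is accepted

class LoginGuard:
    """Hypothetical server-side guard: delay after each failure, lock after too many."""
    def __init__(self, max_failures=5, base_delay=2.0, lockout=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay  # seconds; doubles with every consecutive failure
        self.lockout = lockout        # seconds the account stays locked once the limit is hit
        self.clock = clock            # injectable so the policy can be tested without sleeping
        self.accounts: dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials', 'delayed' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._dummy_salt)  # same cost as a real check, so timing
            return "bad_credentials"                   # does not reveal which usernames exist
        if now < acct.not_before:
            # Still inside the delay or lockout window: refuse without touching the password
            return "locked" if acct.failures >= self.max_failures else "delayed"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures, acct.not_before = 0, 0.0  # success clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.not_before = now + self.lockout
            return "locked"
        acct.not_before = now + self.base_delay * 2 ** (acct.failures - 1)
        return "bad_credentials"
```

The per-account counter is what blunts online guessing; it does nothing for hashes stolen from the server, which is the separate hygiene point raised in the replies.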

It wouldn’t hurt to add due diligence in protecting password hashes (or even plaintext full passwords!) at the server end along with access to same, because let’s face it, that is almost always what gets compromised.

You can’t protect people from themselves. People will use repeat passwords on multiple sites. Sites get hacked and the hashes get extracted.

The ONLY thing that saves them at this point is a crazy long complex password that isn’t worth cracking or 2fa. (I highly recommend 1password)

Hackers go for the low hanging fruit. Lock out periods are good to prevent brute force attacks on the site, but not an end all be all.

I honestly think in a few years if these supercomputers and quantum computing keep evolving passwords will be a thing of the past.

As someone who does password audits and is an I.T. security professional, I can usually crack 1/2 to 3/4 of passwords in a business in a short period. If they use 2FA, those accounts are much more secure. The last one I did I got 1800/3000 in about 2 hours. I could have got more, but that was the low-hanging fruit. Also probably the people that reuse accounts.

There is a reason why domain and system admins use physical 2FA devices these days. You have to be physically at the device for confirmations (YubiKey).

This is Wyze protecting their users and themselves BEFORE breaking news comes about cameras being hacked and people getting information stolen or watched. Now that they do security systems and alarms too, someone can really get screwed over if their account is compromised.

I think email is not good for 2FA because if someone uses the same password on their email it’s totally pointless.

2 Likes

Didn’t realize Wyze offered those as an option.

:face_with_raised_eyebrow:

1 Like