I agree, I gave my kids access but they lost it and I need to kick them off my account. How can I do this?
What did they lose?
Change your password. I don’t think it works right away but will eventually.
Short story turned off camera when it wasn’t home and had friends over!
1 Like
This still has not been fixed? I’m frankly disappointed that they have not implemented any sort of security feature that allows this.
If you just change your email address it will log everyone out. If you click on account and then email and hit change email it gives you a warning that it will log everyone out if you change it.
This is absolutely bananas. Not being able to easily invalidate all sessions is, in fact, a huge security flaw.
Saying it’s only a problem if you share your password is absurd— in what universe could anyone assume passwords only get exposed voluntarily? Browsers get compromised, devices get compromised, operating systems get compromized, people get phished, trust gets broken…
It’s a sensitive resource with multiple sessions and long or nonexistent timeout, which is a dumb idea to begin with. Even allowing users to invalidate all sessions when their email address changes is a lame non-solution. How can you confirm it? Does it apply to all versions of the app? Are you sure old versions of the app aren’t using a legacy API to which that doesn’t apply? That users must hunt for workarounds for this base-level security functionality in the first place is beyond daft: it’s irresponsible. Anyone who’s worked with large groups of consumers knows that most users don’t have a bunch of secondary email addresses and most would just shrug their shoulders and move on (while having a compromised security camera) rather than go through the hassle of creating a new one. If you make a security product, it’s not only your job, it’s your moral responsibility to consider these things.
Beyond that, I’ve been a full time software developer working on net-connected services for 11 years and worked in systems administration and upper-level support for 10 years before that. having seen many large-scale authentication systems from big-name vendors right down to roll-your-own solutions, I can definitively say invalidating all sessions should not be a difficult task. The back-end code, including any API changes, database work, and all of that should take at most 3 days for one person— that’s if you triple the amount of time it ‘should’ take for assumed roadblocks. For the front end? Putting a button in someone’s account screen is trivial: even across devices and environments, We’re not talking a about a big UX push, here. Entry on the support site would be about five minutes if needed. It’s intuitive. It’s expected.
People say you can tell how clean a restaurant kitchen is by looking at the bathroom— well that’s also true with features like this. I now have zero faith in the coherence of any other part of their closed-source security infrastructure.
Wish list? If you found out your car’s seatbelts weren’t bolted onto the frame, would you put it on a wish list? No thank you. The entire IoT industry might have come a ways since the days of unupdatable devices running mystery libraries— congrats… you’re no longer distributing a free DDoS tool for criminals. But to make this count for your end users, too, a you need a sane infrastructure and security policy. I should have gone with my gut when I found out how recently they’d implemented 2FA.
Into the trash the camera goes. I wouldn’t give it away for someone to watch their bird feeder with.
1 Like
Please upgrade the change password process to boot out all sessions.
Or also please list all sessions so that certain devices can kicked and forced to login again.
1 Like
FWIW… We’ve only just enacted 2FA on our account and every device (after the device used to enact it) has been logged out and requires a new login. I am certain that there may be cases where this lags at least a bit. I, for one, feel confident that a lag in authentication request will be temporary and innocuous based on network/server conditions. I have been suffering random ‘red lighting’. That may be due to wifi issues in my home, but was still creepy enough that we went to a new random-non sequitur PW and 2 Factor Auth. So far, no further red lights (uninitiated by ourselves) has occurred.
If assumptions bear-this-out over days, it seems that 2FA is a work-around for logging out all OTHER devices.
IT IS INSANE THAT 3 YEARS IN AND WE STILL DON’T HAVE THIS!!!
I got separated a year ago and my spouse STILL has access to my Wyze cam!!
I have removed the camera and disabled my Wyze Plus subscription due to this. I am deeply disappointed by how Wyze treats high-priority issues like this one and how you don’t listen to user feedback for THAT long.
I’m going to leave this review on Amazon, Yelp, Consumer Reports, and Google reviews. The amount of hardship and suffering this has caused me is immense!
Even though there is no way to force logout from all devices, I was under the impression that changing my password would somehow achieve this but NO, Wyze actually use a token to authenticate! Meaning, when a device is once authenticated using username and password, Wyze grants it a “token” that does NOT expire, and it never checks again if the password is still valid. As long as the device has this token, it has access to ALL your cameras.
Plain careless and reckless design. Your services are no longer required Wyze.
@Fly1
I have had the team look into this and we would like you to reset the password with either the iOS or Android app. All other sessions should then expire. If you continue to have problems or have any further questions please contact security@wyze.com.
3 Likes
Log out from all devices option
It would be great if there was an ‘log out from all devices’ option.
[Mod Edit] Merged with an existing wishlist topic. Give it a vote to help it along!
2 Likes
Log out any users on app or devices
Can we get a button to see all devices connected to our account and the option to log them out on the app?
1 Like
Wow. Coming up on 5 years. I forgot I voted for this one.