I would certainly second this comment. With IoT devices, security must come first. I get all the pump about new products and new integrations (to be fair, I am one of those enthusiasts always looking for new products) but those should take a backseat while security must lead the way. It is a terrifying thing to think when we all have so many cameras around. Watching as Wyze responds to this incident.
Allow 2FA with Yubico
Unfortunately many cell phones do not support NFC. But my next cell phone will have NFC.
Upvoting this so we will have 2FA for Philippine Wyze Cam users.
I am using Wyze Cams in the Philippines and having read the recent news about a possible hack on Wyze Security Systems, I checked whether I have already activated Two-Factor Authentication (2FA) for our installed Wyze security devices. I learned that I cannot input and use a Mobile Number outside the country of USA thus cannot activate the important 2FA feature.
Wyze says they just target the USA market for their product distribution. But Wyze Cams are also for sale internationally and are available in online storefronts like Amazon. Thus, it is unreasonable to exempt countries outside USA from having important security features such as 2FA. Besides, the non-inclusion of a basic security feature included in most modern and professional online systems goes to show that the Wyze software is half-baked and is NOT ready for prime time use. I would not have bought and used Wyze products if I’d known about this beforehand. It is alarming to learn that our home’s security system is not actually that secure.
Kindly include 2FA for countries outside USA (especially for Philippine users) as it would help increase the customer/user’s peace-of-mind. Instead of using SMS for 2FA, I suggest simply using Google Authenticator as it is more flexible and easier to use in my opinion.
Wyze’s authorized resellers only sell to the US. Non-US Amazon storefronts are not authorized resellers. (Even in the US, third-party Amazon sellers aren’t authorized) Wyze doesn’t have any control over this, unfortunately. It’s easy to import products over the internet, so it’s impossible to stop people from doing it. But it’s not part of their business plan at this point, and they don’t offer international support.
Wyze isn’t a home security system.
32 posts were split to a new topic: Security system or not?
I have split the whole discussion of security system or not to a new topic as it is off topic for this wishlist thread. Feel free to continue the discussion over there. This is a topic that tends to get heated. Please keep it civil.
Furthermore, an authentication app like Google Authenticator will enable international users to use 2FA - which is extremely important. While you don’t offer official support for international users, please do bear in mind that we do exist, love the product and this is the only main feature missing for us to recommend it to friends.
Supporting any of these authenticator apps would actually give support for all 3, as the authentication method is based on the same standard.
Reposting from original discussion on 2FA implementation. Note that 69% of the shown votes were for Authy & Google Authenticator, which are compatible products. Only 22% were for SMS:
Regarding your poll, and data in your spec document, a little flawed for data collection. Google Authenticator, Lastpass Authenticator and Authy use similar enrollment methods. Yes, you can integrate with some to push approvals to the device, but all support the same QR code based enrollment to deliver a rolling code back to you.
Better to skip SMS / Email notifications, unless you are looking for a simple checkbox to say you have the feature. They are both clunky, and SMS is insecure. Industry is moving toward token / app code based authentication for a reason. Any way you look at it, placing it as a tier 3 priority is a miscategorization in my opinion.
Honestly, I have to agree with rbruceporter here, the products are being sold outside the US no matter what Wyze’s intentions are, there are no good reasons to use SMS 2FA over app 2FA. And do you seriously believe that when videos from hacked Wyze cam footage starts (maybe) someday leaking onto the Internet that the press/public opinion gives a sh** about the product is only supported in US reason for their product not being secure, I can guarantee you not.
Let’s consider another example. Huawei is a giant company. They’re one of the largest smartphone manufacturers in the world. But they don’t sell phones in the US at all. None of the US carriers sell them, and they’re not available in US stores.
I’m an American. If I want to get my hands on a Huawei phone, it’s not very difficult. I can even get one on Amazon, with Prime shipping. I can jump through hoops to get it working on my American cellular network. But I wouldn’t be shocked at all if certain features are handicapped. I also wouldn’t expect Huawei to expend much effort making sure I have full access to its features, since they don’t serve my market in the first place.
In Wyze’s case, they may also be exposing themselves to EU regulatory issues if they make concerted efforts to cater to international customers.
I have to say that the two excuses about “Wyze not being a security system” and “not officially sold outside the US” are getting a bit old. It is marketed in a way that suggests it’s aimed at security and the fact is that this is ultimately what it is being used for regardless. Implementing 2FA via authenticator apps (Authy, Google, LastPass - they all use the same universal standard) is best practice. Not only is it more secure and more universally supported, it is also the method preferred by polled users prior to introduction of 2FA. It is my hope that Wyze will work on supporting app-based 2FA to ensure peace of mind for all users, regardless of their use case or location.
We’ve got a discussion going in another thread about this topic. But I don’t think I agree re: the way it’s marketed. You can see my reply to a similar comment below:
As for not officially being sold outside of the US, I don’t know everything that goes into those decisions. I know they’ve said they’d like to do that long-term, but that may be a bigger undertaking than you might think. If they cater to non-US customers too much, particularly EU residents, I think they may risk opening up a whole regulatory can of worms they’re not ready for yet.
As for app-based 2FA, they actually just addressed it in the latest update on the security leak thread:
They have said they will be looking into it, if you look at the update from 12/30. I believe the ‘excuse’ that it is not a security system is valid. There are many things keeping it from being one, granted that does not stop people from using it as one. Also valid is the ‘excuse’ that they are not sold outside the US, as WYZE has tried to stop Amazon from selling them outside but they have not complied. Therefore the ‘excuses’ are valid, however I commend WYZE for realizing the need for international security and looking into it now.
Two things in light of recent breach:
Wyze is handling the situation pretty good so far, at least transparency is a good start.
Security now needs to be a priority. Fix 2FA for ALL users!!! Beyond stupid to design security features for U.S. customers only when product is available internationally (via Amazon). Fix ASAP and make adequate design decisions!
My vote for this functionality ASAP. I do not want to use SMS messages or email for 2FA!
Yes for 2FA with Google authenticator Similar. No SMS authenticator.
Currently use Duo and Okta Verify, but Google Authenticator would work.
SMS-based 2FA, although a better option than nothing, still isn’t the best option for 2FA. About a year ago it was exposed that Chinese hackers were able to convince some cell providers that they were the customer and would have a new SIM issued to them or in some cases they got a hacked SIM that would receive texts and calls along with the victim, so the victim never knew. In those cases the hackers would now have access to SMS 2FA codes sent to them, if they tried to reset a password.
Having an app based 2FA is the most secure way to ensure that nothing will happen. App based 2FA can run with apps such as Authy, LastPass Authenticator, Google Authenticator, and Microsoft Authenticator, just to name a few.
If you are for customer privacy and security, please consider adding app based 2FA as an option for those who want to be the most secure.
I want to turn on 2FA and I know you’ve enabled it, but you know that SMS authentication is inherently insecure. Please implement app-based 2FA as soon as possible. This shouldn’t be a “wishlist” item.
here’s further discussion on the topic: