Two Factor Authentication (2FA)

@ryan1 For the benefit of the devs considering this, could you explain in more detail what you mean by account lockout, how it would work, etc?

1 Like

Account lockout occurs after 3 unsuccessful login attempts to the app or website. Without account lockout a hacker can just run a dictionary hack on any account they want. A dictionary hack tries every single account password possibility given a set of parameters. Account lockout prevents these hacks by locking an account after just 3 tries. Without it enabled a hacker just runs a dictionary hack and it is all automated. Account penetration is gauranteed in just a matter of time, depending on the password complexity. With today’s cpu and gpu processing power an 8 character password can be solved in 24 hours. I am a cybersecurity professional and a dictionary hack can be ran by anyone. It is one of the first methods tested in ethical hacking/penetration testing. Also to the comments on sms 2fa, sms 2fa is WAY more secure than nothing. I would recommend implementing it now. Wyze can always get more robust later. It is never a question if something can be hacked, it is always a question of making it too difficult for the reward of penetration to pay off.

5 Likes

I prefer Authy because it provides standard TOTP with some user-friendliness enhancements on top. Google Authenticator is just standard TOTP with no additions which is just as good security-wise, but Authy adds some handy user-centric things like cross device sync/backup, integrator-optional push notifications to respond to more easily than going through the whole ceremony by hand, etc.

SMS-based 2FA is insecure as well as error-prone so I don’t see any point in adding it. IMHO it introduces more problems than it solves, including promoting a false sense of security confidence among users, and creating room for serious security errors in the development process. 2FA verification is very frequently used as an account lockout recovery option in lieu of email confirmation. Making it possible via SMS makes account hijacking easier than stealing a password. Of course it takes a little money/effort to do so it’s not likely to be a widespread problem, but I’m not interested in security products that only care about protecting “most” users.

P.S. - I actually prefer U2F wherever possible but due to the cost of adoption I’d rather see TOTP implemented first, with U2F added as an enhanced option for the users who have the appropriate hardware.

2 Likes

While any type of 2FA would be fine, Okta integration would be awesome, though I understand for this type of device less people would have Okta than something like google authenticator, or just SMS text.

Are there any talks of a possible two step authentication when login into the camera app ? my concern is hackers… a lot of websites and apps currently allow me to send a text message to my phone with a verification code before i am able to see my information, is there a way to do the same with wyze cam ?

Please see this:

I use DUO mobile for many websites. These cameras definitely need 2 factor authentication or the company will be in trouble as it grows.

Saml auth would be great too. That way we could use azure ad or google auth to secure the login with 2 factor.

Dear Wyze Support, Recently Nest Consumers reported Securiry Breaches of recording from their Cameras. And Nest sent out an email to customers advising them to implement 2-step Authentication, so that no unauthorized users gain access.

So, As being Wyzecam Customer, I don’t see Wyze has no option of 2-step Authentication for the Wyzecam Accounts. I request you to please implement this Security feature as soon as possible for better Wyzecam Account Security.

Thanks - Vijay

1 Like

@UserCustomerGwen Is this feature under serious consideration by Wyze management? If so when can its release be expected?

2 Likes

The tag on this topic says “in-development”, which means Wyze is working on it. When that tag changes to “testing”, then it will be that much closer for release to public. I haven’t heard of a timeline on this feature, yet. I too, would like to see this implemented. :slight_smile:

2 Likes

DreadPirateRush is correct! We are working on it. I’m not sure when it will be ready yet but we are making progress. :slight_smile:

3 Likes

Thanks, right under my nose!

1 Like

Early stages of design and workflow. During the first release, SMS will be used as this is one of the most requested methods. We will evaluate other methods in the future.

6 Likes

Looking good @CaptainMark! Thanks for all the effort you guys are putting in. If possible, please make sure the SMS 2FA you’re implementing can support international numbers. I’m based in South Africa and currently exclusively using imported Wyze Cams. I’d hate to miss out on 2FA even though I understand the cameras are not officially supported outside the States.

1 Like

Checking the associated cost with supporting international numbers, but the current plan is just with US. Will give an update after we have the discussion with dev team

1 Like

Ok looks like we can only handle US and Canada. Do you use Authy or Google Auth? That can serve the need in place of international numbers

4 Likes

Thanks for checking @CaptainMark. I originally voted for Authy (or Google Auth) as they are not region specific. The only difference I can see with using an authenticator app instead of SMS is the backup method would have to be something other than a phone number in the case of international numbers (perhaps email since your SMS provider only supports the USA and Canada). An authenticator app would be my preferred method for 2FA as it also has many security advantages over SMS. I don’t know if your roadmap includes authenticator app support for initial 2FA release?

2 Likes

@CaptainMark posted this yesterday. So yes, it’s being considered for future, but not in first release.

1 Like

Another vote for Duo Mobile (I also use the one built into 1Password). Why tie it to a particular app? If you follow the TOTP RFC (6238) then any of the authenticator apps would work.

2 Likes