denniedegroot / com.ring

Ring for Homey
https://www.athom.com

Ring with MFA #38

Closed BBEHannes closed 4 years ago

BBEHannes commented 4 years ago

Since enabling MFA, every couple of days I am getting MFA requests out of the blue and the Homey Ring app loses connection. Has any testing been done in combination with MFA on Ring?

Thanks!

mruiter commented 4 years ago

MFA does not work with the app.

You will have to disable it. It's bullshit 2, so don't use it 😂


BBEHannes commented 4 years ago

MFA bullshit :)? Nuff said

mruiter commented 4 years ago

It’s the same code, so it doesn’t bring extra security. Only when it’s random token based.

Either disable it or don’t use the app. MFA with a static code that can also be intercepted is bullshit indeed.


Fire69 commented 4 years ago

Either disable it or don’t use the app .

Wow... Maybe you should let Dennie decide if he wants to implement this? By the way, what static code are you talking about?

I enabled it too and the app isn't working anymore. I would very much appreciate it if Dennie would have a look to see if it's possible to implement this.

mruiter commented 4 years ago

Ofc he can decide, also said a few times in older issues just disable it, so I guess that’s a bit of an answer on that.

The API is closed and secret / not shared by Ring. So if they don’t give access to it, how would you suppose to implement the unknown... We could go to church on Sundays and pray 😂


mruiter commented 4 years ago

On the static code part: it’s just a long-lasting token, so it doesn’t bring much.

The API has also been decoded for a bit the last month (at least I saw some code pass). Guess Ring will soon change the code base on MFA again, since it’s secret and they don’t want it out in the open.

You as a user should just not reuse passwords and have one on Ring that isn’t reused on anything else. Then there is no need to have the extra static token.

Real MFA is dynamic and token based, that’s just valid for a short time. Ring MFA is for the stupid that reuse their password everywhere.

BBEHannes commented 4 years ago

Only going to bother once in replying, then I’ll await the app owner’s response;

I genuinely do not care about static/private code or not. One perfect example that already justifies using MFA (for me) is a data breach... which already happened at Ring once in a less harmful way (check your email from this week, for example), where it was suspected to have leaked user data. Remember that these days the code usually isn’t the biggest risk anymore; it is the users, and how careful Ring and its employees are with your data.

So maybe think outside of your box and start to accept that it is not only the code that makes/keeps application use safe. All I can do as a user is make it harder for anyone. MFA already helps a tremendous amount, so your comments sound ridiculous to me. Now I would like to end this discussion here and await Dennie’s response.

mruiter commented 4 years ago

This data breach was about password lists that got used as reference on Ring accounts. So the reused passwords from another company that got hacked were used to test on Ring accounts. So as said, have a unique password for Ring and it will not happen.

As Ring gets hacked by a data breach, they will most likely also have your MFA tokens.


mruiter commented 4 years ago

Also, when Ring sees a lot of users use the MFA from other apps than their certified Ring app, they will change the API again, like a few times in the past, and the app will stop working again for a few months until someone hacks the API again.


denniedegroot commented 4 years ago

MFA will not be implemented by me. There is no documentation and reverse engineering is a lot of work only to be blocked again by Ring. I will look into the issue why devices are not found anymore which is issue #37.

mruiter commented 4 years ago

@BBEHannes and @Fire69

Since you didn’t accept the calling of Ring's MFA bullshit from a security expert like me ....

Here is the report from Motherboard. If you don’t know who that is, google it.

Motherboard confirmed that Ring cameras have shoddy security measures — such as not telling users when other people log in, when the cameras are being actively watched and by using a weak form of two-factor authentication.

BBEHannes commented 4 years ago

People who are self-claimed security experts indeed do not convince me with such answers, sorry for that.

@denniedegroot, thank you for your answer!

mruiter commented 4 years ago

Lol, not self-claimed but largely hired by top companies 😂


Fire69 commented 4 years ago

@BBEHannes and @Fire69

Since you didn’t accept the calling of Ring's MFA bullshit from a security expert like me ....

Here is the report from Motherboard. If you don’t know who that is, google it.

Motherboard confirmed that Ring cameras have shoddy security measures — such as not telling users when other people log in, when the cameras are being actively watched and by using a weak form of two-factor authentication.

Not replying doesn't mean people don't accept your answer. Maybe I just didn't have the time yet?

First, I don't reuse passwords, except for some really unimportant things. Second, whether or not it's safer doesn't really interest me. If it is, great, if it isn't, also ok. I just like it because getting the notification when someone tries to log in is a warning I have to change my password.

mruiter commented 4 years ago

@fire69

I tagged you because you asked what static code. The Motherboard report referred to the MFA static code that isn’t secure at all.


Fire69 commented 4 years ago

@mruiter: Just installed 2.1.4, and I immediately got a mail from Ring reporting a new login. I like that, this is just as good as having MFA. It's about knowing you have to change your password, not about them not being able to get past the MFA.