Leery of losing microseconds of your life by using two-factor authentication (2FA) to keep your stuff safe from hackers?
Alas for you, but hurray for security. Bit by bit, the Internet of Things (IoT) is getting a wee bit more secure: last week, Google announced that it would soon begin forcing users of its Nest gadgets to use 2FA, and this week, security came knocking for Amazon’s Ring video doorbells.
On Tuesday, Ring president Leila Rouhi said in a blog post that starting immediately, the once-optional authentication is going to be mandatory for all users when they log in to their Ring accounts. That will prevent unauthorized users from getting into Ring accounts, even if they have your username and password.
This makes a ton of sense. Far too many people suffer from the debilitating condition of password-reuse-itis – debilitating to any account that lacks a unique, strong password, that is. As Mr. “I Hacked Disqus/Imgur/Kickstarter” Kyle Milliken advised when he got out of jail in September, he pulled off his crimes by using lists of login credentials, automatically stuffing sites to get control over as many accounts as he could.
By the end of his run, he had acquired 168 million login credentials and had earned around $1.4 million. He cooperated with the FBI, gave up a black hat colleague, and received a 17-month prison term in a federal work camp.
What helped him the most? Password reuse, he said.
We strongly recommend avoiding password reuse, but heaven knows it doesn’t seem to be going anywhere anytime soon. That’s what makes 2FA a good backup: even if your login gets stolen, and even if you’ve reused those credentials, a hacker still has to have access to your second factor – for example, your phone or your email, where you receive a one-time code to plug in as additional authentication – in order to log in to your account.
Every time you want to login to your Ring account, you’ll receive a one-time, six-digit code to verify your login attempt. That also goes for any Shared Users on your account. You’ll be able to choose whether you want to get that code sent to the email address you have listed on your Ring account or as a text message sent to your phone. After you’ve entered the code, you’ll be able to access the app and view footage from your outdoor and indoor cameras.
Besides your main Ring account, you’ll be required to use 2FA to access Ring’s web services and its app. That includes Ring’s Neighbors app, where users can share video footage.
Rouhi says that Ring is also changing how it shares data with third-party providers. The company has already temporarily paused the use of most third-party analytics services in Ring apps and on its site, she said. Plus, starting in early spring (for the Northern Hemisphere), users will be getting additional options to limit the data that’s shared with those third parties. Opting out will be enabled in Ring’s Control Center.
Beginning this week, Ring users will also be able to opt-out of personalized advertising. That doesn’t mean you won’t still see ads, but they won’t be targeted at you. That opt-out choice will also appear in Control Center.
Best practices
Rouhi also passed along this list of security best practices, all of which are good steps for any and all of your accounts, in addition to Ring:
- Don’t reuse passwords between your various online accounts – instead, generate unique, strong passwords for each account using a password manager.
- Turn on 2FA. If a website gives you the option to turn on two-factor authentication, do that. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:
- Keep your phone numbers and email addresses up to date on your various online accounts.
- Add a PIN or passcode to your smartphone account to help prevent unauthorized changes to your mobile account. You can do this by logging into your mobile phone account or calling your wireless carrier.
- Upgrade to the latest version of your apps and operating systems, including the latest Ring apps.
- View and manage your trusted devices in your “Authorized Client Devices” section of Control Center on your Ring app.
- Add Shared Users to your Ring account instead of sharing your login credentials. You can also view and manage Shared Users in Control Center.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
MrGutts
A international law should be created so that 2FA is the standard for access every where. You wanna open your house 2FA, get in and turn on your car 2FA ( that would cut down on drunk driving ), Posting on Facebook or Twitter requires 2FA for every damn post. 2FA for turning down/up the temperature in your house, the 2FA is your other half for approval.
Mags
Makes Ring useless…. someone comes to your house while you are gone. Ring app comes up. Makes you log in . Then makes you wait for a text to enter that number. Finally you are logged in. By now, the person at the door that you wanted to talk to is long gone. App is worthless. Why penalize those who use strong passwords for those idiots that do not?
Paul Ducklin
I don’t imagine it will make you do 2FA every time you launch the app on an already-authorised device to see who’s at the door. This seems to be when logging into your online account, e.g. to change passwords, adjust configuration settings and so on.
Karl
It does the same on mine. Logged out everytime I try and use the app and the app is already authorised. Just to note I don’t have adguard nor any other as blocking software on my device