Leery of losing microseconds of your life by using two-factor authentication (2FA) to keep your stuff safe from hackers?

Alas for you, but hurray for security. Bit by bit, the Internet of Things (IoT) is getting a wee bit more secure: last week, Google announced that it would soon begin forcing users of its Nest gadgets to use 2FA, and this week, security came knocking for Amazon’s Ring video doorbells.

On Tuesday, Ring president Leila Rouhi said in a blog post that starting immediately, the once-optional authentication is going to be mandatory for all users when they log in to their Ring accounts. That will prevent unauthorised users from getting into Ring accounts, even if they have your username and password.

This makes a ton of sense. Far too many people suffer from the debilitating condition of password-reuse-itis – debilitating to any account that lacks a unique, strong password, that is. As Mr. “I Hacked Disqus/Imgur/Kickstarter” Kyle Milliken advised when he got out of jail in September, he pulled off his crimes by using lists of login credentials, automatically stuffing sites to get control over as many accounts as he could.

By the end of his run, he had acquired 168 million login credentials and had earned around $1.4 million. He cooperated with the FBI, gave up a black hat colleague, and received a 17-month prison term in a federal work camp.

What helped him the most? Password reuse, he said.

We strongly recommend avoiding password reuse, but heaven knows it doesn’t seem to be going anywhere anytime soon. That’s what makes 2FA a good backup: even if your login gets stolen, and even if you’ve reused those credentials, a hacker still has to have access to your second factor – for example, your phone or your email, where you receive a one-time code to plug in as additional authentication – in order to log in to your account.

Every time you want to login to your Ring account, you’ll receive a one-time, six-digit code to verify your login attempt. That also goes for any Shared Users on your account. You’ll be able to choose whether you want to get that code sent to the email address you have listed on your Ring account or as a text message sent to your phone. After you’ve entered the code, you’ll be able to access the app and view footage from your outdoor and indoor cameras.

Besides your main Ring account, you’ll be required to use 2FA to access Ring’s web services and its app. That includes Ring’s Neighbors app, where users can share video footage.

Rouhi says that Ring is also changing how it shares data with third-party providers. The company has already temporarily paused the use of most third-party analytics services in Ring apps and on its site, she said. Plus, starting in early spring (for the Northern Hemisphere), users will be getting additional options to limit the data that’s shared with those third parties. Opting out will be enabled in Ring’s Control Center.

Beginning this week, Ring users will also be able to opt-out of personalised advertising. That doesn’t mean you won’t still see ads, but they won’t be targeted at you. That opt-out choice will also appear in Control Center.

Best practices

Rouhi also passed along this list of security best practices, all of which are good steps for any and all of your accounts, in addition to Ring:

  • Don’t reuse passwords between your various online accounts – instead, generate unique, strong passwords for each account, and if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too.  Watch a video on how to pick a proper password:
    (No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)
  • Keep your phone numbers and email addresses up to date on your various online accounts.
  • Add a PIN or passcode to your smartphone account to help prevent unauthorised changes to your mobile account. You can do this by logging into your mobile phone account or calling your wireless carrier.
  • Upgrade to the latest version of your apps and operating systems, including the latest Ring apps.
  • View and manage your trusted devices in your “Authorised Client Devices” section of Control Center on your Ring app.
  • Add Shared Users to your Ring account instead of sharing your login credentials. You can also view and manage Shared Users in Control Center.

Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.

Sophos Authorised Partner