Following scandals involving leaky data and hijacked camera feeds, which the company blamed on its users, Amazon-owned Ring is making two-factor authentication mandatory on its devices. As of this week, users will have to enter a one-time, six-digit code sent via email or SMS any time they log in to their camera feeds. The company is also introducing new controls for what information is shared with third parties.
Two-factor authentication (2FA) was already possible on Ring devices; however, it was opt-in—meaning plenty of folks didn’t take advantage of the additional security. Ultimately, making 2FA mandatory is good for protecting users, even if some people might complain it adds an extra step.
In a blog post, Ring notes that all users—including any Shared Users on an account—will now have to enter a one-time six-digit passcode before the company will grant access to feeds. In December, the company also rolled out security features that alerted users any time a person successfully logged in to an account from a new device or browser. These updates, it says, will also continue.
The company is also rolling out some new tools to help users manage which third parties have access to their data. Ring’s blog describes its third-party partnerships in generous terms—mostly emphasizing that it does not “sell” personal information and that its work with third parties is about “delivering benefits” to users and the “best possible Ring experience.” That said, the new tools are a clear response to the spate of data leaks involving Ring cameras in recent months.
Late last month, the Electronic Frontier Foundation found several third-party trackers in Ring’s Android app, including Facebook. Meanwhile, in December, several news outlets reported thousands of data leaks involving Ring cameras—so much so that some tech review sites revised previously glowing recommendations of Ring’s cameras.
In response, Ring says it’s “temporarily pausing” most of its third-party analytics services in the Ring apps while working on ways to give users a greater ability to opt out. More information regarding that will come out in the spring, the company says. As for a more immediate option, Ring says starting this week, customers can opt out of sharing data for the express purpose of personalized ads, though they “may still see non-personalized Ring ads from time to time.”
Today’s updates are just the latest in Ring’s attempts to get ahead of its privacy problem. A few weeks ago, the company pushed a major app update with better security and privacy features, but it doesn’t change the fact that many of these features should have been built in from the get-go. One thing Ring’s blog also doesn’t mention is how it has hundreds of partnerships with local law enforcement agencies—meaning buying a Ring camera (which you shouldn’t) makes you a de facto cog in the surveillance state via its Neighbors app, which users are automatically enrolled in with no option to opt out. Ring’s security practices have been questionable for a while now, with senators calling for greater scrutiny into the company over its problematic data protection policies.
Mandatory 2FA will begin rolling out today and should reach all Ring customers by the end of the week, according to the company. While the updates are a step in the right direction, they’re also reactionary and arguably too little, too late.