Ring Finally Rolls Out Mandatory Two-Factor Authentication After Privacy Scandals


Following scandals involving leaky data and hijacked camera feeds, which the company blamed on its users, Amazon-owned Ring is making two-factor authentication mandatory on its devices. As of this week, users will have to input a one-time, six-digit code sent via email or SMS any time they log in to their camera feeds. The company is also introducing new controls for what information is shared with third parties.


Two-factor authentication (2FA) was already possible on Ring devices; however, it was opt-in—meaning plenty of folks didn’t take advantage of the additional security. Ultimately, making 2FA mandatory is good for protecting users, even if some people might complain it adds an extra step.

In a blog post, Ring notes that all users, including any Shared Users on an account, will now have to enter a one-time six-digit passcode before the company will grant access to feeds. In December, the company also rolled out security features that alert users any time a person successfully logs into an account from a new device or browser. These alerts, it says, will also continue.

The company is also rolling out some new tools to help users manage which third parties have access to their data. Ring’s blog describes its third-party partnerships in generous terms, mostly emphasizing that it does not “sell” personal information and that its work with third parties is about “delivering benefits” to users and the “best possible Ring experience.” That said, the new tools are a clear response to the spate of data leaks involving Ring cameras in recent months.

Late last month, the Electronic Frontier Foundation found several third-party trackers in Ring’s Android app, including Facebook. Meanwhile, in December, several news outlets reported thousands of data leaks involving Ring cameras—so much so that some tech review sites revised previously glowing recommendations of Ring’s cameras.

In response, Ring says it’s “temporarily pausing” most of its third-party analytics services in the Ring apps while working on ways to give users a greater ability to opt out. More information regarding that will come out in the spring, the company says. As for a more immediate option, Ring says starting this week, customers can opt out of sharing data for the express purpose of personalized ads, though they “may still see non-personalized Ring ads from time to time.”


Today’s updates are just the latest in Ring’s attempts to get ahead of its privacy problem. A few weeks ago, the company pushed a major app update with better security and privacy features, but it doesn’t change the fact that many of these features should have been built in from the get-go. One thing Ring’s blog also doesn’t mention is that it has hundreds of partnerships with local law enforcement agencies, meaning buying a Ring device (which you shouldn’t) makes you a de facto cog in the surveillance state via its Neighbors app, which users are automatically enrolled in with no option to opt out. Ring’s security practices have been questionable for a while now, with senators calling for greater scrutiny into the company over its problematic data protection policies.

Mandatory 2FA will begin rolling out today and should reach all Ring customers by the end of the week, according to the company. While the updates are a step in the right direction, they’re also reactionary and arguably too little, too late.




So, they are FORCING the silly Nest users to do what they could / should have done from the very beginning?


Always found this or anything as simple as doing two factor authentication or a stronger password ridiculous to call it hacking.

This was a crime of opportunity for slightly smart people (not true hackers) who found this (all over Reddit, Twitter, etc.) and looked in on these cameras.

Always love how the media HYPES the shit out of this or similar and fails to point out that simply using a stronger password or better, two factor authentication (which was already available) would be a simple fix.

People are their own worst enemy.