Ring to enable 2FA for all user accounts after recent hacks

Google made 2FA mandatory for all Nest users last week.

Security camera vendor Ring announced plans today to forcibly enable two-factor authentication (2FA) for all user accounts.

Prior to today, Ring had provided a 2FA option for account owners, but the feature was not enabled by default, being left at each user's discretion.

The move to make 2FA mandatory comes after a long list of reports about hackers breaching Ring accounts and then spying on users in their homes.

In most cases, hackers used "dictionary" or "credential stuffing" attacks to gain access to Ring accounts that used easy-to-guess passwords, or passwords that have been leaked online during breaches at other services.

Tools to break into Ring accounts have been disseminated online, along with lists of hacked accounts and their passwords.

Some hackers even recorded themselves scaring Ring account owners in their homes, making threats or lewd comments, and then publishing the recordings as part of "podcasts" in a Discord channel.

These hacks have become common since December last year. Ever since they became mainstream, Ring's management has been criticized for not doing enough to secure user accounts.

In December last year, Ring tried to help users by adding "login notifications" for every time someone logged into a Ring account in the hopes that users would spot unauthorized logins. A month later, in January, Ring also added a new control center section where users could see other devices connected to their Ring accounts, and forcibly disconnect devices they believed were operated by hackers. However, both features were dismissed as being insufficient.

Today's move to make 2FA a mandatory feature is a first step in the right direction. The reason is that the first two features were passive protections, allowing users to react following a hack. Today's move is an active protection because 2FA will prevent hackers from accessing Ring accounts in the first place.

"With every login on your Ring account, you'll receive a one-time, six-digit code to verify your login attempt," Ring President Leila Rouhi said today in a blog post announcing the move. "You'll need to enter that code before we will allow access to your Ring account."

Ring's new 2FA rule will start being enforced today, and users will be asked to choose between an email or SMS-based 2FA method the next time they log in.

Ring's move comes after Google made 2FA mandatory for all Nest users last week.

In addition, the Amazon-owned company also announced that, beginning immediately, they are "temporarily pausing the use of most third-party analytics services in the Ring apps" and adding controls to the Ring settings center to let users opt out of sharing their data with third-party service providers for the purpose of receiving personalized ads.
