Ring is finally requiring a basic security feature to help prevent hacks

Following a spate of customer complaints and lawsuits that claimed Amazon’s Ring home surveillance system left customers vulnerable to hacks, the company announced Tuesday that it’s finally making two-factor authentication mandatory for its devices. Also, following reports that the company’s apps shared personal information with third parties, Ring said it was suspending third-party analytics services and giving customers the ability to opt out of data sharing with advertisers.

Now that Ring is rolling out two-factor authentication for all its apps and web services (including its social media platform Neighbors), customers trying to log into their accounts will get a six-digit code via text or email that they must enter along with their password. This helps prevent hacks from parties who only have the account owner’s password — assuming that the account owners using the authentication-by-email option aren’t using the same password for their email.

Last month, Ring had made two-factor authentication a default setting on new devices, but that didn’t protect its existing customers. Today’s change comes a week after Google announced it will be requiring two-factor authentication for all Nest accounts that aren’t connected to a Google account.

Ring did not respond to Recode’s request for comment on if this recent decision was influenced by Google, but the company did say it was “the next step in a long line of privacy and security updates Ring is making to bring even more transparency, privacy, and control to users via Control Center.”

A Ring spokesperson also told Recode that mandatory two-factor authentication will be rolled out over the next few days, so users may have to wait a little while longer before they are forced to secure their accounts. They must also update their apps to the most recent version.

Here’s what the two-factor login screen will look like, for those of you who didn’t enable it when it was optional. (But you really should have it on every account that offers it. Look how easy it is!):

Recode had previously written about how it was a disservice to Ring’s customers not to make this security measure mandatory, considering how invasive it would be for an unauthorized user to access the company’s devices — which, as several stories and subsequent lawsuits alleged — was a very real possibility. Several Ring customers reported that hackers commandeered their cameras — some of which were inside their homes — and talked to and threatened them through Ring’s two-way remote speaker feature.

While Ring had offered two-factor authentication as an option, that’s not nearly as effective as making it required for users. Studies have shown that people are unlikely to use two-factor authentication when it is offered, and at least one of the parties suing Ring claimed he didn’t know two-factor authentication was even an option.

Ring also announced that it has “temporarily” suspended “most” third-party analytics services in its apps and websites. A recent report from the Electronic Frontier Foundation (EFF) noted that Ring’s app for Android devices sent personally identifiable information about its customers to third-party trackers, including Facebook.

Ring is also offering customers the ability to opt out of having their information shared with advertisers. Platforms like Facebook, Google, and Twitter also allow users to refuse to have their information shared with advertisers. But this does not stop them from collecting that information in the first place.

A representative for the EFF told Recode the group was in favor of Ring’s new policies, but it does not think they go far enough.

“These reforms come after a backlash against Ring for its recklessness in considering security concerns, and did not happen until after customers’ privacy and personal information were compromised,” Matthew Guariglia, a policy analyst at EFF, said. “Making two-factor authentication mandatory and offering more transparency and control over third-party trackers are steps in the right direction. However, we continue to express serious concerns about Ring’s fundamental problems of surveillance and enmeshment with law enforcement that threaten the larger community.”

Users can opt out of data sharing in Ring’s Control Center, which the company introduced a few weeks ago. The control center lets account owners see and manage who has access to their accounts. There is also a section that lets users specify how and when law enforcement can access their Ring footage, including a new option that allows them to opt out of this entirely. Ring’s partnerships with almost 900 police departments across the country have been a major source of controversy for the surveillance product. Users have always had the ability to turn down police requests to see their footage, but now they can opt out of receiving police access requests from the start.

To opt out of third-party data sharing on your Ring app, go to the Menu (tap the three horizontal lines on the top left) > Control Center > Privacy information and control > Third-party service providers > Personalized advertising. Toggle the switch to disable.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.