1. Theme
  2. Technology
  3. Cybersecurity
February 19, 2020updated 16 Jun 2022 11:41am

Amazon Ring doorbells make two-factor authentication mandatory

By Ellen Daniel

Amazon’s Ring doorbell will now require two-factor authentication to improve “privacy, security and control”.

The Ring doorbell is fitted with a camera, a motion sensor and two-way communication, designed to improve home security. However, there have been reports of devices being hacked, presenting a security and privacy risk.

Customers are already offered two-factor authentication (2FA), but it has now been made mandatory.

When users log into their Amazon Ring account, they’ll receive a six-digit verification code, sent via email or SMS, which needs to be entered before accessing their Ring account. Users will now also be notified via email when someone logs into their account.

This comes just days after Google Nest, the company’s smart home products arm, announced it was also making two-factor authentication compulsory.

“The need for a multi-layered approach to identity protection”

It is estimated that by 2025, there will be 75 billion internet connected devices worldwide, but the security of smart devices such as doorbells or home security systems has come under scrutiny after reports that devices could be easily hacked.

This is because many devices come with a default password, which users may not change, or they may use a password that has been used elsewhere, making it possible for attackers to gain access to their account.

Earlier this month, the UK Government’s Department for Digital, Culture, Media & Sport proposed new regulations for IoT devices, including banning factory setting passwords.

Simon Wood, CEO, Ubisecure said:

“The news that Amazon has introduced 2 Factor Authentication (2FA) for its Ring customers is further evidence of the need for a multi-layered approach to identity protection. As smart home technology evolves at a rapid pace, it is now essential that organisations provide consumers with security solutions that can’t be passed onto someone else, guessed by brute-force, or re-used if found on a breached database – which is why many firms are adopting 2FA or Multi-Factor Authentication (MFA).

“When considering implementing MFA or 2FA for customer-facing applications, it’s critical that firms think about the usability. Customers are not employees and will not tolerate systems that present a poor user experience. But a good MFA system can increase both convenience and security, when implemented in the right way.

“To avoid reliance on one sole technique, biometric or device, enabling an open integration platform for 2FA through applications such as the W3C Web Authentication gives users a wide selection of 2FA tools. It gives the ability to register multiple authenticators, as well as to implement so-called ‘username-less authentication’ and ‘passwordless authentication’. Additionally, a proven identity platform is key for guaranteeing different levels of MFA are in place.”

“It can still be compromised”

Last month, the Electronic Frontier Foundation found that Amazon Ring doorbells were providing customer data, such as IP addresses, names and mobile networks to third parties, including Facebook and Google.

The company addressed this, saying that it never sold users’ personal information, but did “occasionally collaborate with third-party service providers that specialise in delivering different benefits”. However, it said that it was temporarily pausing the use of most third-party analytics services while it develops different options for users to limit third-party sharing.

Users can now also opt out of personalised advertising.

Jake Moore, Cybersecurity Specialist at ESET said that although this is a move in the right direction, 2FA does not mean that devices cannot be hacked:

“After all the backlash Ring has received for their privacy and security issues, this is an excellent move and must be commended. Google recently added 2FA as default in Nest and, as in usual fashion, other manufacturers follow suit.

“Making 2FA default adds an extra layer of protection. It must be noted that it can still be compromised, but it is that much harder for a cyber criminal to carry out.

“To go one step further, downloading an authenticator app is even quicker and will remove having to use a mobile phone number, which is where some of the other security issues lie. Once devices like this make it easy to use, security finally becomes convenient.”

Read more: UK government proposes stricter IoT security requirements