Ring’s latest security updates are good, but still opt-in

Ring, the video doorbell maker dubbed the “largest civilian surveillance network the U.S. has ever seen,” is rolling out new but long overdue security and privacy features.

The Amazon-owned company’s reputation was bruised after a spate of account breaches in late 2019, in which hackers broke into Ring user accounts and harassed children in their own homes. Then, taking advantage of Ring’s weak security practices, hackers developed bespoke software to brute-force the passwords on Ring accounts, which at this point were only protected by the user’s password. All the while, there were several caches of Ring user passwords floating around the dark web. Ring initially blamed its users for using weak passwords (like “password” and “12345678,” which Ring allowed users to set as passwords), but a couple of months later the company acknowledged its failings by rolling out mandatory two-factor authentication by text message. It was a good start, aimed at making it more difficult — albeit only slightly — to curb the bulk of automated account hijacks.

But now Ring is going a step further by rolling out app-based two-factor authentication, which many companies already offer (and have for some time) as it provides the far more secure delivery of two-factor codes using an encrypted connection, compared to text messages, which are susceptible to interception.

Ring is also enabling CAPTCHA in its apps to add another hurdle aimed at making automated login attempts more difficult by prompting users to prove they aren’t a robot.

Also announced is the launch of video end-to-end encryption, which Ring first rolled out earlier this year as a technical preview. One of Ring’s most flaunted (though highly controversial) features is allowing users to share video footage directly with more than 1,800 local police departments that are partnered with Ring. That said, police with a search warrant can always just demand the footage from Ring instead. Video end-to-end encryption will mean that any video captured from a Ring device can only be accessed by the account owner — and not Ring, or any of its law enforcement partners.

Ring’s CTO Josh Roth said in a blog post that Ring believes that “our customers should control who sees their videos.” If that were true, Ring would have switched on end-to-end encryption to all users, giving every account owner privacy by default. But that would interfere with the company’s efforts to expand its police partnerships, which in turn help to get Ring devices into the hands of local residents.

Compared to past security updates, which didn’t go nearly far enough, Ring’s new features make meaningful changes that give users the choice to make their accounts more secure and their data private. But the keyword there is “choice,” since users will have to opt-in to the new features. That isn’t unusual in itself; companies seldom force security changes on users, fearing that it would add friction to the user experience — though recovering from an account hack because of poor security controls is undoubtedly worse.

Switching to app-based two-factor authentication is easy, just go to Ring’s account settings and switch from codes sent by text message to codes delivered by an authenticator app. We have a whole explainer on why it’s important, why you should use an app and which apps you might want to use.

But the biggest change Ring users can make is to switch on end-to-end encryption on their accounts by going through the advanced settings of Ring’s control center. Switching on end-to-end encryption won’t limit what you can do with your account or stop you from sharing video footage with friends, family or the police, but it will give you peace of mind knowing that you will have control of your data and what you do with it, and not Ring.