Securing Alexa

Apr 13, 2021

By Chris Tuzeneu

Whether you’ve received the popular smart speaker as a gift, or decided to jump on the 21st century bandwagon of voice assistant-enhanced life, having an always-on speaker in your home can present some risks. Changing some privacy settings on the speaker, and securing the linked Amazon account, will help mitigate those risks somewhat.

The Basics

There are some security practices that are universal, no matter what product or service you need to protect.

  • Good passwords. A secure password should be, at minimum, 12-14 characters in length, regardless of what the service recommends as a minimum. 8-10 characters just isn’t enough anymore. And you should be using uppercase and lowercase letters, numbers, and special characters while avoiding words you might find in a dictionary. Think “passphrase” instead of “password” and you’ll be on the right track. And don’t reuse a password between any two services, because if one company gets compromised the crooks will try that same email address and password combination anywhere they can. If this sounds impossible to manage, it is. That is where password managers come in. LastPass, KeePass, and Bitwarden are all good password managers that can create and securely store passwords in a vault for you, and automatically fill them in when you need to sign in somewhere. Using a password manager is one of the best things you can do to keep yourself secure online.
  • Multifactor Authentication (MFA). If a bad guy gets your password from a data breach, guessing, or phishing it out of you, your account is theirs – unless you have multifactor authentication enabled. This security control requires a hardware token or one-time passcode in addition to entering a password, and it’s another one of the best possible ways to secure any online account.

The Nuts and Bolts

The first step is to secure your Amazon account. We’ll start by setting up multifactor authentication. If you’re signed in to Amazon, mouse over the “Account and Lists” option from any page, then click “Your Account.”

Go to the “Login & security” section.

If you just started using a password manager and would like to set a more secure password, you can do so in the password area. For setting up MFA, use the “Two-Step Verification (2SV) Settings” section.

 

Your next option will be to choose how the codes are generated. It’s recommended to use an authenticator app rather than the less secure text message option. On your smartphone, download Authy or Duo Security, code generator apps that allow backing up and restoring your accounts if you get a different phone.

You’ll be presented with an enrollment screen like the one above. Using the authenticator app, scan the QR code on the screen and enter the six-digit code into the verification box. This will complete the enrollment and enable MFA for your account. The next time you sign in to your account from a new computer or device, you will be prompted to enter a code with a screen like the one below. Enter the code from your app to complete the login process.

Now that your Amazon account is secure, let’s look at the privacy settings for Alexa on the Echo devices. As part of the setup process, you need to install the Amazon Alexa app from your device’s app store. Open the app and tap the menu at the top of the screen, then choose Settings. Toward the bottom is “Alexa Privacy.”

There are a couple of things you might review here, depending on how long you have used the Echo devices and whether you have attached any Skills to them. But the most important option is “Manage Your Alexa Data.”

Here you can choose how Amazon uses your audio recordings and how long they keep them before deletion. Right now the lowest setting you can pick is 3 months retention of your audio recordings. Turning off the option “Use Voice Recordings to Improve Amazon Services and to Develop New Features” was recommended by several security researchers after recent privacy concerns that employees from third-party companies would actually review and transcribe what you said to your assistant. The option below it is similar, but related to the messages you send and receive using Alexa.

 

Back on the Alexa Privacy screen, going to “Manage Skill Permissions” will show you if any skills (analogous to apps on smartphones) have access to your personal information such as name, address, phone number, email address, payment and location information, and lists you make using Alexa. A spot check of those permissions is in order if you have installed any skills to increase the scope of Alexa’s abilities – as well as its ability to collect your information.
