Roku enforces 2FA following major security incidents
All Roku users now need to authenticate login attempts
Roku is now making its users enable two-factor authentication (2FA), after it suffered two sizeable security breaches recently.
In both incidents, customer data was leaked: first in March, when 15,000 accounts were found for sale on the dark web; whoever bought access to them could have used the payment details stored in those accounts to purchase subscriptions.
Then, earlier in April 2024, Roku suffered another cyberattack, which affected over half a million users. The accounts were attacked using credential stuffing, where hackers try to log in with username-and-password pairs obtained in other breaches, hoping users have reused the same credentials for their Roku accounts.
Extra protection
Users affected by the latter incident were made to change their Roku account passwords. But now, the streaming service is making two-factor authentication mandatory for all users. The change is already taking place, with users being notified via email to set it up.
2FA typically involves having to enter a time-sensitive code - also known as a Time-based One-time Password (TOTP) - after logging in with your username and password. It adds an extra layer of security, to ensure that it is really you, and not a hacker, trying to access your account.
The code is usually delivered to your mobile device, either as an SMS text or generated by a dedicated authenticator app. Such apps produce a constantly refreshing series of codes for each account that has 2FA enabled. The code must be entered on the login page in question before it changes to a new one.
For organizations that want to increase security even further, physical security keys can be used instead. They perform the same task, but carry less risk of compromise than generating codes on a smartphone.
Despite the extra protection, 2FA (and multi-factor authentication (MFA) more generally) is not invulnerable. For instance, SMS is thought to be the least secure delivery method for 2FA codes, since phone numbers can be hijacked by cybercriminals in SIM-swapping scams, allowing them to receive all the messages meant for you.
Cybercriminals can also bombard users with so-called MFA fatigue attacks, where users are prompted to authenticate an illegitimate login attempt, which they accept just to make the notifications stop. These attacks rely on authentication methods that simply ask the user to confirm or deny a login attempt, without needing to input a code.
There have also been reports of hackers stealing session cookies that have already been authenticated by users with MFA, meaning they don't even need to have access to the codes to break into an account.
Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.