Home Security Cameras From Top Brands Lack Basic Digital Security Measures

Many models don’t offer two-factor authentication or robust privacy policies, Consumer Reports finds

When you shop through retailer links on our site, we may earn affiliate commissions. 100% of the fees we collect are used to support our nonprofit mission. Learn more.

security iStock-1088809018

You buy a security camera to keep your home safe, but is your camera keeping your privacy and data safe? CR’s Digital Lab evaluates digital products and services for how well they protect consumers’ privacy and security.

After six weeks of testing that included evaluating more than 70 privacy and security criteria on 26 cameras, our experts found that nine security-camera brands—Blue by ADT, Canary, D-Link, Eufy, Honeywell Home, Logitech, Toucan, TP-Link, and Zmodo—still lack two-factor authentication, a more stringent security measure than using just a single password to log in.

There’s no good excuse for not offering it. “Two-factor authentication is an easy-to-implement second layer of authentication that, when enabled, can stop some hackers’ attacks immediately, protecting users' accounts,” says Cody Feng, CR's test engineer for privacy and security. Many manufacturers’ privacy policies also do a poor job of detailing exactly how they use the data from their customers’ cameras.

Two-factor authentication helps prevent cameras from being hacked by sending users a temporary, one-time passcode via text message, email, or phone to use in addition to their password for logging into their accounts. It’s a safeguard against credential stuffing, a tactic where hackers use usernames and passwords from data breaches to log into accounts.

More on Security Cameras & Privacy

It’s one of the key safeguards CR looks for in our home security camera tests, in addition to other indicators for privacy and security derived from The Digital Standard, an open-source set of criteria created by CR and other organizations for evaluating digital products and services.

“Unfortunately, many company policies are vague and reserve broad rights to put your data to work for the company's own ends, or they don't have the best security measures in place,” says Justin Brookman, director of privacy and technology policy for Consumer Reports. “Testing helps us shine a light on the companies that do a better job handling customer information, and to call out those whose policies need to change.”

As part of our overall digital privacy and security efforts, Consumer Reports sent a letter to 25 major home security manufacturers back in January recommending specific measures for improving the privacy and security of their products.

In all, we evaluated 26 models in this year’s privacy and data security tests; CR members with digital access can see the results in our wireless security camera ratings.

Two cameras in our tests, the D-Link DCS-2630L and the Guardzilla 360, are no longer supported by their manufacturers. D-Link recommends that owners stop using the camera (if you own the DCS-2630L, you can contact the company by emailing support@dlink.com). Guardzilla recently went out of business and did not respond to our request for more information. Because Guardzilla’s cameras no longer work, we are labeling the Guardzilla 360 camera a CR Don’t Buy.

Tougher Privacy and Security Tests

This year, CR weighed 10 key criteria more heavily than in the past. “We believe these are essential for consumer protection,” says Maria Rerecich, the senior director of product testing at CR.

These security measures include two-factor authentication, automatic software updates, a visual indicator light that lets you know the camera is active, and email notifications for when a user logs in from a new device or IP address.

Many brands do a good job of adopting these security measures, and most earn a Very Good rating for data security in our tests. But there is definitely room for improvement.

For data privacy, we examine privacy policies and other documentation to see whether manufacturers disclose how they collect your data, who they share your data with, whether they attempt to minimize data collection, and whether consumers have a way to request copies of their data or ask for it to be deleted.

“Our evaluation for data privacy leans heavily on companies explicitly stating how they are using, storing, and sharing consumers' data,” says Rerecich. “Since wireless security cameras capture and transmit sensitive data from inside a consumer's home, we have adjusted our scoring methodology to more accurately reflect the shortcomings of these privacy policies.”

As a result of our scoring change, no camera model now receives a data privacy rating higher than Good, which is the middle of our ratings scale.

The Gaps in Two-Factor Authentication

Consumer Reports reached out to the nine brands that don’t offer two-factor authentication and asked if and when they plan to implement it. We received responses from these seven companies:

• Blue by ADT will add multifactor authentication before the end of the year.
• Canary will add it soon.
• D-Link is planning to add the feature to its mobile app before Christmas 2020.
• Eufy is starting to deploy two-factor authentication in the U.S. now.
• Honeywell Home is looking into ways to add it.
• Logitech says the feature is being “actively developed.”
• TP-Link is “targeting” a release for the feature in Q4.

The cameras in our ratings that currently offer two-factor authentication are made by Amazon, Arlo, Blink, Google Nest, Ring, Samsung SmartThings, and Wyze. At the time of our tests, none of the cameras—except Samsung SmartThings—prompted you to enable the security feature. Rather, the feature was buried in the camera app’s settings.

But both Blink and Ring have since made changes to the feature so that now, both, along with Samsung, have two-factor authentication via email by default, which CR would like to see all brands do. Additionally, Samsung is the only company that prompts users to enable two-factor authentication via text message (which we consider better for the user) when they set up a camera.

“We’re glad to see these companies provide an extra layer of protection, and we hope more companies follow their lead,” says Feng.

Though many of the cameras lacked two-factor authentication, most offered a number of the other nine security features we looked for in our tests. As a result, most of the 26 models we evaluated receive a Very Good rating for data security.

There are two standouts: Arlo and, again, Samsung SmartThings. Models from both brands receive an Excellent rating for digital security. Google Nest cameras earn a Very Good rating, a drop from their Excellent rating last year, due to CR’s tougher data security scoring.

Poor Privacy Policies

To evaluate a company’s data privacy practices, we pour over its privacy policy, terms of service, customer FAQs, and other documentation to rate how thorough the company is in disclosing how it uses consumers' data.

“Inscrutable privacy policies are the norm, unfortunately,” says CR's Brookman. “Companies are required by law to have a privacy policy, but the law doesn't really require much in the way of detail or specificity, so a lot of companies try to get away with saying as little as possible.”

We also rate how well companies’ stated privacy policies protect consumers.

Eight companies earned a Good rating, the highest score any company received. Of those, Google Nest stood out for doing the best job disclosing what user data it shares and with whom, though it doesn’t offer good tools for obtaining and deleting your data, nor does it try to minimize data collection.

Top Cameras From CR’s Tests

These are the top six wireless security cameras from our ratings. All offer strong data security and good data privacy, as well as impeccable video quality.

For more ratings and reviews of more models, check our wireless security camera ratings and buying guide.

Clarification: This article has been updated with information about D-Link's plans to implement two-factor authentication and information on brands that have started offering two-factor authentication by default since we conducted our tests.

Home Content Creator Daniel Wroclawski

Daniel Wroclawski

I'm obsessed with smart home tech and channel my obsession into new stories for Consumer Reports. When I'm not writing about products, I spend time either outside hiking and skiing or up in the air in small airplanes. For my latest obsessions, follow me on Facebook and Twitter (@danwroc).