Securing Alexa

Whether you’ve received the popular smart speaker as a gift, or decided to jump on the 21st century bandwagon of voice assistant-enhanced life, having an always-on speaker in your home can present some risks. Changing some privacy settings on the speaker, and securing the linked Amazon account, will help to mitigate risks.

The Basics

Some security practices are universal, no matter what product or service you need to protect.

  • Good passwords. A secure password should be 12 to 14 characters in length at least, regardless of what the service recommends as a minimum. A password of 8 to 10 characters just isn’t enough anymore. You should also use uppercase and lowercase letters, numbers, and special characters while avoiding words you might find in a dictionary. Think “passphrase” instead of “password,” and you’ll be on the right track. Never reuse a password between any two services, because if one company gets compromised, the crooks will try that same email address and password combination anywhere they can. If all of this seems impossible to manage, it is. That’s what password managers are for. LastPass, KeePass, and Bitwarden are all good password managers that can create and securely store passwords in a vault for you — and then automatically fill them in when you need to sign in somewhere. Using a password manager is one of the best things you can do to keep yourself secure online.
  • Multifactor Authentication (MFA). If a bad guy gets your password from a data breach, by guessing, or by phishing it out of you, your account is theirs – unless you have multifactor authentication enabled. This security control requires a hardware token or a one-time passcode in addition to a password, and it’s another one of the best possible ways to secure any online account.

The Nuts and Bolts

The first step is to secure your Amazon account. We’ll start by setting up multifactor authentication. If you’re signed in to Amazon, mouse over the “Account and Lists” option from any page, then click “Your Account.”

Amazon, Kindle, Echo, Alexa, Dash, Fire and all related logos are trademarks of Amazon, Inc., or its affiliates.

Go to the “Login & security” section.

If you just started using a password manager and would like to set a more secure password, you can do so in the password area. For setting up MFA, use the “Two-Step Verification (2SV) Settings” section.

Your next option will be to choose how the codes are generated. It’s best to use an authenticator app rather than the less-secure text message option. On your smartphone, download Authy or Duo Security, code generator apps that allow backing up and restoring your accounts if you get a different phone.

You’ll see an enrollment screen like the one above. Using the authenticator app, scan the QR code on the screen and enter the six-digit code in the verification box. This will complete the enrollment and enable MFA for your account. The next time you sign in to your account from a new computer or device, you will be prompted to enter a code with a screen like the one below. Enter the code from your app to complete the login process.

Now that your Amazon account is secure, let’s look at the privacy settings for Alexa on the Echo devices. As part of the setup process, you need to install the Amazon Alexa app from your device’s app store. Open the app and tap the menu at the top of the screen, then choose Settings. Toward the bottom is “Alexa Privacy.”


You might want to review a couple of things here, depending on how long you have used the Echo devices and whether you have attached any Skills to them. But the most important option is “Manage Your Alexa Data.”

Here you can choose how Amazon uses your audio recordings and how long they keep them before deletion. Currently, the lowest setting you can pick is three months’ retention of your audio recordings. Turning off the option “Use Voice Recordings to Improve Amazon Services and to Develop New Features” was recommended by several security researchers after recent privacy concerns that employees from third-party companies would actually review and transcribe what you said to your assistant. The option below it is similar, but related to the messages you send and receive using Alexa.

Back on the Alexa Privacy screen, going to “Manage Skill Permissions” will show you if any skills (analogous to apps on smartphones) have access to your personal information such as name, address, phone number, email address, payment and location information, and lists you make using Alexa. Do a spot check of those permissions if you have installed any skills to increase the scope of Alexa’s abilities – or its ability to collect your information.
