As you log in to watch your favorite, binge-worthy Netflix drama, you may have realized that you are now being prompted to prove that you live with the holder of that account by receiving a code, sent via text or email.
This implementation of two-factor authentication (“2FA”) has understandably rubbed some people up the wrong way. However, I firmly believe that it is a step in the right direction, not just for other subscription businesses to follow suit, but good for the digital security of users as a whole.
Addressing the elephant in the room (finally)
Netflix most recently reported nearly 204 million subscribers worldwide. How many of those accounts have passwords shared beyond the household of the person who pays for them is impossible to know for anyone outside, probably, Netflix’s data-science department. But studies over the years have suggested that password freeloaders are likely to number in the millions.
This isn’t just a problem with Netflix. From games to online video and newspapers, media owners and distributors face a constant battle against credential sharing through friends and family.
The issue of password sharing (and consequently revenue leakage for companies) is almost universally down to the classic username and password approach to customer authentication. In addition to passwords being hard to remember and offering a poor user experience, they simply aren’t a secure way of verifying that a customer “is who they say they are”.
The fact that 2FA has been chosen by Netflix as the option to clamp down on password sharing isn’t really a surprise – the logical response from businesses when tightening up on security has been to layer additional “factors” on top of the password. After all, by asking people to validate their identity based on “something they have”, such as entering a one-time passcode sent to their mobile phone or email, it is possible to make the job of hackers much harder.
In the context of Netflix, the effect of this is that, if you are a long way down the chain of a shared username and password and you don’t necessarily know the account holder, you won’t be able to use its services and you’ll be locked out of the account. On paper, it is definitely an improvement on the previous model and will almost certainly lead to the reining in of increasingly uncontrollable chains of password sharing.
Strengthening our digital security
I can sympathise with the hostile reaction to the news. At first glance, it only adds a layer of frustration for the legitimate user and those they are happy sharing their credentials with. Yet there needs to be a balance, and there seems to be a misconception that password sharing, even with people you know well, is not risky. This couldn’t be further from the truth.
For example, while you might have shared your Netflix password with a friend in confidence, this doesn’t mean that they can’t share it with other people too, and those people could share it with others, and so on. You simply can’t control how many people they pass it on to, or how many people those people pass it on to. Before you know it, there could be a chain of more than 10 people who know your password without you knowing.
But it doesn’t stop there. If your password does get shared, even in confidence, users often forget or ignore the fact that they have zero control over the devices of the people they share it with, or over those people’s security posture, let alone what happens if that password gets shared again more broadly. For example, what if they click on a phishing link or open a malware attachment and give cybercriminals access to their devices and stored information? Just one weak link in a password sharing chain can compromise your password.
Going a step further, if a cybercriminal does get hold of your password, credential stuffing allows them to use one password and test it against hundreds of other sites. So, if they have your password – the password that is probably the same across most of your accounts and devices – hackers can potentially get into your other accounts and devices too. Your exposure could quickly and quite easily extend far beyond Netflix.
Ultimately, 2FA and clamping down on password sharing are a small inconvenience and an extra few pounds each month, in exchange for a lot more peace of mind for users when it comes to their digital security.
Why not biometrics?
A question that will linger, though, is whether 2FA goes far enough. Although more secure than the veteran username and password model, 2FA still has obvious security flaws. The weakness with all device-based approaches is that you are not authenticating a specific person; rather, you are allowing whoever has access to a device to authorize the event. For example, someone who knows my PIN can unlock my phone and approve the request in the authenticator app, or they could simply ask the account owner to send them the code if they know them well enough. The reality is that it can’t stop credential sharing entirely.
While not on the immediate horizon, if Netflix and other subscription businesses were to truly wipe out password sharing and secure users’ digital identity, they would most likely opt for a multi-factor authentication (MFA) approach based on biometrics. In other words, rather than asking users to remember a password, biometric identifiers such as a voice print or face print can be stored so the user can be authenticated on any device they’re logging in from. Crucially, credentials can’t be lost, stolen or shared when they are your own face and voice patterns – the legitimate user must actually be present to log in.
In the context of Netflix, this could work by ensuring all members of a household are registered so they can log in by presenting their face or voice in under 30 seconds. Importantly, people outside the household cannot “borrow” a biometric ID, meaning illicit account sharing would be all but eradicated.
While this would almost certainly be a way to truly stamp out password freeloaders, it is unlikely to happen overnight, and there are understandable concerns here. Most notably, there is the prospect of a single, global and commercially driven entity like Netflix having access to its customers’ biometric data.