It was long overdue, but Netflix has finally started to explore ways to address its password problem. By prompting viewers to prove that they live with the holder of that account by receiving a code, sent via text or email, they are hoping to weed out password freeloaders who, let’s face it, are probably costing Netflix millions of dollars each year.
The issue of password sharing, which isn’t just a Netflix problem, is almost universally down to the classic username and password approach to customer authentication. In addition to passwords being hard to remember and offering a poor user experience, they simply aren’t a secure way of verifying that a customer “is who they say they are”.
This implementation of two-factor authentication (“2FA”) is just one of the many ways to address this problem, but it has understandably left many users worried, such as families that live in separate households that share one account. However, I firmly believe that it is a step in the right direction, not just for other subscription businesses to follow suit, but good for the digital security of users as a whole.
What’s special about 2FA?
The fact that 2FA has been chosen by Netflix as the option to clamp down on password sharing isn’t really a surprise – the logical response from businesses when tightening up on security has been to layer additional “factors” on top of the password. After all, by asking people to validate their identity based on “something they have”, such as entering a one-time passcode sent to their mobile phone or email, it is possible to make the job of hackers much harder.
In the context of Netflix, the effect of this is that, if you are a long way down the chain of a shared username and password and you don’t necessarily know the account holder, you won’t be able to use its services and you’ll be locked out of the account.
On paper, it is definitely an improvement of the previous model and will almost certainly lead to the reigning in of increasingly uncontrollable chains of password sharing.
Why users ought to be pleased
I can sympathise with the hostile reaction to the news. At a first glance, it only adds a layer of frustration for the legitimate user and those that they are happy sharing their credentials with. Yet, there needs to be a balance and there seems to be a misconception that password sharing, even with people you know well, is not risky. This couldn’t be further from the truth.
For example, while you might have shared your Netflix password with a friend in confidence, this doesn’t mean that they can’t share this with other people too. And those people could possibly share with others, and so on. You simply can’t control how many people they then share it with, and how many people those people share it with. Before you know it, there could be a chain of more than 10 people that know your password without you knowing.
But it doesn’t stop there. If your password does get shared, even if you do it in confidence, users often forget or ignore the fact they have zero control over the devices of the users they share their password with and their security posture, let alone if that password gets shared again more broadly. For example, what if they click on a phishing link or open a malware attachment and give cybercriminals access to their devices and stored information? Just one weak link in a password sharing chain can comprise your password.
Going a step further, if a cybercriminal does get hold of your password, credential stuffing allows them to use one password and test it against hundreds of other sites. So, if they have your password – the password that is probably the same across most of your accounts and devices – hackers can potentially get into your other accounts and devices too. Your exposure could quickly and quite easily extend far beyond Netflix.
Ultimately, 2FA and clamping down on password sharing is a small inconvenience and an extra few pounds each month, for a lot more peace of mind for users when it comes to their digital security.
A step closer to biometrics?
A question that will linger though is whether 2FA goes far enough. Although more secure than the veteran username and password model, 2FA still has obvious security flaws. The weakness with all device-based approaches is that you are not authenticating a specific person, rather you are allowing whoever has access to a device to authorize the event. For example, if someone gets my PIN and “unlocks” the authorization, they could circumvent an authenticator app on my phone with a PIN. The reality is that it can’t stop credential sharing entirely.
While not on the immediate horizon, if Netflix and other subscription businesses were to truly wipe out password sharing and secure users’ digital identity, they would most likely opt for a multi-factor authentication (MFA) approach based on biometrics. In other words, rather than asking users to remember a password, biometric identifiers such as a voice and face print can be stored so the user can be authenticated on any device they’re logging in from. Crucially, credentials can’t be lost, stolen or shared when they are your own face and voice patterns – the legitimate user must actually be present to log in.
In the context of Netflix, this could work by ensuring all members of a household are registered so they can log in by presenting their face or voice in under 30 seconds. Importantly, people outside the household cannot “borrow” a biometric ID, meaning illicit account sharing would be all but eradicated.
Yet, there are understandable concerns here despite it being the most obvious way to stamp out freeloaders entirely. Most notably, the prospect of a single, global and commercially driven entity like Netflix having access to its customers’ biometric data is of particular concern.
Whether other subscription services will follow in the footsteps of Netflix isn’t too relevant, but it’s clear that there does need to be a simple, secure and privacy preserving solution to the password sharing pandemic.
Contributed by Andersen Cheng, CEO and founder, Nomidio
The post Netflix password crackdown: why users should be arguing for stronger measures appeared first on IT Security Guru.