By Nelson Santini, BSI
Depending on where you live, Netflix has either changed, or is about to change the password sharing rules of your service plan. In summary, Netflix “just said NO” to sharing accounts, unless you live in the same household, which is loosely defined as sharing the same local area network (LAN) IP address block.
This action has nothing to do with safety, censorship, digital rights management, but rather has everything to do with money; billions of dollars in subscription and advertising revenue lost to shared login credentials.
That said, stock up on your favorite beverage and snacks, because the YouTube videos on how to circumvent the new “no sharing” rules are soon to explode like spring pollen in Georgia. It will be epic.
And the truth is that Netflix is not alone, and other providers will soon follow suit.
Hulu, Disney, Paramount, Peacock, ESPN….
Adobe, Lucidchart, Asana, Canva…
If it is a subscription as a service (SaaS), it is likely to be suffering the same loss of revenue. Why is this?
Because most online service providers rely on multi-factor authentication (MFA) password credentials to protect their services, and even the most complex MFA credentials can be easily shared (and I’m going to leave ‘stolen’ and ‘replicated’ for another blog).
Let’s take a quick peek at each of the three MFA factors:
1. Something I know:
I can share my password or “one time code” with my friends.
2. Something I have:
I can make my computer appear in the same VPN, or give my friends my Yubi/Fob.
3. Something I am:
This one works, but it can be tricky to implement.
When it comes to “something I am”, we are talking biometrics, and it gets a bit more difficult to implement by providers, and defeat by subscribers. If you want to start handling personal identifiable information (PII) and physical biometrics to protect your subscriptions, take acetaminophen and go right ahead. If you want to avoid PII hassles, and protect your SaaS offerings, behavioral biometrics may then be what you need to plug the billion-dollar hole in the MFA dam.
Behavioral biometric MFA credentials usually require little to no user training, no expensive sensors or equipment to deploy, and carry no PII which makes them easier to handle. This is a trifecta difficult to beat, especially and more importantly because – they can’t be shared.
Beyond “something I am”, behavioral biometrics focus on the way an individual “can do” something. That can be as simple as the way a person draws their credentials on their smartphone screen or laptop computer trackpad using their finger, or their mouse. The way a user writes or draws their password is so unique, that in some instances, the odds are in more than 192 billion against one for any human or machine to use a “shared” password.
Password credential sharing can make some feel like Robin Hood, and it is costing SaaS corporations billions of dollars each year. Being that the root cause is “sharing” – it only follows that password credentials that “can’t be shared”, like behavioral biometrics, should be a key element of these entities’ revenue protection plans.
Unless of course the current remedy is part of a greater humorous plan. I personally can’t wait to see the monthly “block” or “house parties” in college campuses and condominium or apartment buildings. Comical as it may sound, they will happen, and I wish good luck to both sides.
In the meantime, let it be said then that behavioral biometric MFA passwords can save billion of dollars in subscription losses today.