Facing stiff competition from Disney+, Hulu and HBO Max, the company is looking at ways to keep your account limited to your home only.
Netflix caused a minor uproar this week when a small number of users reported seeing a new message that said “If you don’t live with the owner of this account, you need your own account to keep watching.” Users are then presented with different options, ranging from verifying their account through e-mail or text as well as simply creating a new account.
SEE: Identity theft protection policy (TechRepublic Premium)
Screenshots of the pop-up were initially shared by The Streamable but a Netflix spokesperson confirmed to TechRepublic that it was indeed the first test in the company’s efforts to stop people from sharing their passwords.
In a statement, a Netflix spokesperson said, “This test is designed to help ensure that people using Netflix accounts are authorized to do so.”
Password sharing among Netflix’s more than 200 million subscribers is wildly popular and extremely common. One survey from ESET found that 60% of respondents admitted to sharing their password with someone outside of their household, and one in every three said they shared it with more than one other person.
A number of analysts said Netflix was feeling the pressure from other streaming services that are cutting into their dominance of the market, like Disney+, Hulu, HBO Max and Amazon Prime Video.
“Taking a multi-screen approach to services has allowed Netflix and other streaming services to rapidly expand their user base. The downside is that this convenience has allowed account holders to share access with anyone, within a household or with anyone across the country. Rolling out multi-factor authentication to verify users will reduce the average number of people accessing an account,” said Chris Hazelton, director of security solutions at Lookout.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
“All those one-time users, forgotten and remembered exes, as well as anyone else that has fallen out of favor with primary account holders will quickly lose access. However, ‘approved’ users will find work-arounds, especially if the authentication process is run through text messaging—as account holders can easily share the authentication code quickly with friends.”
Hazelton added that streaming services could require multiple levels of authentication, including the use of certificates installed on a limited number of mobile devices and compared it to other software as a service platforms where accounts have a set number of “seats.”
Setu Kulkarni, vice president of strategy at WhiteHat Security, said Netflix had already put steps in place to make it difficult for families to share accounts, noting that even though people can create their own accounts within a master account, they still need the master account’s credentials to log in.
“It seems unreasonable to expect the master account holder to login, and keep logged in to various family member devices, especially as family members are increasingly mobile. The better solution here may be to emulate how Apple does family sharing. Every family member does create their own login, however, they get associated with the master account owner,” Kulkarni explained.
Kulkarni also suggested that a balanced solution to Netflix’s concerns about passwords being shared with those outside of a family or household could be addressed by limiting the number of registered devices where a particular login can be used or limiting the number of concurrent sessions.
Other experts said that while this new test does seem targeted at those sharing passwords widely, there are other reasons Netflix may want to limit the practice.
Cerberus Sentinel’s vice president of solutions architecture, Chris Clements, said the move seemed less about preventing account sharing with friends and family so much as it is targeting accounts that may have been stolen and resold on the black market.
“Prompting a suspicious viewer for a verification code sent to the account owner would be a text message away for friends or family but would stop anyone unknown to the account owner from leaching off their subscription,” Clements noted.
“I feel like the rise of seemingly dozens of walled-garden streaming services has signaled the exit of the ‘golden era’ of streaming where one or two subscriptions gave consumers access to almost all content they could want. This pressure naturally leads to a market for trading or reselling accounts between viewers experiencing subscription fatigue and the high aggregate cost of purchasing every service needed to view the content they want.”
Erich Kron, security awareness advocate at KnowBe4, echoed that idea, adding that a two-step account verification process was not much different than what banks do.
But Kron noted that the problem will be difficult to solve because of how many people sign into accounts from hotels or use portable devices to stream movies in places other than their homes. “Even at home, their IP address is likely to change. This makes fraudulent logins difficult to pinpoint,” Kron said.
Netflix has largely allowed password sharing to continue unabated for years, but its terms of service does note that accounts can only be used within one household.
Lamar Bailey, senior director of security research at Tripwire, questioned the true reason for the move and questioned whether Netflix realized the ingenuity of its user base.
“While sharing passwords is generally a bad thing, is there any issue in sharing a streaming password with trusted people? Is Netflix having a problem with account takeover or is this a way to increase paying customers?” Bailey said.
“If the account takeover is a real problem, it would be a more elegant solution to make any account changes (password, email, account level, etc.) to require a multi-factor approval before they are approved. If stopping sharing to increase revenue and users is the real goal, this nag screen will likely make a difference, but it may not be the intended difference. There is always a way around a control if the user is determined enough.”