Netflix made headlines recently following its intention to crack down on password sharing. The company estimates that while it has 222m paying households worldwide, it also has another 100m households that are sharing access to Netflix.
Is Netflix right to crack down on its users for sharing passwords? That’s a strategic decision for them to make. But what’s certain is that Netflix won’t be alone in facing what is a global challenge: the inadequacy of passwords.
In this piece, we’ll look at…
- Why password sharing is an issue.
- The other limitations of passwords.
- How password challenges extend to other industries and how you can fix them with facial biometric authentication technology.
Passwords: the shareable credential
One of the most significant issues with passwords is that people can share them – they can easily write them down, share them verbally, or save them on shared devices. Because passwords can be shared, they are not reliable in confirming a user’s identity.
Password sharing poses problems for organizations and consumers alike:
- For organizations: for streaming services such as Netflix, password sharing will directly affect revenue and other key business metrics. How can you tell the difference between someone who is a part of a genuine paid account and someone who hasn’t paid anything but is using the password of someone that has? Limiting access to paid-only users is a strategic choice for Netflix, but in other sectors it’s hugely important to limit who accesses sensitive information and data. For governments, password sharing could be a matter of national security. If a password can be compromised, then any system that relies on passwords can be compromised.
- For consumers: while sharing a password with a family member or friend may not seem like a big deal for streaming services, we know that people reuse passwords across their accounts. So from a cybersecurity perspective, this means that each time you share a password, you’re taking on more risk of that password being compromised. By reusing passwords, your risk could go beyond Netflix – extending to your bank accounts, social media, or other online services.
Passwords are a form of knowledge-based authentication, or something you know. Like secret questions about your first pet or mother’s maiden name, these security methods rely on knowledge that can easily be stolen, shared, or guessed.
This is why multi-factor authentication has become so prevalent. If knowledge-based security is not secure, then you need to combine other factors to increase the security:
- Possession-based authentication or something you have: for example, your bank might send a one-time SMS passcode to your mobile device. The logic here is that your device is your possession and therefore it is unlikely that a fraudster would have access to both your password and your mobile device. It might be unlikely, but it’s not hard to do – a possession can be shared or stolen just as a password can.
- Inherence-based authentication or something you are: biometrics offer a much more secure option for online authentication. You can’t share a physical face. You can share a copy of it using a photograph, but Genuine Presence Assurance® liveness technology will detect if it’s a real human or if it’s a copy.
Other problems with passwords (and why they’re no longer fit for purpose)
For Netflix, the primary issue with passwords is how easy it is to share them. But there are a number of other ways passwords can prove disastrous:
- Passwords can be stolen: a shocking 80% of hacking-related breaches still involve compromised and weak credentials — i.e. stolen passwords. This is largely because people share, write down, and reuse their passwords. A whopping 60% of consumers have had to change a password after a data breach.
- Passwords aren’t user-friendly and can be forgotten: users are often frustrated when they go to log in and realize they’ve forgotten the password set up for that account. A staggering 32% of global consumers have had to request a password reminder in the last 24 hours.
- Passwords have a high operational cost for organizations: Forrester Research identified several large US-based organizations in different verticals that allocate over $1 million annually just for password-related support costs.
The global reliance on passwords is particularly worrying when you think about the severity of what can go wrong. The Colonial Pipeline Exploit was one recent example of the disastrous consequences of password-based security. The hack shut down the largest fuel pipeline in the US, and happened because just one employee’s compromised password was leaked on the dark web. This password then granted the attacker remote access to the company’s entire computer network, costing $4.4 million in ransom – a scenario that could’ve been avoided with stronger authentication.
Passwords also have a fundamental design flaw: the more secure you make them, the harder they are to remember!
The solution: how do you stop password sharing?
We’ve established that the problem Netflix is facing is down to the inherent flaws of passwords. If the company decides to limit account sharing, they will need a new and improved authentication method. This authentication method should enhance the user experience rather than creating a roadblock. Introducing the wrong authentication method could increase friction and make users frustrated.
The right solution must, at a minimum, consider:
- Security: passwords, SMS one-time passcodes (OTP), and other tactics are vulnerable to attack. Organizations need to think about future-proofing their operations and protecting customers with stronger methods.
- Completion rates: every step in a customer journey creates friction. Asking customers to complete an extra security check can cause drop-offs or canceled subscriptions if it isn’t convenient and effortless for them.
- Inclusivity: asking your customers to follow instructions or use multiple devices for authentication can result in some users not being able to use your services.
The modern solution to passwords is online biometric face authentication. Biometric authentication helps organizations ensure that only legitimate users access their accounts online. If systems are protected using iProov’s face authentication technology then only the genuine owner of each account – authenticated in real-time – can gain access. Plus, it’s incredibly easy and convenient for users to use.
How can biometrics stop password sharing?
Biometric face authentication from iProov ensures that each online user is the right person, a real person, and that they are authenticating right now.
iProov offers two technologies that can be used:
- Liveness Assurance verifies that a user is the right person and a real person (not a photograph or video shown to a camera).
- Genuine Presence Assurance verifies that a user is the right person, a real person and that they are authenticating right now. The latter provides extra security against injection attacks using synthetic media such as deepfakes.
iProov’s passive biometric authentication is designed to be simple, fast, and convenient. A user simply looks at their device and the authentication is complete. There are no complex instructions to follow and no movement required, meaning that the user’s verification and authentication experience is effortless.
iProov biometric authentication is…
- Secure: trusted by the world’s most security-conscious organizations, such as the Department of Homeland Security.
- Effortless and convenient: all users need to do is look at their device’s front-facing camera, which delivers optimal user experience.
- Inclusive: easy authentication irrespective of cognitive ability, age or ethnicity.
- Accessible and usable: the right authentication method needs to be usable by the largest proportion of the population.
Which means that…
- For customers: the user experience is prioritized, minimizing user frustration and abandoned transactions.
- For streaming services: biometric authentication can be utilized to limit account sharing without alienating users with cumbersome, ‘roadblock’ authentication.
- For other industries: biometric authentication solves common problems with passwords: shareability, inconvenience, lack of security, and poor user experience.
How can liveness stop password sharing?
Liveness prevents password sharing because it uses biometric authentication to verify that an online user is the right person and a real person. Without liveness technology, authentication can be spoofed by masks, photographs, and other threat types. With liveness detection, no one can use a picture of your face to access your account, because that picture would not pass a liveness assessment. However, not all liveness is equal – which is why iProov’s passive technology is key to success for preventing password sharing.
Netflix, password sharing, and biometrics: a summary
- The impending Netflix password crackdown is indicative of a wider issue: the shareability and inadequacy of passwords.
- Netflix’s decision will directly affect its revenues and growth. In other industries, password vulnerability is a matter of national security.
- Netflix will need to carefully consider an authentication strategy that will balance additional security with maximum usability, simplicity and convenience to minimize friction and customer frustration.
- Biometric authentication is the perfect solution and can either replace or be used in combination with passwords to provide the security, user experience, and inclusivity needed.
- Liveness detection will be an important part of the biometric option to prevent spoofing using images and video.
If you’d like to learn more about how iProov can be used to replace passwords and enhance authentication security at your organization with biometrics, book your demo today.