Streaming Services Face an Identity Crisis

Lets face it, many users have more than one device and want to be able to access their services from anywhere at any time. According to Statista, the average household in the United States has 7.4 devices that can access streaming media content – and that figure does not include gaming consoles. Users expect to be able to access the services they’re paying for from these devices.

There are edge cases that make device sharing more complex: While users shouldn’t share account credentials with their friends, neighbors, or a kind stranger, we do want them to be able to access content on devices in hotels.

If you are the one providing the service, how can you tell the difference between legitimate sharing situations and nefarious ones? This is a big question, as it can cost companies a lot of money if not addressed.

In a world of account sharing, there is also the notion that someone owns that account; this person is also known as the primary account holder. Let’s use the example of a streaming video service. The primary account holder may be a parent in the house, yet there is another parent and two children, both under 18. The primary account holder sets up profiles for each of the children, and all 7.4 devices within the household are authenticated. Now, a distant cousin comes to town and wants to use the account. The primary account holder gives them the account information, and then the cousin returns home and continues to use it. How can we prevent this type of account sharing from happening? Let’s review two options to solve this:

Adaptive MFA policies allow you to deliver a better experience by streamlining and enabling easier access for users who have safe and predictable patterns of using streaming content. Basically, adaptive MFA solutions analyze the contextual information when a user/profile is trying to access streaming content. If the contextual information leads to a predictable pattern, access is granted seamlessly. On the other hand, if an unpredictable or new pattern is discovered, friction can be introduced in the form of a push notification or biometrics to ascertain from the primary account holder an accept/deny response. On acceptance, the user/profile is able to access content.

If another user, a visiting cousin, is trying to access your streaming service from a new location on a new device, adaptive MFA takes into account contextual information such as geolocation and device profile to determine whether the primary account holder has to authorize the request. Often, many of these variables can be evaluated behind the scenes to gain an extra level of assurance without adding any additional friction to the user experience.

There are several categories of signals that adaptive MFA looks at:

1. Device profile and reputation is exactly what it sounds like: determining the risk of the device being used during the authentication process by looking at factors such as device posture (is it a jailbroken device?), software inventory status (are you up to date?), changes to the device since last login (is it a different browser than you previously used?), and whether the device has been involved in any known fraudulent activity.

 

2. User activity. Stolen or compromised credentials pose huge threats to security and privacy. As a user moves laterally on the network, you can determine threats by building a baseline of user behavior and adding real-time risk if/when the user deviates from this behavior.

 

3. Network risk. Along with the user and the device, a third point of potential vulnerability lies in the network used for access. Is the user accessing a site from an anonymous network? Is it a new device on a network address? And from a security standpoint, does the network address have a history of being used for malicious activity?

 

4. Behavioral biometrics. This innovative approach to risk-based authentication compares a user’s physical movements—typing cadence, keyboard patterns, strength of key pressure, mouse movements, etc.—to their standard profile to determine risk. It works for mobile devices as well, looking at factors such as whether the user holds the device at the same angle, presses the screen with the same pressure, and swipes in the same fashion.

Adaptive MFA is readily available today. In fact, we use it daily here at Ping. Watch this short 90 second demo to see adaptive MFA in action using PingOne Risk.

In the digital world, we’re continuously authenticated to applications on our trusted devices given the need to continuously authenticate to the device itself, often using biometrics. Our devices trust who we are and have a high degree of certainty about our identities. One way to streamline streaming services (pun intended) is to leverage that device trust and transition to other devices.

This is particularly useful when a trusted device that we constantly have with us can share that trust with a new device that we have never interacted with before.

If you have traveled to a newer hotel, VRBO, or AirBNB in the last few years, you’ll likely have used a smart TV with popular streaming apps on it, including Disney+, Netflix, ESPN+, and Hulu. You have to log in with your account credentials (if you can remember them, since you probably haven’t logged in at home for months), often using that clunky arrow pad on the TV remote to do so, just to enjoy the streaming services you pay for monthly. More modern experiences let you leverage your trusted device, such as your phone or tablet, and transfer that trust to the device in your hotel room. This, of course, isn’t limited to TVs and streaming services; it can apply to any public device, new device, or device you use less frequently that requires a sign-in. This technology works by allowing your device to scan a QR code, send a code, or even simply be connected to the same wifi network as the device you’re signing into to instantly and seamlessly transfer the trusted status of your mobile device and the streaming app to the TV in your hotel room.

This convenient experience is a breath of fresh air for user experiences, but it can also cut down on credential sharing if it’s occasionally required on devices outside of your primary residence—especially when combined with the adaptive authentication methods mentioned earlier in this blog.

Account sharing is unlikely to stop, but you can take control over how pervasive it is. Start your free trial of PingOne Risk and implement adaptive MFA today!