The streaming service is making account owners enter two-factor codes in a limited test. That’s … actually not so bad.
Look, let’s be honest. Sharing passwords is as endemic to the Netflix experience as having your favorite show canceled two seasons in. So when the streaming service starts testing ways to curtail that practice, it understandably riles up the many, many people who have come to expect communal accounts as a matter of course. And yes, it is always annoying when a gravy train goes off the rails. But even if it’s not Netflix’s top priority here, you’re much better off keeping your password to yourself.
The limited test that Netflix introduced this week is basically a form of two-factor authentication, the kind you hopefully already have on most of your online accounts. Some users have begun to see the following prompt when settling in for a binge: “If you don’t live with the owner of this account, you need your own account to keep watching.” Below that, there’s an option to get a code emailed or texted to the account owner, which you can enter to continue watching.
A source familiar with Netflix’s trial says that the company is still in the very early stages, and sees the effort as a way both to verify who’s using what accounts and to minimize the security issues inherent in unauthorized sharing.
Yes, security issues. And while Netflix’s flirtation with a password-sharing crackdown is by no means altruistic—not that anyone has read the terms of service, but it does specify that your account “may not be shared with individuals beyond your household”—it’s also true that sharing user names and passwords with even your closest relations can have woesome consequences.
“There seems to be a misunderstanding that sharing passwords with known individuals is not dangerous,” says Jake Moore, a cybersecurity specialist at security firm ESET. “The truth is that we shouldn’t be sharing passwords, and adding multi-factor authentication will help this process remain better protected.”
OK, but why? What’s the actual harm if I pass along my password to a cousin or not-so-casual acquaintance? It can come in a few forms. The most basic is also the most innocuous: While you might share your log-in with just one friend, you can’t control how many people they then share it with, and how many people those people share it with, and on and on, like an old Faberge commercial. When WIRED senior writer Lily Hay Newman audited the Hulu account she herself was mooching off of a few years ago, she found more than 90 authorized devices.
Admittedly, freeloaders primarily threaten the cohesiveness of your recommendations lists. It’s not the end of the world. They could also, though, steal whatever personal data your profile holds.
The much bigger issue is that the wider the password circle gets, the more risk you personally take on that your password will become compromised. And given how often people reuse passwords across multiple sites and services, that means your exposure could extend far beyond Netflix.
“Because I shared my password with you, and you got hacked, that criminal now has my password,” says Steve Ragan, a researcher at internet infrastructure company Akamai. “And if I’ve used that password anywhere else on the internet, the criminal’s going to find it, and they’re going to have access to that, too. It spreads. It’s a compounding issue.”
The practice of throwing a bunch of purloined user names and passwords at various services to see what sticks is known as credential stuffing, and it’s hit the media industry particularly hard in recent years. Between January 2018 and December 2019, credential stuffing attacks targeting video services doubled, according to Akamai research. The media industry as a whole saw 18 billion attempts over that same stretch. When Disney+ launched, thousands of accounts immediately popped up on dark web markets as hackers sniffed out the password-reusers. “Short term, what this is going to stop is the bulk sale of credentials of this type,” says Ragan.
Requiring that you enter a code to access your Netflix account also doesn’t stop you from sharing your credentials. It adds a layer of annoyance for both you and your beneficiary, but it also ensures that total strangers aren’t breaking in, and keeps credential stuffing at bay. “It would help prevent those attacks,” says Lorrie Cranor, director of the CyLab Security and Privacy Institute at Carnegie Mellon University.
And yes, it would also potentially help Netflix’s bottom line at a time when the streaming giant faces more competition than ever, as not only Disney+ but HBO Max, Peacock, and beyond compete for your monthly eyeball candy budget. About 46 percent of streaming video on demand customers share the log-in of at least one service they subscribe to, according to an October study from research firm Magid. And more than half of those people do so with the assumption that the person they’re sharing with will use the service repeatedly, versus a one-off viewing. The more of those people who actually pay for what they watch, the better Netflix’s financial position becomes. In that view, security is an ancillary benefit.
The source familiar with Netflix’s trial says that while the company has more or less freely allowed account sharing in the past—CEO Reed Hastings described it as “a positive thing” at CES in 2016—the situation has gone beyond that initial intent; the experiment helps explore one way to curb it that also keeps users that much more safe.
Again, it’s unclear whether Netflix will expand this test, or explore other ways to clamp down on password sharing. At least, though, a system that introduces two-factor lets you continue sharing, as long as you don’t mind passing along the occasional code. It’s a little inconvenience for a lot more peace of mind.