
Can Cloud Services Improve Login Security? The Unintentional Example of Netflix


Netflix, the popular streaming service, has recently implemented a new policy that could improve account security for its users. The move, which restricts each account to a single household Wi-Fi network and the mobile devices associated with it, could have lasting security benefits for the company’s user base.

By doing so, Netflix may have accidentally stumbled upon a pro-customer safety move that could serve as an object lesson for other business-to-consumer (B2C) organizations looking to improve customer account security. This is especially important given the prevalence of password sharing, which undermines account control and can lead to unauthorized use, account compromise, and other cybersecurity risks.

According to Craig Jones, Vice President of Security Operations at Ontinue, “The practice of sharing passwords can also make users more susceptible to phishing and social engineering attacks.” This is why password sharing is a major issue in many B2C organizations, as it creates unnecessary vulnerabilities that can be exploited by hackers.

With its new policy, Netflix is showing how companies can, intentionally or not, nudge or outright force their users to adopt better login practices. However, positively influencing customer behavior isn’t always as simple as it seems, and often comes at a cost to usability.

The Gold Biometric Standard, Not Available to Cloud Services

One corner of the tech industry has long since figured out how to help users log in securely, without compromising on their experience: the mobile phone arena. For years, smartphone users were choosing rudimentary passcodes out of sheer laziness or forgetfulness.

That started to change in 2013 when, taking a page from the Pantech GI100, Apple introduced Touch ID for the iPhone 5S. Facial recognition technology wasn’t quite ready at that point, but Face ID, too, would soon make it even easier for users to log in securely without slowing anything down.

Ideal as biometric login is, says John Gilmore, head of research at DeleteMe, most companies don’t have such a ready fix available to them. “‘Face unlock’ on iPhones is an example of how this can be done in practice, but it is contingent on a specific device. For services which rely on users being able to access a service on multiple platforms, it is not yet feasible,” he says.

The core problem is that, when it comes to services, secure authentication often comes at a cost to usability. “Online services tend to resist implementing stronger security protocols because they see that it complicates the user experience. If you create a multistep barrier to entry, such as two-factor authentication (2FA), it is less likely people will actually engage with your platform,” Gilmore says.

How to Do Account Security Without the UX Cost

In recent years, service providers have been experimenting with new ways to guide their users to the light. “Adding user-friendly security features, such as password strength meters, and password change reminders, can further promote safe practices,” Ontinue’s Jones says.

And companies can do more with their login pages. Like the warnings on cigarette packages, “direct interaction points, like login or account setup, offer opportunities to provide security tips and reminders,” he adds.

Lastly, Jones says, “incentivizing secure behavior with benefits such as discounts or additional features can be an effective way to promote secure practices.”

How to Incentivize Better Account Security Practices

Incentivization can work with a carrot or a stick. One company that has succeeded in the former is Epic Games, the developer behind the online game Fortnite. Following a string of security incidents affecting thousands of the game’s (often quite young) players, Epic created new in-game rewards for players who set up two-factor authentication (2FA) on their accounts.

And for a case study in the stick, consider Twitter. On Feb. 15, Twitter announced that it would restrict SMS-based 2FA to paid subscribers.

As Darren Guccione, CEO and co-founder at Keeper Security explains: “The decision was met with mixed emotions in the cybersecurity community, as it appeared to discourage the use of a critical second layer of security. However, Twitter’s new default for standard accounts was changed to authenticator app or security key, which are both stronger and more secure options than SMS 2FA.”

What’s clear across all of these examples is that companies have great power to sway how their users engage with their own security. Ultimately, it’s the leaders of these companies who have the ethical obligation to encourage and usher in changes that will protect their customers in the long run.
