This month, Netflix stumbled backward into a policy that may have lasting security benefits for users. Its accidental pro-customer safety move could be an object lesson for other business-to-consumer (B2C) organizations looking to improve customer account security.
The streaming giant brought its new "household" policy to US customers on May 23. From now on, accounts will be restricted to a single Wi-Fi network and related mobile devices (with certain exceptions). It's a shot in the arm to cure a post-COVID hangover, boosting user growth after months of stagnation and investor skittishness.
By happenstance, the policy may also improve streamers' account security, by eliminating the common practice of password sharing.
"Sharing a password undermines control over who has access to an account, potentially leading to unauthorized use and account compromise," explains Craig Jones, vice president of security operations at Ontinue. "Once shared, a password can be further distributed or changed, locking out the original user. Worse yet, if the shared password is used across multiple accounts, a malicious actor could gain access to all of them. The practice of sharing passwords can also make users more susceptible to phishing and social engineering attacks."
With its new policy, Netflix is showing how companies can, intentionally or not, nudge or outright force their users to adopt better login practices.
But positively influencing customer behavior isn't always as simple as it seems.
The Gold Biometric Standard, Not Available to Cloud Services
One corner of the tech industry has long since figured out how to help users log in securely, without compromising on their experience: the mobile phone arena.
For years, smartphone users were choosing rudimentary passcodes out of sheer laziness or forgetfulness. That started to change in 2013 when, taking a page from the Pantech GI100, Apple introduced TouchID for the iPhone 5S. Facial recognition technology wasn't quite ready at that point yet, but FaceID, too, would soon make it even easier for users to log in securely, without slowing anything down.
Ideal as biometric login is, says John Gilmore, head of research at DeleteMe, most companies don't have such a ready fix available to them.
"'Face unlock' on iPhones is an example of how this can be done in practice, but it is contingent on a specific device. For services which rely on users being able to access a service on multiple platforms, it is not yet feasible," he says.
The core problem is that, when it comes to services, secure authentication often comes at a cost to usability.
"Online services tend to resist implementing stronger security protocols because they see that it complicates the user experience. If you create a multistep barrier to entry, such as two-factor authentication (2FA), it is less likely people will actually engage with your platform," Gilmore says.
Does this tradeoff necessarily condemn service providers to either clunkiness or insecurity? Not necessarily, experts say.
How to Do Account Security Without the UX Cost
In recent years, service providers have been experimenting with new ways to guide their users to the light.
"Adding user-friendly security features, such as password strength meters, and password change reminders, can further promote safe practices," Ontinue's Jones says.
And companies can do more with their login pages. Like the warnings on cigarette packages, "direct interaction points, like login or account setup, offer opportunities to provide security tips and reminders," he adds.
Lastly, Jones says, "incentivizing secure behavior with benefits such as discounts or additional features can be an effective way to promote secure practices."
How to Incentivize Better Account Security Practices
Incentivization can work with a carrot or a stick.
One company that has succeeded in the former is Epic Games, the developer behind the online game Fortnite. Following a string of security incidents affecting thousands of the game's (often quite young) players, Epic created new in-game rewards for players who set up two-factor authentication (2FA) on their accounts.
Never before have so many kids "boogied down" over proper cyber hygiene!
Boogie Down emote, free with 2FA. Source: Epic Games
And for a case study in the stick, consider Twitter. On Feb. 15, Twitter announced that it would limit SMS-based 2FA only to paid subscribers.
As Darren Guccione, CEO and co-founder at Keeper Security explains: "The decision was met with mixed emotions in the cybersecurity community, as it appeared to discourage the use of a critical second layer of security. However, Twitter’s new default for standard accounts was changed to authenticator app or security key, which are both stronger and more secure options than SMS 2FA."
What's clear across all of these examples is that companies have great power to sway how their users engage with their own security.
Ultimately, Guccione concludes, "the ethical obligation falls on the leaders of these companies to encourage and usher in changes that will protect their customers in the long run."