Revenue losses due to account sharing
Account sharing affects many industries, but the one making the headlines lately is the streaming industry. In January, Netflix said that it had added 8.5 million customers in the fourth quarter, for a total of 203.6 million paying subscribers by the end of 2020. In an attempt to make the streaming service profitable, Netflix is set on stopping account sharing.
The move was rolled out in April 2021, with Netflix prompting users to verify their accounts with a message that reads “If you don’t live with the owner of this account, you need your own account to keep watching.”
With reportedly one-third of Netflix accounts being shared, the revenue loss due to account and password sharing is estimated at $2.3 billion each year, according to a survey by Cordcutting.com, followed by Hulu with $40 million.
What is account sharing?
Account sharing refers to accounts that have a single pair of credentials to authenticate multiple users. The accounts can be on any platform or network, ranging from email accounts to applications, servers, or databases.
Industries most affected by account sharing
The entertainment industry is not the only one affected. Estimates show that Amazon loses $45 million in revenues each year. The real challenge is differentiating between the ones who share their accounts and the ones who pay.
The culture of account sharing
In 2014, HBO's CEO acknowledged the password-sharing culture but didn't see it as a real issue. In reality, the more users get hooked on a certain streaming service, the more they will want to use it, which comes with enormous marketing benefits as well. But even so, once streaming services start seeing plateaued subscriber growth, putting an end to account sharing will be the next step in growing revenue.
Parks Associates found that most antipiracy efforts in the U.S. focus on detecting and reducing credential sharing and account abuse. Still, account sharing is a cultural norm among teens and young adults. The prevalence of account sharing lies at 80% in this age group while dropping to 29% among 35-74 year-olds. These numbers indicate that nearly one in every three adults is violating the terms and conditions.
Risks of account sharing
Why are shared accounts bad?
Shared accounts such as email addresses or subscriptions to various services can pose several security risks, especially if the passwords are shared among a company or household and stored in plain text accessible to other users. Attackers can easily access these passwords and therefore gain access to personal information inside the accounts or even credit card data.
Risk of violating the T&Cs – Can I get banned for account sharing?
Yes, violating the terms and conditions of paid subscription services could get any user banned from accessing the service. More and more, companies have started to ask users for identity validation. Spotify urges users to confirm their location to validate living in the same household as the subscription holder. Using a pay-per-seat type of service comes with the responsibility of not sharing your account with strangers; otherwise, violating the terms of service can not only get you banned but also raises security concerns and the risk of credit card fraud.
Shared subscription services and copyright infringement
Most subscription-based providers are totally against services that allow users to share their subscriptions with others. Revenue being at stake, most have taken the natural next step towards stopping such services from enabling users to share their accounts. In addition, Google Chrome extensions were removed from the Chrome Web Store and banned due to copyright claims.
Security risks of account sharing
Shared accounts come with many flaws, and owners are exposed to multiple risks. A shared Apple Music subscription comes with the ability to invite other users into a Family Sharing group. This means the added “family member” is entitled to use all other Apple subscriptions. Also, any member of a Family Sharing group can access payment methods for App Store purchases.
Shockingly, this also translates to other business accounts, including corporate ones. If an IT team shares access to an email address, one associated risk is that employees who leave the company still have access to corporate assets unless proper password hygiene is maintained. Password sharing on corporate accounts should also be avoided because it undermines non-repudiation, which is critical in cases of fraud or malicious acts. Companies must be able to prove which user took an action, which is sometimes necessary to hold employees accountable or even pursue legal action.
How to stop account sharing
Focusing on account sharing is sometimes more time-consuming than allocating resources to product development and market share gains. Still, some tools are available for companies looking to increase revenue by reducing account sharing. With some exceptions, most account sharing prevention solutions require enhanced dev resources and savvy IT teams.
Prevent account sharing with WebSocket connections
WebSocket is a computer communications protocol that can be used to stop account sharing. It can be implemented by granting access to users using a license and works by pausing a connection anytime a new login is performed or, on the contrary, blocking access while another user is using the subscription service.
This method creates a bad user experience for the well-intended paying customers. It also allows security breaches like man-in-the-middle or sniffing attacks when the connection uses the unencrypted ws:// scheme, because data is then transferred in plain text, similar to HTTP; wss:// (WebSocket over TLS) encrypts the traffic in the same way HTTPS does.
Session quota constraint enforcement
This method limits the number of active sessions through which a user can access a computer network. A session quota is determined by the session quota logic of the single sign-on provider, and the number of active sessions is compared with the specified session quota. Session quota constraint enforcement is a popular security measure, especially when dealing with sensitive accounts or cloud access. Still, enforcing such a method to prevent account sharing and forcing users to authenticate several times while using your service can turn into a customer nightmare. Additionally, depending on the application or service users are accessing, logging them out might cause them to lose unsaved work, access to reports, or similar.
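The two enforcement behaviours described above (pausing the older connection when a new login arrives, or blocking the new login while a seat is taken) are both a session quota, with the WebSocket case being a quota of one. The sketch below is an added example, not code from any product named on this page; the class, method and policy names are hypothetical, and idle sessions are expired so that an abandoned tab does not lock a paying user out.

```python
import time
from collections import OrderedDict

class SessionQuota:
    """Per-account cap on concurrent sessions (illustrative; names are hypothetical)."""

    def __init__(self, quota=1, policy="evict_oldest", idle_timeout=1800):
        if quota < 1 or policy not in ("evict_oldest", "deny_new"):
            raise ValueError("quota must be >= 1 and policy must be known")
        self.quota, self.policy, self.idle_timeout = quota, policy, idle_timeout
        self._sessions = {}  # account -> OrderedDict(session_id -> last_seen)

    def _expire(self, account, now):
        # Drop sessions idle longer than the timeout so dead tabs do not hold a seat.
        active = self._sessions.setdefault(account, OrderedDict())
        for sid in [s for s, seen in active.items() if now - seen > self.idle_timeout]:
            del active[sid]
        return active

    def login(self, account, session_id, now=None):
        """Return (allowed, evicted_session_ids)."""
        now = time.time() if now is None else now
        active = self._expire(account, now)
        evicted = []
        if session_id not in active and len(active) >= self.quota:
            if self.policy == "deny_new":
                return False, evicted
            while len(active) >= self.quota:
                # Earliest login loses its seat; the caller closes its connection.
                evicted.append(active.popitem(last=False)[0])
        active[session_id] = now
        active.move_to_end(session_id)
        return True, evicted

    def touch(self, account, session_id, now=None):
        """Heartbeat; returns False if the session was evicted or has expired."""
        now = time.time() if now is None else now
        active = self._expire(account, now)
        if session_id not in active:
            return False
        active[session_id] = now
        return True

    def logout(self, account, session_id):
        self._sessions.get(account, {}).pop(session_id, None)
```

A server would call `touch` on each heartbeat and close the connection of any session for which it returns False; warning the user before eviction is what avoids the lost unsaved work mentioned above.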
Stopping account sharing with IP address recognition
IP address recognition can be easily bypassed using various tools like VPNs, and Chrome browser users can also access extensions that dynamically change their IP addresses every time they go online. Browsers of all kinds have implemented privacy enhancements, making it harder than ever to block IPs in order to stop account sharing. Also, devices in the same corporate network look the same from the outside: behind Network Address Translation (NAT), they all share the IP address of the router. The method was used to prevent IP address exhaustion in the IPv4 era, and one Internet-routable IP address of a NAT gateway can be used for an entire private network. This makes the technique obsolete in preventing account sharing based on IP address limitation, especially in the same corporate or household network.
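The failure modes described above can be measured by running a naive IP-count rule over login records, as in this added example (not code from the original page). The records, account names and the `max_ips` threshold are constructed for illustration, the addresses come from the reserved documentation ranges, and the "user" column is ground truth that a real service would not have.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed login records: (account, user, source IP as seen by the server).
LOGINS = [
    ("acct-home", "parent", "203.0.113.7"),         # household behind one NAT gateway
    ("acct-home", "child", "203.0.113.7"),
    ("acct-shared", "owner", "198.51.100.20"),      # password given to two coworkers,
    ("acct-shared", "coworker1", "198.51.100.20"),  # all behind the same office NAT
    ("acct-shared", "coworker2", "198.51.100.20"),
    ("acct-solo", "traveller", "192.0.2.10"),       # one person: home, mobile, VPN
    ("acct-solo", "traveller", "192.0.2.77"),
    ("acct-solo", "traveller", "198.51.100.99"),
]

def flag_by_ip(logins, max_ips=2):
    """Naive rule: flag accounts seen from more than max_ips distinct addresses."""
    ips = defaultdict(set)
    for account, _user, ip in logins:
        ips[account].add(ip_address(ip))
    return {a for a, seen in ips.items() if len(seen) > max_ips}

def truly_shared(logins, household=("acct-home",)):
    """Ground truth: several people on an account outside the household allowance."""
    users = defaultdict(set)
    for account, user, _ip in logins:
        users[account].add(user)
    return {a for a, u in users.items() if len(u) > 1 and a not in household}

def evaluate(logins):
    """Compare the IP rule with ground truth and report both kinds of error."""
    flagged, shared = flag_by_ip(logins), truly_shared(logins)
    return {"false_positives": flagged - shared, "false_negatives": shared - flagged}

if __name__ == "__main__":
    print(evaluate(LOGINS))
```

The rule flags the single roaming subscriber and misses the account shared behind one NAT address, which is why an IP count alone is a weak signal.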
How to prevent account sharing with 2FA? Implement TypingDNA Verify 2FA.
A user-friendly solution can be used to prevent account sharing without putting unnecessary pressure on the properly paying customers. TypingDNA Verify 2FA uses typing biometrics to authenticate users with a seamless experience. By typing four words, users can log in instantly without the need for scanning QR codes, additional hardware devices, or inputting OTP codes.
Unlike other measures, implementing 2FA based on typing biometrics brings a range of immediate benefits for both your company and your end-users. However, SaaS businesses looking to reduce account sharing and increase revenue must operate with caution since well-intended users might be offended by account sharing prevention methods. Paying customers typically dislike any measures that show mistrust and create a burdensome user experience.
With TypingDNA Verify 2FA, companies implement account sharing prevention beginning with the first step of the user journey, the login. Immediately, the correct user is confirmed with no need for additional measures such as browser fingerprinting or IP address verification. The ease of use and adoption of typing biometrics make this method a seamless verification process for any service in any industry, regardless of whether it's a SaaS business or a streaming service. With TypingDNA Verify 2FA, there's no longer a need to verify a user's location or send them SMS OTP codes.
Integration takes less than 10 minutes, helping SaaS companies grow their user bases while mitigating security risks such as account takeovers.
Try Verify 2FA with our new Starter plan and authenticate 1,000 users each month at no cost. And when you're ready to scale up your user base, you'll pay just 1 cent per user, with unlimited authentications. Sign up here or try a live demo.