Why subscription-based platforms should go passwordless

By adopting biometric identification systems, subscription-model businesses, such as content platforms like Netflix or intermediation platforms like Airbnb, can truly ensure users are who they say they are, avoiding identity fraud and password sharing.

After confirming earlier this year a significant drop in subscriber numbers, Netflix is now rolling out new methods to retain subscribers and win back revenue. The formula that is now being tried out in five Latin American countries is to charge users an extra fee for using an account for more than two weeks outside their primary residence.

In April, Netflix announced a loss of 200,000 subscribers in the first quarter of 2022. In July, in its second-quarter earnings report, the company said it had lost nearly an additional 1 million subscribers.

In a letter to stakeholders following the 1Q earnings report, the subscription-based streaming service said the steep drop in subscriptions was a consequence of users sharing their passwords with friends and family. The company also acknowledged that it has some 100 million users that do not pay a subscription. Hence the idea of charging an extra fee for password sharing.

However, Netflix’s move to recover revenue and crack down on password sharing is a meager attempt to tackle a much bigger issue: the imminent collapse of the password model.


FROM PASSWORDS TO MFA

As online services have become standard, from learning to banking, including entertainment, travel booking, health, shopping, and so on, users have become flooded with passwords. That has led people to create simple passwords and reuse them over and over.

According to the Psychology of Passwords Report 2021 by Lastpass.com, although 92% acknowledge that reusing a password or using a similar one is a risk, 65% of people reuse their password on multiple accounts; 51% rely on memory to remember passwords.

In conclusion, the report states that 68% of respondents reuse their passwords because they are afraid of forgetting them.

Also, a recent survey conducted by The Zebra revealed that 79% of users in the United States share their password information with friends and family.

Password identification is a form of knowledge-based authentication. Thus, to prove their identity, users need to share a secret (the password) with their service provider.

In recent years, passwords have increasingly been replaced by multifactor authentication (MFA), a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user’s identity for a login or other transaction.

These credentials usually are what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.

MFA works by combining two or more of these to authenticate the user’s identity. In other words, it adds security layers to passwords.

Airbnb, for example, uses a 2-step identification process. Whether you’re a host or a guest, you must provide sensitive information, such as photos of your ID or driver’s license, address, signature, and so on. Then, the platform stores your information in an encrypted form, secured by third-party databases.

Many people feel uncomfortable with sharing so much personal information. Or feel that the identity authentication process takes too long (up to 24 hours) and is too complicated.

In any case, after analyzing more than 127,000 Airbnb complaints, travel blogger and researcher Asher Fergusson found that 20.7% of the complaints belonged to customers whose accounts had been hacked.

MFA is indeed an improvement compared to only using passwords, but it has its own security issues. To name some, tokens sent by email can be intercepted by third parties and SMS-based MFA is susceptible to SIM swapping.

Also, MFA adds friction to operations: it is time-consuming for users and can be costly and difficult for businesses to implement.

BIOMETRICS TO THE RESCUE

Users agree that passwords and MFA are tiresome, and according to a Thirdpartytrust.com survey, 36% of users, if given the option, would prefer facial recognition over typing a password. Adding to that, a survey from Enterprise Strategy Group (ESG), a division of TechTarget, reveals that 54% of total respondents have started to transition to passwordless authentication.

Biometrics is based on the measurement and analysis of individual physical characteristics unique to each person. This prevents the data from being copied or hacked. With biometric authentication, all a person needs is him/herself. It requires no shared secrets (passwords) and no tokens.

Nowadays, personal smartphones equipped with biometric capabilities are the standard, serving as the storage hardware for the individual’s biometric patterns.

For users, biometric authentication is seamless, speedy, and easy to use and, most importantly, they are the only ones in control of their identification data, which is stored in their smartphones.

For businesses it is an easy-to-implement and cost-effective way to truly identify users, preventing fraud and protecting their privacy while enabling zero-trust environments.

B-FY identification as a service (IDaaS), based on open ID, uses the biometric recognition capabilities provided by mobile devices to reliably identify people by implementing an identification protocol that offers maximum guarantees of protection and privacy of user data.

Financial services, healthcare, and higher education industries are already turning to biometric security solutions to safeguard their users’ data.

Subscription-based businesses that rely on customer authentication to provide their services and protect their reputation and income should draw on these industries’ experience to tackle password sharing, identity fraud, and cyberattacks.