Intro
Savings life hack: get a group of 4 friends, each buy 1 streaming service, then share all the passwords with each other. Get Netflix, Disney+, HBOMax, and Peacock all for the price of 1. Boom.
While not everyone has this level of planning, it’s very common for users to share accounts, with one-in-four users borrowing account logins for streaming services from people who live outside their home.
Downsides of account sharing
For Businesses
Loss of Revenue
Businesses lose massive amounts of money by not cracking down on account sharing. It’s estimated that streaming platforms lose out on $2.3 billion in membership fees from account sharing.
After struggling with growth and failing to hit their revenue targets, Netflix finally cracked down on account sharing from different households in May ‘23. Users can add 1-2 extra members (depending on the plan) for $8/month extra.
Chargebacks from Account Takeovers
An account takeover is unauthorized access to and control of a user’s account with malicious intent. With this access, fraudsters can manipulate the account and access sensitive information, such as credit card information. If they charge the card on the original account or on other accounts, it will likely cause a chargeback, which is a demand by a credit-card provider for a retailer to make good the loss on a fraudulent or disputed transaction. Businesses need to watch this carefully, since chargeback fraud cost sellers over $20 billion in 2021.
The risk of account takeovers, which can cause chargebacks, increases with account sharing. The more users that share an account, the more likely it is that bad actors are able to gain access, which could be from phishing, social engineering, or exploiting security vulnerabilities.
For Consumers
Shared passwords
65% of users reuse the same password for multiple or all accounts. If the password on a shared account is one the user also uses elsewhere, then their other accounts can be easily hacked too. Fraudsters can steal passwords through phishing, infecting devices with malware, and many other ways. If an account is shared by 4 people, then the risk of passwords being compromised increases by 300%.
Potential loss of account
Account sharing among consumers can lead to the loss of access to accounts. If one of the account sharers engages in prohibited or fraudulent activities, the entire account may be penalized or permanently disabled, resulting in the loss of access for all users involved.
Which Industries are Affected by It
Account sharing is typically associated with streaming services, especially Netflix. However, many other SaaS subscription platforms face issues with account sharing. A user simply purchases the subscription then shares it with friends or peers. These are only a sample of the subscription platforms that face issues with account sharing.
B2C Platforms
Type | Example |
EdTech | Chegg, Codecademy |
Design / Wireframes | Canva, Figma |
Video editing / sending | Loom, Descript |
Purchase images online | Shutterstock |
B2B Platforms
Type | Example |
Social Media Management | Hootsuite |
B2B Contact Databases | ZoomInfo, Crunchbase |
How Companies Currently Handle Account Sharing
Netflix
As of May 23, 2023, Netflix is enforcing its restrictions on password sharing in the U.S. by having the account owner set their primary location. Netflix then uses device and network signals to determine whether other account users are part of the household. Users living in different houses will either be prompted to share their account or be locked out.
While this makes it very hard or impossible for users to share accounts across different houses, it also adds a lot of friction for users, requiring them to verify their home location. Netflix is probably the only platform (except maybe a few other streaming services) that can do this because of its reach. However, this method is unrealistic for other subscription services.
GPS & IP Address Recognition
Spotify tried an experiment in 2018 asking users to confirm their locations through GPS. However, they stopped mainly because users were uncomfortable with sharing such detailed information with Spotify.
A less invasive approach is to track users’ IP addresses. An IP address is a unique string of characters that identifies each computer using the Internet Protocol to communicate over a network.
However, IP detection is unreliable, and there are multiple ways users can bypass it:
- IP addresses can be easily circumvented through the use of various tools such as VPNs (Virtual Private Networks).
- If users log in from a public internet source, such as a library, many users would likely have the same IP address.
- Users of the Chrome browser have the option to utilize extensions that allow them to dynamically change their IP addresses each time they connect to the internet.
Cookies
Cookies are unique identifiers that a website stores in your browser to recognize your computer on later visits. In theory, they allow the website to track the activity of an individual and determine if it’s the same person. However, there are many cookie laws in the US that require businesses to obtain users’ opt-in consent before tracking them. Additionally, users can easily delete cookies anytime they’d like.
Multi-factor authentication
Multi-factor authentication (MFA), including email and SMS texts, can help prevent account sharing by adding an extra layer of security beyond just a username and password. When logging in, users would be prompted to enter a 4-6 digit code. This would keep out users who are using the account without the account owner’s knowledge or consent. It still could be bypassed by account holders who willingly share their account by just sharing the code with others, but it causes additional friction.
Terms & Conditions
Many companies, such as HBO Max, say in their terms & conditions that users cannot share accounts. However, HBO Max does not crack down on account sharing, so users of course share accounts. Since only 9% of adults always read a company’s terms and conditions, it’s likely most HBO Max users didn’t even know this was in its terms. Therefore, this method is mostly just in spirit, rather than actually doing anything to prevent account sharing.
How to Actually Prevent Account Sharing
While the solutions above can help minimize account sharing, there are still many ways that users can bypass those restrictions. Fortunately, there is a new method that prevents account sharing much more effectively.
Fingerprint Device Tracking + Face Verification
Platforms can create a risk score of the likelihood of users sharing accounts based on the current methods above (IP address, cookies, MFA).
Platforms can use this method to determine the likelihood that users are sharing accounts, then move users to face verification to verify their identity. Of course, this method does increase friction for users, which is why it should only be used for devices suspected of account sharing.
Many platforms have a decent understanding of which users share accounts, but aren’t 100% sure. Therefore, it’s risky for them to kick the users off or restrict access because they could be kicking off a legitimate user. However, face verification allows platforms to move users whom they suspect of account sharing to a verification step instead. This way legitimate users suspected of account sharing can still access the platform, while shared accounts won’t be able to bypass the face verification.
Platforms can choose the likelihood threshold at which they move users to face verification. For example, platforms most concerned with friction may only move users to face verification if they’re 98% confident that accounts are shared, whereas platforms that want to maximize revenue by eliminating account sharing may set a 90% threshold.
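The risk score and threshold described above can be sketched as follows. This is an added example, not code from the article or from any vendor; the signal names, weights, /24 network grouping, 30-minute window and sample logins are all assumptions, and the weights are not calibrated probabilities.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

@dataclass(frozen=True)
class Login:
    at: datetime
    device_id: str    # device fingerprint (assumed to be computed upstream)
    ip: str           # IPv4 source address
    had_cookie: bool  # browser presented the site's returning-visitor cookie

# Assumed, uncalibrated weights: how strongly each signal suggests sharing.
WEIGHTS = {"devices": 0.7, "networks": 0.8, "no_cookie": 0.3, "concurrent": 0.9}

def net(ip):
    # Group by /24 so one household's changing address counts as one network.
    return ip_network(f"{ip}/24", strict=False)

def signals(logins, household_devices=2, window=timedelta(minutes=30)):
    if not logins:
        return dict.fromkeys(WEIGHTS, 0.0)
    seq = sorted(logins, key=lambda l: l.at)
    # Back-to-back logins from different devices on different networks.
    concurrent = any(b.at - a.at <= window and a.device_id != b.device_id
                     and net(a.ip) != net(b.ip) for a, b in zip(seq, seq[1:]))
    extra_devices = max(0, len({l.device_id for l in seq}) - household_devices)
    return {
        "devices": min(1.0, extra_devices / 3),
        "networks": min(1.0, (len({net(l.ip) for l in seq}) - 1) / 3),
        "no_cookie": sum(not l.had_cookie for l in seq) / len(seq),
        "concurrent": 1.0 if concurrent else 0.0,
    }

def sharing_score(logins):
    # Noisy-OR: every signal independently shrinks the "not shared" probability.
    not_shared = 1.0
    for name, value in signals(logins).items():
        not_shared *= 1.0 - WEIGHTS[name] * value
    return 1.0 - not_shared

def decide(logins, threshold):
    return "face_verification" if sharing_score(logins) >= threshold else "allow"

T0 = datetime(2023, 6, 1, 20, 0)  # constructed sample data below, not real traffic
HOUSEHOLD = [Login(T0, "tv", "192.0.2.10", True),
             Login(T0 + timedelta(hours=3), "phone", "192.0.2.57", True)]
BORDERLINE = [Login(T0, "tv", "192.0.2.10", True),
              Login(T0 + timedelta(minutes=10), "laptop", "198.51.100.4", True),
              Login(T0 + timedelta(days=2), "tablet", "203.0.113.9", True)]
```

With these constructed logins, the borderline account is sent to face verification at a 90% threshold but allowed at 98%, while the household account is never challenged.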