This is vexing for service providers as they struggle to contain piracy while also countering lower level threats to revenue such as casual sharing of passwords among friends and family. Passwords alone, like PINs, rely on just the first factor of security, something the user knows. The second factor exploits something the user has unique to them, such as passkey generator, some plug-in dongle, or their smartphone. The third factor is something the user is, in other words a biometric like a thumb print or iris, which can be scanned, or voice, which can be recognized. Some pay TV operators have been hoping to add either a second or third factor to password protection, or even both, to strengthen access control.

But resistance to innovation in authentication, at least by users of video services, has been confirmed in a recent survey by Dallas based analyst firm Parks Associates. Entitled "Innovations in Authentication and Personalization Technologies," the report found that 16 per cent of broadband households in the US admit to sharing their passwords for their video service accounts with other people, with the real figure quite likely higher than that.

The survey also found that service providers are having a hard time persuading subscribers to adopt more advanced methods of password-free authentication, based either on a second factor such as a one-time passkey generator, or a biometric third factor. Yet this comes at a time when, as the survey reported, consumers are increasingly concerned over fraudsters stealing their data and/or identity, as well as over how hacked data and devices may be abused.

There is also increasing acceptance of additional factors of security around smartphones, including biometrics. Consumers have embraced the second factor of some device they own for online banking, as well as using their smart phones for that factor. Most of these methods though either suffer from integration complexity or implementation weaknesses as far as accessing premium video content is concerned. This has led Google for example to develop two-factor security based on dedicated hardware units serving client devices either via direct USB connection or Bluetooth. Indeed, there has been growing momentum behind such physical key systems that can be used to protect online services of different kinds, with a few dedicated vendors in the field, such as Yubikey and Feitian.

Google weighed in with the launch in July 2018 of its Titan Security Keys based on a standard called FIDO developed to facilitate interoperability among such devices supporting strong authentication. These devices operate much like two-factor authentication systems for smartphones, which typically send a code as a text message to the user for accessing a service, except that these are dedicated just to security. Using text messages is less secure because the codes are vulnerable to interception unless stronger versions are used on smartphones, which is not widely done.

The problem though is that Titan, like any second security factor, is inconvenient to use. Subscribers can only access their service if they have the device on them or available nearby and have to engage in this additional physical manoeuvre. The Parks Associates survey identified that most users were unwilling to embrace such devices and that friction must be reduced.

“To drive adoption of new authentication methods, the industry needs to deliver a frictionless user experience, bringing a more personalized approach to authentication in addition to increased security,” said Billy Nayden, Research Analyst, Parks Associates. “Poor experiences with authentication and personalization technologies will drive consumers back to traditional methods and increase churn for video services.”

Google has so far failed to solve the friction problem with Titan and so the solution may lie instead with intelligent monitoring that attempts to identify users whose behaviour is either threatening or puts their account at risk of unauthorized access. The critical point here, as that survey again noted, is that users are willing to engage in additional security measures occasionally so long as they are not compelled to do so every time they gain access.

For this reason, there has been growing interest in, and evaluation of, risk-based authentication(RBA), sometimes referred to as adaptive authentication, for identity verification and access control. This takes account of a range of factors, such as where the user is, what time they gain access, how long they remain logged in, and what systems they are accessing, in order to assess risk. Then when a specified risk threshold is exceeded, the user might be asked to undergo a full two or even three factor authentication process.

However, risk-based authentication could threaten privacy unless carefully implemented, which service providers will have to bear in mind. Such a system though could identify casual sharing of passwords on the basis of user location for example. As it happens, Synamedia, the company bought back from Cisco by equity group Permira Funds in 2018, recently launched a product to exploit such capabilities to tackle casual sharing of passwords. The idea is that the rump of essentially honest consumers can be brought onside and even tapped for additional revenues, by offering services that enhance rather than block sharing of their video service with friends or family.