DEV Community

Troy

Discussion: Why does Netflix, one of the most shared streaming services, fail to offer 2FA (two-factor authentication)?

Netflix, one of the largest streaming services in the world, maintains millions of subscribers a year. This post doesn't cover the content or the subscribers, but rather poses an excellent question.

Netflix: why no 2FA for the login process?!

2FA, also known as multi-factor authentication or two-factor authentication, provides an additional layer of security for an authentication mechanism.
WIKI definition:

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).[1][2]

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.[3]

Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism. Or, the second step might be a six digit number generated by an app that is common to the user and the authentication system.[4]

Netflix does not currently offer any forms of the above security. Why? Many claim that the engineering effort would not be worth it, or that there is no private information to protect. I'd argue these points and state that your:

  • Mailing address
  • Billing address
  • Last four of your credit card or PayPal (or billing method)

would be considered private information among many. A problem of unauthorized login sharing of Netflix credentials is rampant; 2FA would assist with preventing this.

The question is -- what's your take on why Netflix has yet to implement increased security measures for its users? Why no 2FA?

Top comments (4)

Ped-raM

Someone from India got access to my account and changed the email and password. So basically I lost all the access. I called Netflix and all they could do was cancel the account and tell me to create a new one. If there was MFA or 2FA, I wouldn't have to deal with any of this.

Colin Principe

My thought is that it's because so many people use Netflix via some kind of media device rather than a PC. 2FA on a media device can be a real PITA. I'd welcome 2FA in the Account section of the app, but if I had to pull out my 2FA device every time my kids wanted to watch PJ Masks I'd shoot myself.
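The trade-off raised in the comment above (a second factor for the Account section but not for playback) is usually called step-up authentication. The sketch below is an added example, not part of the thread and not Netflix's code: it implements the six-digit app code from the quoted definition as RFC 6238 TOTP and asks for it only on sensitive actions. The action names and the `authorize` helper are hypothetical, and the secret in the test values is the RFC's published test key.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Hypothetical action names chosen to match the thread: playback stays
# password-only, while account changes and billing need the second factor.
SENSITIVE_ACTIONS = {"change_email", "change_password", "view_billing"}
STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, using the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Accept the current step plus/minus `drift` steps to tolerate clock skew."""
    ok = False
    for delta in range(-drift, drift + 1):
        t = now + delta * STEP
        if t < 0:
            continue
        # Constant-time comparison so timing does not leak matching digits.
        ok |= hmac.compare_digest(totp(secret, t).encode(), code.encode())
    return ok


def authorize(action: str, password_ok: bool, secret: bytes,
              code: Optional[str], now: int) -> bool:
    """Password for every action; a valid TOTP code only for sensitive ones."""
    if not password_ok:
        return False
    if action not in SENSITIVE_ACTIONS:
        return True
    return code is not None and verify_totp(secret, code, now)
```

With this policy, the email and password change described in the first comment would need the code even with a stolen password. A production verifier would also record the last accepted time step per account so a code cannot be replayed.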

rhymes

I think it's because they don't really want to crack down on password sharing, which is quite a big thing on Netflix. Even the CEO declared it was fine with him in the past.

By adding 2FA they would make password sharing quite a bit more burdensome.

But I agree with you in principle, every website that stores personal data should have optional 2FA.

Troy

y
