
Discussion: Why does Netflix, one of the most widely shared streaming services, fail to offer 2FA (two-factor authentication)?

Troy
Global #AWS Solutions Architect for Perficient, AWS Partner Network Ambassador
・3 min read

Netflix, one of the largest streaming services in the world, maintains millions of subscribers a year. This post doesn't cover the content or the subscribers, but rather poses a pointed question.

Netflix: why no 2FA for the login process?!

2FA, also known as multi-factor authentication or two-factor authentication, provides an additional layer of security for an authentication mechanism.

Wikipedia definition:

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).[1][2]

Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.[3]

Two-step verification or two-step authentication is a method of confirming a user's claimed identity by utilizing something they know (password) and a second factor other than something they have or something they are. An example of a second step is the user repeating back something that was sent to them through an out-of-band mechanism. Or, the second step might be a six-digit number generated by an app that is common to the user and the authentication system.[4]

Netflix does not currently offer any of the above forms of security. Why? Many claim that the engineering effort would not be worth it, or that there is no private information to protect. I'd argue against these points and state that your:

  • Mailing address
  • Billing address
  • Last four of your credit card or PayPal (or billing method)

would be considered private information by many. Unauthorized sharing of Netflix credentials is rampant; 2FA would help prevent it.

The question is -- what's your take on why Netflix has yet to implement increased security measures for its users? Why no 2FA?

Discussion (6)

Jorge Castro • Edited

It is because 2FA is a way to burden the end-users.

  • Developers: We want to implement 2FA in our platform.
  • Netflix executives: Ok, and how much will it cost us?
  • Developers: Around two months.
  • Netflix executives: Ok, and it will increase the number of viewers?
  • Developers: Well, not really. It is about security.
  • Netflix executives: So, it will not increase the number of viewers but it could be a burden for some customers and it could decrease the number of viewers.
  • Developers: Yes, but it could be optional.
  • Netflix executives: So optional, an option that plays against the number of viewers and will cost us time (and money). Sorry, but no.
  • Developers: But the security.
  • Netflix executives: We already invested in our security. If our customers have trouble then we can reset their password. It's their responsibility, not ours.

How to annoy an executive: suggest changes that involve earning less money.

Troy Author

y

dev to exec

Jorge Castro • Edited

I always believed the executives and management were our enemies. That was stupid. The executives are our only allies.

Their responsibility is to bring in money. Our responsibility (as IT) is to spend that money. So, we are a burden for the executives, not the opposite. Otherwise, who would bring money to the IT department? A developer?

Now, let's say there is a business where one of the executives considers the IT department good for the business because it generates income. That means this executive could invest money in the IT department: a better office, more developers (if not a raise for the team), new hardware and such.

Now, let's say the opposite, a business where the IT department is considered a waste of money: it means an office in the basement, old hardware, some firing, and a cheap workforce.

Sometimes they are annoying, especially when they try to push some technology (that they don't understand, but that they read about on some website/magazine).

Ped-raM

Someone from India got access to my account and changed the email and password. So basically I lost all the access. I called Netflix and all they could do was to cancel the account and told me to create a new one. If there was MFA or 2FA, I wouldn't have to deal with any of this.

Colin Principe

My thought is that it's because so many people use Netflix via some kind of media device rather than a PC. 2FA on a media device can be a real PITA. I'd welcome 2FA in the Account section of the app, but if I had to pull out my 2FA device every time my kids wanted to watch PJ Masks I'd shoot myself.

rhymes

I think it's because they don't really want to crack down on password sharing, which is quite a big thing on Netflix. Even the CEO declared in the past that it was fine with him.

By adding 2FA they would make password sharing quite a bit more burdensome.

But I agree with you in principle, every website that stores personal data should have optional 2FA.