Second authentication factor still elusive for pay TV in online era

Apart from its impact on the way video piracy is conducted, the rise of online has also increased the challenge of authenticating users. Attempts to replicate the hardware-level of protection provided by the traditional set top through secure elements and Trusted Execution Environments (TEEs) have been only partially successful so far, while efforts to improve basic password protection have failed to win widespread acceptance.


Operators are caught between enforcing more rigorous security and making the user experience as pleasant as possible with the least friction. That is why leading SVoD providers like Netflix have made no attempt to impose any additional security factor on their customers despite various breaches occurring. The damage caused by prompting churn through erecting barriers is deemed to exceed the cost of these breaches.

Yet the situation is rather different for other online services as we see the likes of Google and Microsoft respond to violations of their security by at least making second and third factors available for their web-based office productivity and storage services. But there is the rub, these factors are offered as added benefits for users, rather than hoops they must jump through. The big difference is that multi-factor security is promoted there to boost user privacy and protect their data from theft, eavesdropping or malicious modification. Similarly banks can insist on a second factor based on devices that generate one-time passkeys on the grounds that it protects users against fraudulent payments from their accounts.

The challenge for pay TV and video services has always been that the role of security is to protect their assets not just from organized piracy but subscribers themselves seeking to bypass access controls say to watch premium content they have not paid for. There is little benefit in it for the customer.

For this reason, the issue of user authentication in pay TV is a long running saga that only now with the help of AI based activity monitoring may be on the verge at least of partial resolution. The situation has not been helped by the diverse ways in which second factor security has been implemented and the same could almost be said of third factor biometric techniques.

Fundamentally it is simple enough to state, the first factor is something the user knows like a password, the second is something the user owns such as a dongle, or increasingly their mobile phone, while the third factor is some unique property of the user, a biometric such as a face, thumb print or voice.

The second factor crept into online baking just over a decade ago around 2007 when Barclays introduced its PINsentry operated by inserting a debit card and entering a PIN which in the event of a match generated an eight-digit one-time passkey corresponding with a number set held by the bank. This relied on the fact that eight digits generates enough permutations to allow all the bank’s customers to have unique sets of numbers associated with their accounts sufficiently large to avoid repetitions for a long time. In this case a given eight-bit key would only work once, at least until some time in the future when it might be generated again.

Other methods associated with such devices were also deployed, such as time-based passkeys whose uniqueness is determined by the current time period. Such keys would be valid for a given period and rely on having access to the internet, or in theory an accurate internal clock in the client device.

Then as smartphones became more powerful and ubiquitous, they have been adopted increasingly, including for mobile versions of the same online banking services. This also gave rise to OOB (Out Of Band) authentication which in principle can strengthen security by avoiding over-reliance on a single channel. With a smartphone, a number of services conduct additional security checks by sending a one-time passkey as a text message to the user. Such messages can also be sent by email, phone or some instant messaging system and have become more prevalent at the enterprise level to protect against unauthorized access and data breaches perpetrated through phishing, brute-force attacks, password guessing or database hacking.

The use of smartphones, especially SMS messages, introduces some vulnerabilities and also imposes friction because users have to engage in a separate step via their phones which can delay access for up to a minute or two as they wait for the one-time code to come in. For these two reasons there has been continued development of dedicated hardware devices for one-time passkey generation, with deployments for applications or services involving online access to confidential or personal data in particular. A handful of dedicated vendors have emerged in this field, such as Yubikey with a USB dongle that can also be used wirelessly in very close proximity to the target system via Near Field Communication (NFC) which works at distances up to 4cm. Another is Feitian, which also supports USB as well as NFC and Bluetooth BLE.

Then in July 2018, Google weighed in with the launch of its Titan Security Keys developed with some input from Yubico and NXP. In all three cases the emphasis has been on making the cryptographic operations performed by the security key as resistant as possible to compromise during the entire device lifecycle, from manufacturing through actual use. In Google’s case the firmware performing cryptographic operations is sealed permanently into a secure element at production time during chip fabrication. This secure element hardware chip is designed to resist physical attacks aimed at extracting firmware and secret key material.

All three of these devices support FIDO (Fast IDentity Online) developed by an alliance of the same name set up in 2013 to remedy the lack of interoperability among strong authentication devices. The fundamental technology of FIDO protocols is not new, being based on public key cryptography. When registering initially with an online service, the user’s client device creates a new key pair, one private and one public as usual. The private key can be used for signing messages or decrypting cryptographic data sent to that user by anyone else via the public key.

The point is that anyone can send cryptographic data such as a symmetric key for encrypting the data payload using that user’s unique public key, but only the user can decrypt it with the private key.

At the same time, the private key can be used to insert say a signature which anyone can decrypt using the public key to verify the identity. In the case of FIDO too the client retains the private key and registers the public key with the online service.

Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by some straightforward yet relatively secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second factor device such as a dongle, or just pressing a button.

The point of FIDO then is to facilitate interoperability among devices and services. The FIDO Alliance has so far published three sets of specifications aiming for simple yet stronger authentication. These are FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the latest FIDO2 unveiled in April 2018.

The latest FIDO2 Project comprises interlocking initiatives that together create a FIDO Authentication standard for the web and expand the FIDO ecosystem. FIDO2 is made up of the W3C’s Web Authentication specification (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP), which collectively enable users to authenticate themselves to online services from common devices in both mobile and desktop environments.

WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. Then CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

Multiple major web browsers including Chrome, Firefox and Microsoft Edge have implemented the standards, as have the principal operating systems such as Android, Windows 10 and related Microsoft platforms. Even Apple has just joined in after announcing what it called experimental support for the FIDO WebAuthn in December 2018 to enable website logins by plugging a USB security key into a computer.

FIDO aims to support a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near field communication (NFC). The USB security token device can be used to authenticate using a simple password or PIN, or by pressing a button.

While there is growing momentum behind FIDO, there is still resistance to the whole idea of second or third factor security in pay TV or SVoD, with service providers still concerned that users will be put off when there appears to be nothing in it for them. Amazon is an exception, largely because its Prime service also embraces user accounts linked to credit cards or other payment mechanisms for purchases. Similarly, Google’s advocacy of two factor is driven by the need to protect user data and assets.

For these reasons there is growing interest among video service providers in adaptive authentication, sometimes referred to as risk-based, or dynamic, authentication. This has already been deployed by banks and ecommerce providers, among others, to assess risk of fraud or account misappropriation on the basis of user activity or behavior. The idea then is to enforce some challenge in the event of suspicious activity indicative of abuse or fraud. This could be used to invoke a second factor such as a smartphone-based one-time passkey, or a biometric, although the means to do would have to be set up in advance. It could just be a phone call or a one-off text to a user’s smartphone, which would not impose so much of a burden to the user.

Such monitoring has already been applied in pay TV in conjunction with forensic watermarking, to identify streams suspected of being illicit in the first place. This could be on the basis of activity such as a user being continuously tuned to a channel, which might be flagged as a potential pirate redistributing streams that were initially delivered via an apparently legitimate subscription.

The same principle has been applied by Synamedia, the company chaired by Abe Peled repurchased by equity firm Permira Funds from Cisco for $1 billion in 2018, in its first product launched since the demerger. Designed to help operators respond to casual sharing of passwords used to access OTT services, this analyzes activity on the basis of location, time and device type among other factors. Service providers can then act accordingly either by shutting off a stream suspected of being used by a friend without authorization or contacting the actual subscriber with an offer to share legitimately. There are already precedents for that, noting that Netflix offers three plans distinguished not by the content available but the number of devices that can access the service simultaneously.

More widely, adaptive authentication is being evaluated as a way of complementing and strengthening traditional password protection without imposing the friction of a second or third security factor. This follows the old adage that the best security should be only just good enough and aiming for perfection is counter-productive.