A lot has changed since Netflix tweeted that “love is sharing a password,” proving once again that love can be fickle. In July, the streaming giant rolled out its solution to combat password sharing on a global scale, driving record-breaking sign-ups.
The mechanism enforcing this uses information about the account household and the devices used to access the platform to determine if access should be granted. Given that the streaming giant has shared that it uses attribute-based systems to authorize external users at scale, this enforcement system might be a great real-world example of attribute-based access controls. Read on for all the details.
A crackdown on password sharing
Sharing a Netflix password with friends and family used to be very common, even if you didn’t live in the same place. It was so common that earlier this year Netflix reported that an astonishing 100 million households were sharing accounts.
In an effort to combat this issue, the streaming giant updated its account sharing policy earlier this year so that sharing is restricted to a single household. Under the new policy, you can share access to your account only with the people you live with.
In March, the streaming platform began rolling out the enforcement mechanism meant to block access when people outside of the household try to access the account. In July, the new policy was enforced on a global scale. In that month, 2.6 million people subscribed to the service. For context, this represents a 26% increase over the number of new users created in the record-breaking month of June.
This enforcement mechanism uses information about the household and the devices used to access the account to determine access. Users are required to confirm their household network and check in devices on that network monthly to retain access. Devices trying to access the account from a different location will be blocked until they 1) check in from the household or 2) are added as extra members by the account owner. Extra members are paid seats with their own login and profile.
Using environmental attributes, such as device and network, to enforce access is a textbook example of attribute-based access controls (ABAC). ABAC systems use dynamic attributes of the user (email, profile), resource (name, genre, catalog), or environment (device, network, IP address) to determine access to resources. After all, the ability to restrict access based on environmental attributes is what drives most organizations to adopt ABAC (more about that here).
Authorizing extra members with ABAC
The process of blocking external devices and authorizing extra members could be governed by a simple ABAC policy. Such a policy would use a combination of environmental attributes that the streaming platform already collects to determine access, including:
- Household: Users are required to confirm their household network. They can easily update this information if they move, or are traveling - more about that later.
- IP Address: All of the devices connected to a network share the same public/external IP address. This address facilitates communication between external services and devices on the network. It could also be used as an indicator that the device is connected to the household network.
- Device: Subscriptions differ in the number of devices that can access the service. Each device is recorded to ensure that it is within the limits of the user’s plan.
In order to retain access to the platform, devices must “check in” to the household network monthly. As long as a device checks in from that network within 31 days, it will be able to continue to share access. Any devices that have not checked in will be blocked, even if they have the right credentials.
If you are traveling, or have moved, you can easily update your household information in the Settings. Please note, though, that only devices that check in from this new network will be able to continue to access the account. If your children are traveling, or have moved out, they will be able to continue to access the service from any location, as long as they can check in from your household network every 31 days. If they can’t check in monthly, they will lose access.
While this might not be as familiar an example of an ABAC system as requiring a VPN connection to get access to business systems, it is a great example of an attribute-based system. The household network, IP address, and the device IP addresses are all dynamic attributes an authorization system can use to determine whether a specific device should be able to access a specific user’s account.
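The policy described above can be sketched as a small decision function. This is an added illustration, not Netflix's or Aserto's code: the names Account, Request, decide and access, the reason strings, the way the device limit is counted, and the sample IP addresses (documentation ranges) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHECK_IN_WINDOW = timedelta(days=31)  # check-in interval stated in the article

@dataclass
class Account:
    household_ip: str                                # public IP of the confirmed household network
    device_limit: int                                # devices allowed by the plan (assumed model)
    check_ins: dict = field(default_factory=dict)    # device_id -> last household check-in
    extra_members: set = field(default_factory=set)  # paid seats with their own login

@dataclass
class Request:
    user_id: str
    device_id: str
    source_ip: str
    at: datetime

def decide(account: Account, req: Request) -> tuple:
    """Return (allowed, reason) from user and environment attributes only."""
    if req.user_id in account.extra_members:
        return True, "extra_member"
    if req.source_ip == account.household_ip:
        new_device = req.device_id not in account.check_ins
        if new_device and len(account.check_ins) >= account.device_limit:
            return False, "device_limit_reached"
        return True, "household_network"
    last = account.check_ins.get(req.device_id)
    if last is not None and req.at - last <= CHECK_IN_WINDOW:
        return True, "recent_check_in"
    return False, "check_in_required"

def access(account: Account, req: Request) -> tuple:  # enforcement point
    allowed, reason = decide(account, req)
    if allowed and reason == "household_network":
        account.check_ins[req.device_id] = req.at     # access from home counts as a check-in
    return allowed, reason

def demo() -> list:  # constructed scenario, documentation-range IPs
    t0 = datetime(2023, 7, 1)
    acct = Account("203.0.113.10", device_limit=2, extra_members={"friend"})
    return [access(acct, r) for r in (
        Request("owner", "tv", "203.0.113.10", t0),                            # at home
        Request("owner", "phone", "198.51.100.7", t0),                         # never checked in
        Request("owner", "tv", "198.51.100.7", t0 + timedelta(days=20)),       # travelling
        Request("owner", "tv", "198.51.100.7", t0 + timedelta(days=40)),       # check-in expired
        Request("friend", "laptop", "198.51.100.7", t0 + timedelta(days=40)),  # extra member
    )]
```

A public IP address can change over time and can be shared by unrelated subscribers behind carrier-grade NAT, so a production policy would treat it as one signal among several rather than as proof of household membership.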
This is just one example of how fine-grained authorization secures access to resources. In this case, the system also unlocked an additional revenue stream in the form of extra members.
There is no doubt that some extremely talented people work for Netflix. But, you don’t have to be Netflix, Airbnb, or Google to implement sophisticated access controls.
There is a new wave of modern authorization services that help organizations implement varied degrees of fine-grained access controls. Aserto is one of those services. It is fast, flexible, and easy to implement. It enables developers to add RBAC, ABAC, ReBAC, or combinations to their apps in minutes, instead of months. And it is based on an open-source authorizer, Topaz, that you can deploy in your cloud today to begin to experience the benefits of fine-grained access controls.
Netflix recently rolled out a system to combat account sharing on a global scale. This system uses environmental attributes to enforce access controls. This is a great real-world use case for an attribute-based access control (ABAC) system.
While building a sophisticated enforcement mechanism like this might sound like a large undertaking that only a company the size of Netflix could take on, that is no longer the case. In recent years a new wave of authorization SaaS has emerged to enable developers to implement resource-level access control systems, without having to build them from scratch.
Aserto helps your developers do what Netflix has done. The only difference is that with our platform you can get started in minutes and can be fully integrated in a week or two. If this sounds interesting, drop us a line, or join our community Slack.