Unauthorized account sharing: are device controls keeping pace?

TL;DR: Unauthorized account sharing is costing subscription businesses billions in lost revenue and distorted usage signals, with streaming alone estimated at $25 billion in losses and 56% of Americans still sharing passwords on streaming accounts, according to the source and Forbes Advisor. Device identification helps distinguish legitimate from abusive access, but it also forces IAM teams to separate customer experience controls from identity governance.

NHIMG editorial — based on content published by Arkose Labs: Unauthorized account sharing and device identification across subscription platforms

By the numbers:

• The habit of sharing online passwords to streaming and other subscription video-on-demand services amounted to about $25 billion in lost revenue before the industry began clamping down on unauthorized account sharing.
• A survey by Forbes Advisor found that 56% of Americans still share passwords on streaming accounts.

Questions worth separating out

Q: How should security teams control unauthorized account sharing without hurting legitimate users?

A: Start by defining the sharing models the business actually permits, such as household, team, or enterprise use.

Q: Why does device identification matter for IAM and fraud teams?

A: Because account sharing changes the access problem from single-user authentication to ongoing device governance.

Q: What do teams get wrong about unauthorized account sharing controls?

A: They often assume that stronger login checks alone will solve the issue.

Practitioner guidance

• Define acceptable sharing policy by account type Separate household, team, and enterprise use cases before enforcing device limits.
• Correlate devices with behavioural thresholds Use repeated logins, short-interval geography shifts, and account-wide device proliferation as combined signals rather than relying on a single fingerprint match.
• Target friction at high-risk devices only Reserve step-up checks, device blocking, or additional verification for patterns that indicate abuse.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

• How Arkose Device ID is used to distinguish authorized from unauthorized sharing in real platform workflows
• The role of 35+ additional device data signals in reducing spoofing and improving enforcement accuracy
• Examples of how suspicious multi-device access is mapped across accounts before friction is applied
• Operational guidance for balancing user convenience with revenue protection in subscription environments

👉 Read Arkose Labs' analysis of device identification for unauthorized account sharing →

Unauthorized account sharing: are device controls keeping pace?

Explore further

View Full Forum →  |  NHI Foundation Course →