Unauthorized account sharing: are device controls keeping pace?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Unauthorized account sharing is costing subscription businesses billions in lost revenue and distorted usage signals, with streaming alone estimated at $25 billion in losses and 56% of Americans still sharing passwords on streaming accounts, according to the source and Forbes Advisor. Device identification helps distinguish legitimate from abusive access, but it also forces IAM teams to separate customer experience controls from identity governance.

NHIMG editorial — based on content published by Arkose Labs: Unauthorized account sharing and device identification across subscription platforms

By the numbers:

Questions worth separating out

Q: How should security teams control unauthorized account sharing without hurting legitimate users?

A: Start by defining the sharing models the business actually permits, such as household, team, or enterprise use.

Q: Why does device identification matter for IAM and fraud teams?

A: Because account sharing changes the access problem from single-user authentication to ongoing device governance.

Q: What do teams get wrong about unauthorized account sharing controls?

A: They often assume that stronger login checks alone will solve the issue.

Practitioner guidance

  • Define acceptable sharing policy by account type: Separate household, team, and enterprise use cases before enforcing device limits.
  • Correlate devices with behavioural thresholds: Use repeated logins, short-interval geography shifts, and account-wide device proliferation as combined signals rather than relying on a single fingerprint match.
  • Target friction at high-risk devices only: Reserve step-up checks, device blocking, or additional verification for patterns that indicate abuse.

What's in the full article

Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:

  • How Arkose Device ID is used to distinguish authorized from unauthorized sharing in real platform workflows
  • The role of 35+ additional device data signals in reducing spoofing and improving enforcement accuracy
  • Examples of how suspicious multi-device access is mapped across accounts before friction is applied
  • Operational guidance for balancing user convenience with revenue protection in subscription environments

👉 Read Arkose Labs' analysis of device identification for unauthorized account sharing →




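The "combined signals" guidance in the post above, as an added example that is not part of the original post or of Arkose Labs' product: a detector that applies step-up only when two or more of the three named signals fire, with limits set per account type. The event fields, thresholds, and sample logins are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds (hypothetical; derive real ones from the permitted sharing policy).
MAX_DEVICES = {"household": 4, "team": 10}  # distinct devices allowed per window
MAX_LOGINS_PER_DEVICE = 5                   # repeated logins from one device
MAX_KMH = 900                               # implied speed between consecutive logins

def km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    (la1, lo1), (la2, lo2) = [(radians(x), radians(y)) for x, y in (a, b)]
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def signals_for(events, account_type):
    """Return the set of signals that fired for one account's login events."""
    events = sorted(events, key=lambda e: e["ts"])
    per_device = Counter(e["device"] for e in events)
    fired = set()
    if len(per_device) > MAX_DEVICES[account_type]:
        fired.add("device_proliferation")
    if max(per_device.values(), default=0) > MAX_LOGINS_PER_DEVICE:
        fired.add("repeated_logins")
    for prev, cur in zip(events, events[1:]):
        hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if cur["device"] != prev["device"] and hours > 0 \
                and km(prev["loc"], cur["loc"]) / hours > MAX_KMH:
            fired.add("geo_shift")
    return fired

def decide(events, account_type):
    """Apply friction only when signals combine; one signal alone is allowed."""
    fired = signals_for(events, account_type)
    return ("step_up" if len(fired) >= 2 else "allow"), fired

def ev(device, ts, loc):
    return {"device": device, "ts": datetime.fromisoformat(ts), "loc": loc}

NYC, LA, LONDON = (40.71, -74.01), (34.05, -118.24), (51.51, -0.13)
# Constructed sample logins, not real data.
HOUSEHOLD = [ev("tv", "2024-05-01T19:00", NYC), ev("phone", "2024-05-01T20:00", NYC)]
TRAVELLER = [ev("phone", "2024-05-01T19:00", NYC), ev("laptop", "2024-05-01T20:00", LONDON)]
SHARED = [ev("d1", "2024-05-01T19:00", NYC), ev("d2", "2024-05-01T19:20", LONDON),
          ev("d3", "2024-05-01T19:40", LA), ev("d4", "2024-05-01T20:00", NYC),
          ev("d5", "2024-05-01T20:30", LONDON)]

if __name__ == "__main__":
    for name, sample in [("household", HOUSEHOLD), ("traveller", TRAVELLER), ("shared", SHARED)]:
        print(name, decide(sample, "household"))
```

The same `SHARED` events evaluated as a `team` account fire only the geography signal, which is why the policy per account type has to be defined before device limits are enforced.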
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Device identification is now an access governance problem, not just a fraud control. Subscription platforms are no longer only defending against shared passwords. They are deciding which device behaviours count as legitimate entitlement use and which cross into unauthorized reuse. That shifts the control question from authentication alone to ongoing access interpretation, which is a core IAM concern rather than a pure anti-fraud feature. Practitioners should treat device identity as part of the policy layer, not a separate point solution.

A few things that frame the scale:

  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • Another finding from the same research shows that the average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.

A question worth separating out:

Q: How do you know if device-based sharing controls are working?

A: Look for lower abusive reuse, cleaner usage metrics, and fewer disputes about blocked legitimate access. If revenue improves but customer complaints and false positives rise sharply, the control is too blunt. Effective programmes reduce abuse while preserving the intended sharing model.

👉 Read our full editorial: Device identification is reshaping subscription account sharing controls


