Who Are You? Authentication in the TV Everywhere Age

Mon, 02/28/2011 - 8:00pm
Brian Santo, Editor-in-Chief

TV Everywhere won’t work unless service providers can positively identify their subscribers through authentication systems.

Progress is being made on the TV Everywhere concept, albeit at a measured pace. Video is widely available on various devices and in many more places than ever before, but TV Everywhere is about premium content, and when it comes to premium content, TV is far from everywhere yet.

There remain impediments to getting premium content on more devices in more places. One of the most important is assuring that the person consuming the content is, in fact, the person entitled to watch it. A multichannel video programming distributor (MVPD) has to be able to authenticate the user.

At this point in the development of TV Everywhere, most MVPDs are only beginning to take their first tentative steps toward delivering premium video to a small handful of specific devices, notably iPads, and authentication in that context is not that big a hurdle. Authentication might become a larger issue later, however, when MVPDs get more ambitious with TV Everywhere.

“Right now we see a lot of emphasis on having the rights extended to both tablets and smartphones,” said Synacor CEO Ron Frankel, “but I think this next year or so is really about getting the rights profile right, and enabling the experiences, and getting the critical mass of content available to be viewed online via an authenticated relationship. I think we’re going to see a lot of infrastructure built out and not so much usage in 2011.”

In the meantime, the most prominent hurdles the industry has to leap to get to TV Everywhere are legal in nature. Premium content developers and owners on the one hand, and content distributors on the other, are still negotiating over who will have rights to what content, and under which circumstances. The legal questions are, of course, all tied up with the technology, inasmuch as technology has instigated the legal questions.

The Entertainment ExperienceThe arrival of smartphones and mobile devices opened new distribution possibilities. That opened existing distribution agreements to renegotiations about the new distribution avenues.

 And any time premium content owners talk about new forms of distribution, the fear of theft kicks in with a vengeance. There will be endless wrangling over digital rights management (DRM), entitlement/authorization and authentication.

Meanwhile, technologists are still figuring out the best ways for delivering video to mobile devices. Many of the technological issues are tied in to the variables of displays, content formats and network delivery. Each of those many devices supports some video formats but not others, they have different screen sizes, and they are connecting via networks that have different capabilities from each other, and as challenging – if not more so – any given network is likely to have variable performance, with bandwidth limitations that increase with traffic volume (see “Transcoding: Presto Change-O!” in CED’s February issue).

Since some of the technology is still being evaluated, there’s no urgency to settle the legal issues immediately, and since the legal issues are still being settled, there’s no incentive to immediately deploy technology, especially when, with time, better solutions might be developed.

At the same time, there’s minimal competitive threat compelling anyone to rush the whole process. Over-the-top providers are not yet that rich in high-value content, so consumers are not ditching their subscriptions to MVPD services to rely entirely on OTT in large enough numbers to be worrisome (or even detectable, some MVPDs say).

The bottom line, then, is that little new is going to happen in TV Everywhere until everybody figures out who gets paid, how much and under what circumstances.

Several MVPDs are doing some form of TV Everywhere. Rogers Communications is making video available through digital cable, broadband and wireless. Rogers seems to be singular in that respect, so far, although AT&T is known to be working on a similar model.

Other U.S. MVPDs tend to limit TV Everywhere to PCs and other computing devices. Comcast and Dish Network, for example, have TV Everywhere apps that allow customers to stream on-demand content to iPads and iPods. Time Warner Cable, Cablevision and others are expected to be right behind.

As a practical matter, MSOs seem to be concerned with getting video to screens that are large enough to provide a good viewing experience, hence MSOs’ emphasis on the iPad and other tablets.

One thing to note: The context of the situation may be TV Everywhere, but premium content is not confined to TV or video. It could be audio, games or other media.

The authentication process here is pretty well understood. The MVPD creates a Web-based portal and installs a sign-in process. That process could include asking the subscriber to sign in with a password.

There are two schools of thought on that. Some people think subscribers find it intrusive and frustrating to continually have to enter passwords. In other words, it’s an ease of use issue. Others think password entry is so common that most subscribers will barely notice they’re doing it.

For those who prefer not to demand password entry, the alternative is a device registry. It could be automatic, if the MVPD is willing to make the reasonable assumption that the person behind its modem is in fact a subscriber. An MVPD can go a step further and ask subscribers to actively register the devices, usually the first time they connect.

Either way, the MVPD connects this entry to its billing system to validate the person as an active customer and provide a list of content the subscriber is entitled to see.

There’s an issue that comes up here – relatively easily solved, but a problem nonetheless. Different MVPDs are likely to install different technologies for authenticating their customers, a bit of a problem for any content owner that wants to deal with MVPD subscribers directly, as HBO, for example, is doing with its new HBO Go service.

It is possible for a content owner to devise a different authentication program for every MVPD it deals with, but that could quickly become burdensome.

Some companies are trying to introduce a standardized approach to Web-based authentication. SAML is an XML-based authentication and authorization standard. One company championing its use is Ping Identity, which recently allied with Webbased content distributor Brightcove.

Symantec last year bought Verisign to address the issue (the operation is now called Symantec Authentication). The company offers security as a service.

But the lack of a single approach to authentication and authorization creates an opening for third-party intermediaries to provide solutions, and so they have.

They are frequently companies that have video distribution platforms, such as Brightcove, Ooyala, thePlatform, Azuki Systems and many others.

ThePlatform, for example, has developed what it calls an authentication proxy that takes subscriber credentials and translates them into the format required by each authentication system. The content owner’s website, thePlatform said, only has to deploy one widget to handle authentication for all of its MVPD partners.

Synacor has a platform it describes as an authentication engine. The front of the platform is a site subscribers can go to and get authenticated for all content a consumer might be entitled to.

“We have a presentation layer,” Frankel explained. “When the consumer goes to search and discover the material they want to view or consume, they would use our pages and our search, and then they click on the material. The content is then transmitted to the sub.”

It doesn’t matter where the content is. The MVPD could have it, or the content originator; Synacor can even provide the storage.

“That’s if they have the rights,” Frankel continued. “If they don’t have the rights, we give them an upsell message.”

Comcast works its TV Everywhere solution through its subsidiary, thePlatform. ThePlatform’s vice president of sales and marketing, Marty Roberts, explained that authentication has to be backed up by authorization.

“Number one: How do we authenticate a consumer as being a valid customer? Most of the MSOs we’ve worked with have built a Web system in front of their service. Most of that work has already been done,” Roberts said. “The second piece is, now that a user has pressed ‘play,’ do they actually have the rights to watch that video? The technology has been worked out to map between the individual video, map it to its channel ID and map that channel ID to the customer’s TV package, so there are tight links among all of that. People are utilizing that today.”

There are potential inadequacies with the two approaches to authentication. Passwords can be stolen; they can also be freely given away – shared among family or friends. Same thing with registering a device.

Some companies are trying to authenticate based on a unique signifier. Fingerprinting is possible but is generally rejected as somewhat creepy – that’s how the authorities identify murder suspects. Facial scans are possible, but not recommended, because they can be done without the user knowing it.

Trade Harbor thinks the key to authentication will be voice. The company claims it can get a voice print that is accurate even when the subscriber has a cold. The company has an app for Android and for Apple’s iOS. Subscribers can simply download the app. Almost every mobile device these days comes with a microphone. Subscribers merely have to speak a command into whatever device they have to place an order.

“We can authenticate every use and store every choice that a subscriber makes,” said Paul Heirendt, Trade Harbor’s president and CEO.

Why is that useful? Some subscribers will insist that they did not order what got delivered to them. And how can a service provider respond? That it detected a button click? But if the user goes through a voice authentication and orders through Trade Harbor, then the service provider has a recording of their voice placing the order.

What happens when TV Everywhere services begin to get more complicated when smartphones get thrown in the mix? The smartphone in and of itself does not represent a challenge, but the fact that it might be operating on another network, that adds some complexity. What happens when a consumer who has a video subscription with an MSO wants to order a piece of content to view on their smartphone via a wireless operator’s network?

This is another place where it seems most useful to have a third party step in. If the MVPD is working with Synacor, that company’s authentication system should be able to get content to any device, provided the device has implemented the authentication gateway client, Frankel explained. He also said the company is developing some app-based authentication in the coming months, though he declined to provide details.

Roberts said: “In terms of distribution to more devices, there doesn’t have to be a relationship between a Comcast and a Verizon, for example. They’re open networks. Delivery is more governed by the content delivery network each chooses to use, such as Akamai or Limelight. We’ll authenticate and then go through that authorization step, but to us, it doesn’t matter technically if you’re accessing that content off the cable provider’s Web portal or video portal or off the programmer’s website or off a mobile phone. The technology is all standards-based. It’s just standard Web traffic at that point.”

David JacobsAmdocs CTO, Broadband, Cable & Satellite Division, David Jacobs said that in situations where you have to do referrals through some other provider, “I think some of that still needs to be worked out. There are great opportunities for companies like Neustar, as just one example, where they’re offering a clearinghouse-type service, where they offer the mechanisms to allow different service providers to communicate, yet … no one’s exposing their customers’ data.”

The other possibility, Jacobs said, is to leverage PacketCable 2.0 through that specification’s IMS provisions.

“The one with the most likelihood for success is the first option,” however, Jacobs said, “because it’s that much easier for the most people to get their heads around a clearinghouse approach.”

Amdocs specializes in billing, and Jacobs said that there are considerations there, too. You can put your authentication system in front of your billing system, but IT systems are changing, and the situation might not remain that simple. “As we move forward, we’re beginning to see the introduction of more convergent infrastructures and more layered architectures where that customer profile isn’t necessarily held in the billing system,” he said. “It’s held in some other place in the architecture. I think we’ve got different sets of information that must coexist, and we’re still working on that.”

Issues include the fact that you now need a back office system that must support high volumes of transactions in real time.

Azuki Systems makes a transcoding platform designed specifically to serve mobile devices.

Azuki CEO John Clancy said: “I think of authentication as more than first generation, a defense against over-the-top. People don’t like to enter passwords, they just want it to work, they want instant access. The big win for MSO and TV Everywhere is to make it brainless for users.” The goal would be to have authentication be somehow automatic. “It integrates, it authenticates, it allows you to do true session-shifting, it lets the MSO reach in and do ad insertion and start driving top line on this,” Clancy said. That’s when the whole system gets powerful. “Authentication and user participation, that’s stage one; when it gets brainless, seamless, a joyful experience, that’s when it gets interesting. We hear MSOs talking like that, and that’s the arc of the story.”


An initiative that dovetails with the authorization and authentication issue is the work being done by the Digital Entertainment Content Ecosystem. The question DECE addresses is: How do you give consumers universal access to content that they’ve purchased?

The answer is to create what is commonly referred to as a digital rights locker – stored in the cloud. A consumer buys some piece of content, and that fact is logged in the locker. If a consumer requests access to that content, no matter where in the world they are, they should be able to get it, delivered by whoever’s service they log in to (of course, they will have to have, or enter into, an agreement with that service provider).

DECE is developing a means to purchase content and is combining it with a rights locker. Among its members are CableLabs, Comcast and Cox Communications, along with several computer and consumer electronics manufacturers and a handful of film studios.

DECE is branding the whole thing “Ultraviolet.” It should be ready to go commercial sometime around the middle of the year.

“DECE brings to the table the advantages of a common file and a common encryption format for DRM, the ability to have a rights locker in the sky,” said Marty Roberts, thePlatform’s vice president of sales and marketing. “What that allows an operator to do is save a little complexity in the back end so we don’t have to support so many DRM systems, which takes cost out of the value chain.”

The MVPD can then tap into the locker and present to its subscribers not only the content to which they have rights through their subscription, but also all the content they’ve purchased.

“It positions you right in the center – you can present a comprehensive video library based on that user’s rights,” Roberts said.

From an authentication standpoint, DECE’s efforts are also interesting because it’s drilling down farther than the household. Each household will be able to create an account for up to six members. Consumers will also be able to register up to 12 devices. Content can not only be downloaded to those devices, but also shared among them.


Share This Story

You may login with either your assigned username or your e-mail address.
The password field is case sensitive.