Examining Authentication Methods on TVs

There are a lot of different apps that you can download on your TV. By authenticating with your account, you can quickly gain access to all of your settings and content. After authenticating, you can relax, watch a movie in your library, listen to your favorite playlist, or return to the latest level of a game. However, how does one get past the authentication screen? There are a lot of different ways for logging into stuff on your TV, and this article is a deep examination and comparison of all these types.

Username / Password

Username and password is one of the oldest and simplest ways to log into your account. It uses something you have (a username) and something you know (a secret phrase) which should be able to uniquely identify you. It allows you to log in from anywhere, which can also be a downside since it allows malicious actors to also access your account.

Usernames and passwords are easy to implement in a TV app, especially if you can reuse the same layout from your phone app. However, there are two major pain points that users experience.

  • Typing things in with a DPAD is bad
  • Everyone can see what you’re typing

TV keyboards aren’t good. It takes time and clicks to get from one corner of the keyboard to the other. For those people who have long, secure, alphanumeric passwords, this is a chore. Additionally, you’re entering this on a large TV screen, 20 inches or larger. Anyone in the room is able to see your cursor entering in characters one at a time and the text field also shows the last entered character briefly. Unless you trust the people around you, this is a bad way to authenticating. It’s good to take a look at some alternatives for your TV app.

Enter Code

vimeo_20161128_014556

One method that has been popular is a code that appears on the TV. This code is uniquely generated and usually expires in a few minutes. A person needs to visit a web browser on another device and enter their username and password. A successful authentication on a phone then authenticates the TV app with the same user.

It works. It takes advantage of a person’s second screen. It is fairly easy to implement, with some tools already built for smart TVs like Twitter’s Digits. Digits uses alphanumeric codes that are eight characters long (36^8 = 2821109907456 unique combinations), which makes it hard for someone to log in to another person’s device accidentally.

However, it is still not too convenient. You need to get a second device to do the process and then you need to authenticate with your username and password, but also with another code that needs to be typed perfectly.

Connect to Mobile

Spotify Connect

When you first set up your Android TV, there is a way to do it from your phone. It searches for nearby TVs and connects to one that is actively searching for phones. When the two connect, your authentication info is transferred, along with personal settings and perhaps apps. It’s a quick way to bootstrap your TV with minimal effort.

However, this isn’t seen too much in apps. Spotify is the only one I know which does it. You start playing a song on your phone, using your account. Then you can use Spotify Connect to continue playing on your TV, also transferring authentication information.

Spotify doesn’t support casting on Android TV, so this is a good way to get similar functionality. However, it would be weird if every time I cast something it stored my login credentials. Chromecast works well for supporting guests, those who want temporary authentication.

However, the idea is good. Using APIs like Nearby would allow your phone to detect your TV in close proximity. Then the two devices can share authentication information without having to enter any new username or password.

It can be inconvenient though, if you don’t have your phone with you or that app isn’t installed. Then you’d have to download it on two devices even though you only wanted it on your TV.

Google Account

google authentication sign in

When you setup your TV, you login with your Google account. This identifies the person who uses the device. Since there is already an authenticated user, is it possible to use that to uniquely authenticate the user in a 3rd party app? Google has a platform for signing in users with Google. It works on the web, phones, and TVs. Using Google, you don’t need to remember more passwords and the service doesn’t need to store passwords which could later be stolen.

It also doesn’t require more devices. You can just confirm your account entirely on the TV. Then you’re done. There’s no need to enter more passwords either. However, this can be a bit restrictive as it requires the user to link their Google account. If users prefer using separate passwords, then they’ll feel restricted by this requirement. If something happens to their Google account, users are out of luck. They’ve lost all their account details.

Smart Lock

Credit to AP
Credit to AP

Google has a second authentication system which works on TVs called Smart Lock. It works on phones and in Chrome. You can have Chrome opt to save your credentials when you log into a site. Then, the next time you visit that site, the username and password fields will be automatically populated with those values. Having a password manager can be very useful in general, allowing passwords to be more complex since you don’t need to memorize them.

Smart lock works with apps like Netflix, which have their own username and password storage. When you log in with a browser or in the Netflix app, it associates your Netflix credentials with your Google account (the account connected to Chrome or your phone). Then those credentials can be called back later when you move to a new device such as your TV. It doesn’t require a third-party authentication service and doesn’t require a second device. It just works.

If Smart Lock isn’t working, it is easy to have a fallback to something like entering a username / password, or one of the other methods listed above. It can be the same fallback used if the user has never used Smart Lock with that app.

Conclusion

Are you working on an Android TV app? Are you looking for a way to easily authenticate users? There’s plenty of ideas listed above to provide a convenient user experience. Overall though, don’t use a username and password. Entering those on a TV is neither secure nor pleasant.

When building a device or app that is intended to serve a number of people, there is always the question of whose account will be used, and how it will be provided. It’s a good idea to think innovatively, to think of something that isn’t too inconvenient and requires minimal effort. TVs in particular are suited for Leanback experiences, not carefully entering text into forms.

Nick Felker

Nick Felker

Nick Felker is a student Electrical & Computer Engineering student at Rowan University (C/O 2017) and the student IEEE webmaster. When he's not studying, he is a software developer for the web and Android (Felker Tech). He has several open source projects on GitHub (http://github.com/fleker) Devices: Moto G-2013 Moto G-2015, Moto 360, Google ADT-1, Nexus 7-2013 (x2), Lenovo Laptop, Custom Desktop. Although he was an intern at Google, the content of this blog is entirely independent and his own thoughts.

More Posts - Website

Follow Me:
TwitterLinkedInGoogle PlusReddit