Home Based Authentication for TV Everywhere
What is Home Based Authentication? whatis-home-based-authn
Home Based Authentication (HBA) is a TV Everywhere feature that enables pay-TV subscribers to view TV content online without entering MVPD credentials when they are home, thus significantly improving the user experience of the authentication flow.
Home Based Authentication definition by the Open Authentication Technology Committee (OATC): “In-home automatic authentication is the process by which an MVPD/OVD uses characteristics of the home network (or identifiers automatically accessible between devices on the home network) to authenticate which subscriber account is associated with that home network so that users do not need to manually enter credentials when establishing a TVE session for accessing TVE protected content.”
For more information about HBA and the industry standards, read the OATC Use Cases and Requirements documentation and OATC User Experience Guidelines for HBA.
Why HBA is important for you why-hba
HBA is important because it practically removes the sign-in barrier for your viewers that are at home and already have a cable subscription. Also, Home Based Authentication can significantly increase your viewers’ engagement and offer a better user experience for your TV Everywhere content.
Presently, almost half of the attempts to sign-in are not successful.
Once HBA was activated by one of the Top 5 MVPDs, its authentication conversion rate increased by 40% (from 45% to 63%)
Also, below you can see the sign-in conversion rate for a channel integrated with different MVPDs: those that have enabled HBA for it and those that don’t have HBA. The conversion rate for those with HBA is significantly higher than those without HBA.
Six months after enabling HBA for most of the channels integrated with this MVPD, we noticed an 82% increase in unique users (the number of users accessing TV Everywhere channels through this MVPD almost doubled).
2w3In contrast, as you can see in the chart below, other MVPDs which had not enabled HBA only had a 26% increase in the unique users over the last 6 months.
From our data, collected 6 months before and 6 months after enabling HBA, we saw a major increase in viewers’ engagement for the channels that were HBA enabled. Practically users from MVPDs that have enabled HBA tend to watch on average 30% more content than users from MVPDs that don’t have HBA enabled.
Adobe Pass Authentication HBA Support auth-hba-support
This section describes the HBA support provided by Adobe Pass Authentication, the behavior of Adobe Pass Authentication platforms in HBA flows and also offers technical details useful for implementing HBA.
Adobe Pass Authentication features supporting HBA
- Ability to set different authentication TTLs for HBA versus non-HBA authentications (also requires MVPD support)
- Ability to automatically select an MVPD (skip MVPD picker) if the authentication expired. This is usefull especially when HBA TTLs are small.
- Ability to expose to the Programmers if the authentication was HBA or not (also requires MVPD support)
HBA User Experience on Adobe Pass Authentication platforms hba-user-exp
The following tables provide information about the user experience for the supported platforms when HBA is enabled and when HBA is not enabled:
Technical Details of Implementing HBA tech-details-hba
OAuth 2.0 Protocol oauth-2-protocol
In the HBA flow for MVPDs integrated with the OAuth 2.0 authentication protocol, the MVPD issues a refresh token and Adobe issues an HBA authentication token:
- The refresh token has a TTL determined by the business requirements of the MVPD.
- The HBA authentication token TTL must be less than or equal to the refresh token TTL.
Description of the HBA authentication flow for the OAuth 2.0 protocol
- The AccessEnabler, which is installed on the programmer’s side, sends an authentication request (as an HTTP request) to the Adobe Pass Authentication endpoint.
- The Adobe Pass Authentication endpoint redirects the request to the MVPD authentication endpoint.
Note: The request contains thehba_flag
parameter (attempt HBA = true) which signals that the MVPD should attempt HBA authentication. - The MVPD authentication endpoint sends an authorization code to the Adobe Pass Authentication endpoint.
- Adobe Pass Authentication uses the authorization code to request a refresh token and an access token from the MVPD’s token endpoint.
- The MVPD sends an authentication decision and the
hba_status
(true/false) parameter in theid_token
. - A call to the MVPD user profile endpoint is sent to expose the hba_status key in user metadata.
- The MVPD sets the refresh token TTL to an MVPD-agreed value and Adobe sets the AuthN token TTL to a value less or equal to the refresh token’s value.
SAML Protocol saml-protocol
Description of the HBA authentication flow for the SAML authentication protocol
- The AccessEnabler, which is installed on the programmer’s side, sends an authentication request (as an HTTP request) to the Adobe Pass Authentication endpoint.
- The Adobe Pass Authentication endpoint redirects the request to the MVPD authentication endpoint.
- The MVPD should send an authentication decision in form of a SAML response that should contain the HBA flag: hba_status (true/false).
- A call to the MVPD user profile endpoint is sent to expose the hba_status key in user metadata.
How to activate HBA how-to-activate-hba
- OAuth protocol:
- For enabling HBA see, Adobe Pass TVE Dashboard User Guide
- SAML protocol: Home Based Authentication is activated on the MVPD side. No action is required by the Programmer or Adobe.
For more information on the MVPDs that support Home Based Authentication, see HBA status for MVPDs.
FAQ faqs
Question: Why the separation between Home Based Authentication with SAML and OAuth2 protocols?
Answer: The HBA flow is different for the two protocols. From a programmer’s perspective, there is no need for action to assure HBA is enabled for SAML MVPDs, whereas for OAuth2 MVPDs, HBA can be toggled on or off in the Adobe Pass TVE Dashboard.
Question: Are users required to fill in a username and password the first time they authenticate when HBA is enabled?
Answer: No, username and password are not required.
Question: How do you enforce parental controls?
Answer 1: Adobe can disable HBA for integrations with channels that need parental control approval.
Answer 2: Adobe is working with OATC on a UX document which recommends how to set-up the HBA experience with parental controls.
Question: Do the providers supporting HBA have shorter TTL windows for HBA then they do for regular authentication?
Answer: The TTL setting is configurable. We recommend setting a shorter TTL for HBA authentication tokens in order to prevent mishandling.
Useful information useful-info
- Instant Access (HBA) Recommendations - by CTAM
- Sample implementation of HBA on Programmer app - by Adobe