Background: Media Content Security
Security in the media & entertainment industry means securing the entire content consumption path. For any OTT or streaming company that wants to serve or distribute its content to end users, has to protect and safeguard their content against an ever-evolving plethora of online piracy and cyber threats. There multiple different types of threats across the content consumption path, so, while companies would need enterprise security solutions to safeguard themselves at the acquisition, production and distribution stages, they would also need very specific security solutions like Token Authentication to safeguard themselves against the piracy and threats to the content assets itself.
On the content consumption side, link-sharing is a very common and old problem where content intended for a subscriber is shared by said subscriber with others (free-loaders) via link-sharing, i.e. sharing the playback URL on chat boards, social media sites and pirate pages. The implication is that content-provider / service-provider still has to foot the delivery cost but is unable to monetize the content playback as free-loaders are able to watch the content outside the content-provider's website/players.
One of the popular methods to protect access to content on Akamai today is Token Authentication. With Token Authentication, the content-provider creates a short-lived token, called an "Access-Token", and links it to the playback URL. When subscriber accesses the content against Akamai, the token is validated before granting access to the content. If access is granted, Akamai then creates a long-lived token, called a "Session-Token", that is specific to the subscriber's player (or User-Agent) and returns it to the subscriber as a HTTP Cookie. Subsequent content requests from subscriber's player are only allowed if the said Cookie is also present.
Issues with the Current Approach
The approach above has some issues. The Akamai session token cookie could also be considered as a '3rd party cookie' due to the fact that it is on a different domain than the core content itself and as 3rd party cookies are often seen as being used for Cross Site Tracking, it is likely that the cookie will be blocked by the browser.
The use of User-Agent as 'salt' to create the session token still allows link-sharing across end-users with similar User-Agents. Making the session token sticky to an IP also has mixed results due to NATs, CG-NATs, IPv4/IPv6 gateways, Wi-Fi - Cellular - Wi-Fi connectivity changes, TOR exit nodes, proxies, etc.
Enhancements to Token Authentication
As a solution to the issues discussed above, Akamai introduced a new enhancement called "Cookie-less Token Authentication". The enhancement is colloquially called as Cookie-less as a solution to addressing the problems with use of HTTP Cookies. The enhancement creates a 'Cookie-less' option where Manifest manipulation is used to manipulate the manifest file. After authenticating the 'Access-Token', the 'Session-Token' is embedded within the URL path of the media objects. Subsequently, when player requests any media object, the 'Session-Token' is always present as it is in the URL path. This change in location of the 'Session-Token' from HTTP Cookie to URL path, means that Akamai can now validate the token in all cases and allow access only when the token is validated as authentic.
The other enhancement to Token Authentication is referred to as "Token Hardening", which makes the 'Session-Token' sticky or specific to a playback session and origin, thereby, making it difficult to share the 'Session-Token' with players of the same User-Agent or to enable playback from a website other than the content provider's. By default, the 'Session-Token' will now use the User-Agent, Origin and X-Playback-Session-Id request headers to create more individualized or sticky 'Session-Tokens'.
The Way Forward
Token Authentication is not a substitute to a DRM solution, it provides a lightweight way for content owners to restrict access to their content to only those users who have a valid access token. Token Authentication prevents link-sharing and the enhancements discussed above will make the implementation more robust. For cases where the token or content URL can still be shared in an unauthorized manner, Akamai is working on a solution to revoke the token in real time, thereby, preventing unauthorized playback of the content. So, stay tuned for the updates!