• Lowpass
  • Posts
  • How Roku’s quest for control hurts developers and consumers

How Roku’s quest for control hurts developers and consumers

Also: FAST is booming, elsewhere

Welcome to Lowpass! This week: Roku made logging into apps harder, and FAST viewing may be plateauing in the U.S.

Was this email forwarded to you? Sign up now to receive Lowpass in your inbox every Thursday.

Roku has made logins more complicated to prevent off-platform transactions

If you ever installed a new app on your streaming device or smart TV, you may have run into this: Entering email addresses and passwords with your TV remote can be painful – especially for those secure passwords with lots of capital letters, numbers and special characters.

App publishers know this as well, and many of them have been looking for easier ways to authenticate their users. One approach, known as rendezvous linking, asks people to visit the publisher’s website with a phone or desktop PC, and then enter a string of four to six seemingly random letters. A few seconds later, the TV app automatically logs in.

It’s unclear who exactly came up with this approach; some industry insiders I’ve talked to credit Roku with inventing rendezvous linking. However, in recent years, that very company has severely restricted the use of rendezvous linking. After first banning paid services from using it a few years ago, Roku eventually began telling developers that only so-called TV Everywhere apps (TV network apps linked to a consumer’s pay TV subscription) are allowed to use rendezvous linking.

Roku’s restrictions make its user experience worse. It’s not just the pain of entering credentials with a TV remote. Forcing people to log in on-device also effectively punishes people who have used another platform to sign up for a service.

  • This includes people who used Google, Facebook or Apple logins to sign up for streaming services without ever creating a password.

  • That’s what appears to have happened to Reddit user PHATsakk43, who signed up for Plex’s streaming service with their Apple ID without ever creating a dedicated Plex password. 

  • After accidentally deleting the Plex app from their Roku streaming device, the user couldn’t figure out how to log in again, looking in vain for the previously-available short code for rendezvous linking.

  • Asking for help on Reddit, PHATsakk43 was told by another user that they had to go to Plex’s website, create a password, and then use that password to log in on Roku.

  • “This is super clunky and hard to teach to non tech users,” another Reddit user added.

  • App release notes suggest that Plex was forced to move away from rendezvous linking last summer.

  • “From our perspective, it is a bit of a step backward for the end user,” a Plex spokesperson told me when asked about this. “Our concern is that it could lead to users choosing simpler, less secure passwords. It also makes it impossible to use third-party auth services (like Google Auth), which eliminates two-factor auth options.”

  • A number of Plex users also complained about these restrictions on Plex’s forum, with one of them writing: “This is the most stupid, infuriating change. It provides absolutely no benefit and merely inconveniences the user. It’s baffling that Roku would require this.”

Roku’s login restrictions are just the latest attempt to keep users on-platform. Google and Apple have long tried to keep mobile users within the walls of their app stores, and often imposed rules that were meant to prevent app developers from sending their users to their websites.

  • That’s because mobile app stores charge developers a 30% fee for each transaction. If developers could simply send users to their sites to purchase digital goods or subscriptions, they would be able to bypass those platform fees.

  • Regulators are starting to crack down on these kinds of restrictions, but platform providers are trying hard to make off-platform transactions as unattractive as possible. Case in point: Apple recently began charging most developers a 27% fee for payments facilitated outside of the App Store.

Roku imposes similar fees and restrictions on developers. Publishers who want to distribute their apps on Roku TVs or streaming devices have to agree to only use Roku’s own payment service, and not redirect their customers to any third-party payment services. 

  • The company takes a 20% fee on every transaction, regardless of whether consumers pay for a movie rental, subscribe to a streaming service, or buy a screensaver for their streaming device.

  • That fee is lower than typical mobile app store fees, in part because Roku has optimized its business for advertising revenues. (Ad-supported streaming services have to give Roku access to at least 30% of their ad inventory.)

  • If a publisher was redirecting consumers to their website when they sign into an app, the publisher could theoretically use that moment to also sell them a subscription, or facilitate another paid transaction, without having to fork over any money to Roku – something the company clearly doesn’t want.

  • As a result, the company has been telling developers that “all channels must complete authentication entirely on-device to pass certification.”

Roku hasn’t publicly said why it instituted these restrictions. Contacted for this article, a spokesperson referred to the company’s developer guidelines, but didn’t comment further. I’ve been told that the company has in the past told developers that it was moving away from rendezvous linking due to security concerns.

  • The gist of this argument: Consumers can make spelling errors when entering a web address into their browser, and domain squatters could use those errors to deceive users with fake websites meant to steal their credentials.

  • That argument isn’t entirely without merits, but misspelled web addresses could be easily prevented with an on-screen QR code – a method that Roku also doesn’t allow.

  • And the argument goes both ways: Forcing consumers to enter their passwords on their TVs is inevitably going to lead to them using weaker passwords, or even using the same password for multiple services.

  • (A tip for Roku users looking to stay safe: The company’s mobile app does make it possible to enter passwords more easily. When it’s working, that is.)

Ultimately, the security argument rings hollow. For proof that Roku’s restrictions on the use of rendezvous linking are motivated by financial aspects and not security concerns, look no further than to the company’s own Roku Channel streaming service. The Roku Channel Android TV app, which launched on smart TVs and streaming devices running Google’s software last summer, gives consumers the option to log in with their Roku accounts to keep their viewing progress synced across devices.

To make this process less painful, Roku is asking users of its Android TV app to visit the company’s website and use rendezvous linking.

Enjoy reading stories like this one? Then please upgrade to the $8 a month / $80 a year paid tier to support my reporting, and get access to the full Lowpass newsletter every week.


Book your Lowpass sponsorship now

Want to reach AR, VR and streaming insiders? Lowpass’ close to 19,000 subscribers include senior executives at major tech and entertainment companies (including Amazon, Fox, Google, Meta, Netflix, Roku, Samsung, Sonos, Unity, Warner Bros. Discovery & more) as well as startup founders, regulators and other decision makers.

For a limited time, you can reach them with a 20% discount, which means that sponsorships now start at less than $80.

Questions? Don’t hesitate to reach out:[email protected] 

FAST is booming, 2024 edition

Free, ad-supported streaming TV channels, or FAST channels, as insiders like to call them, continue to be one of the streaming industry’s big success stories. That’s according to the latest numbers from Amagi, which published its 10th Global FAST report this week.

However, growth of FAST has been uneven across regions, with signs hinting at a possible plateau in North America:

  • FAST channel viewing hours were up 26% globally in Q4 when compared with the same quarter in 2022, according to the report.

  • Even better news for publishers and their partners: Ad impressions grew 28% over the same time frame.

  • Viewing hours growth was the biggest in the APAC region with 130%, followed by Latin America with 43% and EMEA with 37%. However, in the U.S. and Canada, hours only grew by 5%.

  • The average duration of a FAST viewing session grew by 3% globally in Q4, with again strong growth in the APAC and LATAM regions. In the U.S. and Canada, average FAST viewing session length declined by 5%.

  • Globally, people watched around 5 minutes of FAST programming per session on average.

The entire report also includes data on the most popular genres on FAST, predictions for FAST advertising spending and more. Just keep in mind that Amagi is one of the major FAST cloud vendors, and as such has a vested interest in the success of this industry.

What else

WWE Raw is moving to Netflix. Execs of the streamer keep insisting that they’re not doing traditional live sports, with co-CEO Ted Sarandos calling WWE “sports entertainment.” Semantics aside, this latest deal is a big loss for USA Network.

Sumo wrestling is getting the FAST treatment. Sumo wrestling may not be as popular as WWE-style wrestling, but this is a smart niche move: The Swerve Combat FAST channel will begin airing exclusive Sumo action starting this Thursday.

Netflix added 13.1 million subscribers in Q4. The 2023 holiday quarter was Netflix’s best fourth quarter ever.

Apple Vision Pro pre-orders estimated to be around 170,000. Influential supply chain analyst Ming-Chi Kuo estimates that Apple customers preordered 160,00-180,000 Vision Pro headsets.

Titan’s new smart TV platform is now official. Remember my recent scoop about Titan OS? The company behind it officially unveiled it on Monday.

HBO Max keeps changing its name to Max. The rebranding, which first happened in the U.S. in May, is now being extended to markets in Latin America and the Caribbean.

Twitch is tweaking its monetization rules. Popular streamers could be making more, while others may be getting a pay cut.

VR game Ghosts Of Tabor makes $10 million in beta. The game attracted 500,000 players, and $10 million in revenue, before even launching on Meta’s Quest Store.

Tubefilter serves up creator news since 2007. The pioneering creator news site is now on Beehiiv. Click here to subscribe to the free Tubefilter newsletter. (SPONSORED)

That’s it

Here’s a show that I’ve enjoyed watching this month: Creamerie on Hulu is a post-pandemic comedy that plays in a world in which 99.9% of all men have died — putting a premium on, well, bodily fluids that guarantee the survival of humanity. It’s dark, it’s raunchy, and also very, very funny.

Thanks for reading, have a great weekend!

Image source: Roku

Join the conversation

or to participate.