How Roku’s quest for control hurts developers and consumers

If you ever installed a new app on your streaming device or smart TV, you may have run into this: Entering email addresses and passwords with your TV remote can be painful—especially for those secure passwords with lots of capital letters, numbers, and special characters.

App publishers know this as well, and many of them have been looking for easier ways to authenticate their users. One approach, known as rendezvous linking, asks people to visit the publisher’s website with a phone or desktop PC, and then enter a string of four to six seemingly random letters. A few seconds later, the TV app automatically logs in.
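To make the flow concrete, here is an added example (not Roku's, Plex's or this newsletter's code) of a minimal rendezvous-linking server written in Python, following the device-authorization pattern the paragraph above describes: the TV app asks for a short user code plus a long secret device code, the person enters the short code on the publisher's website after logging in there, and the TV polls until the link is approved. The domain, client id, account names, code length and timing constants are all constructed assumptions; the point is to show the checks a practitioner expects around such a code (entropy, expiry, single use, poll rate limiting, and a full URL form that an on-screen QR code could carry so nobody has to type the address).

```python
import secrets
import time

# Constructed example of a rendezvous ("device code") linking server.
# Not Roku's or Plex's code; every name and value below is an assumption.

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only: no words, no 0/O or 1/I mixups
USER_CODE_LENGTH = 6                          # 20**6 possibilities per live window
CODE_TTL_SECONDS = 300                        # a code nobody enters in 5 minutes dies
POLL_INTERVAL_SECONDS = 5                     # the TV must not poll faster than this
VERIFICATION_URI = "https://example.com/link"  # constructed placeholder domain


class LinkingServer:
    """Holds pending link requests; the TV app and the website both talk to it."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so the flow can be replayed deterministically
        self._pending = {}            # device_code -> request record
        self._by_user_code = {}       # user_code   -> device_code

    def start(self, client_id):
        """Called by the TV app: returns what it displays and what it polls with."""
        device_code = secrets.token_urlsafe(32)        # high entropy, never shown on screen
        user_code = self._fresh_user_code()
        now = self._clock()
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code, "account": None,
            "expires_at": now + CODE_TTL_SECONDS, "last_poll": 0.0,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": VERIFICATION_URI,
            # Full URL with the code embedded: what an on-screen QR code would carry,
            # so the user never types the domain by hand.
            "verification_uri_complete": f"{VERIFICATION_URI}?code={user_code}",
            "expires_in": CODE_TTL_SECONDS,
            "interval": POLL_INTERVAL_SECONDS,
        }

    def _fresh_user_code(self):
        while True:
            code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LENGTH))
            if code not in self._by_user_code:   # avoid colliding with a live request
                return code

    def approve(self, typed_code, account_id):
        """Called by the website after the user has logged in there (password, SSO,
        2FA: whatever the site supports; the TV never sees any of it)."""
        user_code = typed_code.upper().replace("-", "").replace(" ", "")
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        rec = self._pending[device_code]
        if self._clock() > rec["expires_at"]:
            self._forget(device_code)
            return False
        rec["account"] = account_id
        del self._by_user_code[user_code]   # single use: a second entry of the same code fails
        return True

    def poll(self, device_code):
        """Called repeatedly by the TV app with its secret device_code."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self._clock()
        if now > rec["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if now - rec["last_poll"] < POLL_INTERVAL_SECONDS:
            rec["last_poll"] = now          # impatient clients get pushed further back
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["account"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)           # the grant is one-shot too
        return {"access_token": secrets.token_urlsafe(32), "account": rec["account"]}

    def _forget(self, device_code):
        rec = self._pending.pop(device_code)
        self._by_user_code.pop(rec["user_code"], None)


def run_flow():
    """One successful link plus the failure modes, under a fake clock; returns observations."""
    t = [1_000_000.0]                                   # constructed clock value
    server = LinkingServer(clock=lambda: t[0])
    tv = server.start(client_id="tv-app")
    out = {"pending": server.poll(tv["device_code"])["error"]}   # user not on the site yet
    out["approved"] = server.approve(tv["user_code"].lower(), "alice")  # case-insensitive entry
    out["replay"] = server.approve(tv["user_code"], "mallory")          # code already consumed
    out["slow_down"] = server.poll(tv["device_code"])["error"]          # polled too soon
    t[0] += POLL_INTERVAL_SECONDS
    grant = server.poll(tv["device_code"])
    out["account"] = grant.get("account")
    out["token_len"] = len(grant.get("access_token", ""))
    out["reuse"] = server.poll(tv["device_code"])["error"]              # grant already collected
    stale = server.start(client_id="tv-app")
    t[0] += CODE_TTL_SECONDS + 1
    out["stale"] = server.approve(stale["user_code"], "alice")          # expired before entry
    return out


if __name__ == "__main__":
    print(run_flow())
```

The short code is only a rendezvous point: the secret that actually yields the session token is the long `device_code`, which never appears on screen, so shoulder-surfing the six letters gains nothing once the legitimate user has entered them, and the website is where the real authentication (including any SSO provider or second factor) happens.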

It’s unclear who exactly came up with this approach; some industry insiders I’ve talked to credit Roku with inventing rendezvous linking. However, in recent years, that very company has severely restricted the use of rendezvous linking. After first banning paid services from using it a few years ago, Roku eventually began telling developers that only so-called TV Everywhere apps (TV network apps linked to a consumer’s pay TV subscription) are allowed to use rendezvous linking.

Roku’s restrictions make its user experience worse. It’s not just the pain of entering credentials with a TV remote. Forcing people to log in on-device also effectively punishes people who have used another platform to sign up for a service. This includes people who used Google, Facebook, or Apple logins to sign up for streaming services without ever creating a password.

That’s what appears to have happened to Reddit user PHATsakk43, who signed up for Plex’s streaming service with their Apple ID without ever creating a dedicated Plex password. After accidentally deleting the Plex app from their Roku streaming device, the user couldn’t figure out how to log in again, looking in vain for the previously-available short code for rendezvous linking.

Asking for help on Reddit, PHATsakk43 was told by another user that they had to go to Plex’s website, create a password, and then use that password to log in on Roku. “This is super clunky and hard to teach to non tech users,” another Reddit user added.

App release notes suggest that Plex was forced to move away from rendezvous linking last summer. “From our perspective, it is a bit of a step backward for the end user,” a Plex spokesperson told me when asked about this. “Our concern is that it could lead to users choosing simpler, less secure passwords. It also makes it impossible to use third-party auth services (like Google Auth), which eliminates two-factor auth options.”

A number of Plex users also complained about these restrictions on Plex’s forum, with one of them writing: “This is the most stupid, infuriating change. It provides absolutely no benefit and merely inconveniences the user. It’s baffling that Roku would require this.”

Roku’s login restrictions are just the latest attempt to keep users on-platform. Google and Apple have long tried to keep mobile users within the walls of their app stores, and often imposed rules that were meant to prevent app developers from sending their users to their websites.

That’s because mobile app stores charge developers a 30% fee for each transaction. If developers could simply send users to their sites to purchase digital goods or subscriptions, they would be able to bypass those platform fees.

Regulators are starting to crack down on these kinds of restrictions, but platform providers are trying hard to make off-platform transactions as unattractive as possible. Case in point: Apple recently began charging most developers a 27% fee for payments facilitated outside of the App Store.

Roku imposes similar fees and restrictions on developers. Publishers who want to distribute their apps on Roku TVs or streaming devices have to agree to only use Roku’s own payment service, and not redirect their customers to any third-party payment services.

The company takes a 20% fee on every transaction, regardless of whether consumers pay for a movie rental, subscribe to a streaming service, or buy a screensaver for their streaming device. That fee is lower than typical mobile app store fees, in part because Roku has optimized its business for advertising revenues. (Ad-supported streaming services have to give Roku access to at least 30% of their ad inventory.)

If a publisher were redirecting consumers to their website when they sign into an app, the publisher could theoretically use that moment to also sell them a subscription, or facilitate another paid transaction, without having to fork over any money to Roku—something the company clearly doesn’t want.

As a result, the company has been telling developers that “all channels must complete authentication entirely on-device to pass certification.”

Roku hasn’t publicly said why it instituted these restrictions. Contacted for this article, a spokesperson referred to the company’s developer guidelines, but didn’t comment further. I’ve been told that the company has in the past told developers that it was moving away from rendezvous linking due to security concerns. The gist of this argument: Consumers can make spelling errors when entering a web address into their browser, and domain squatters could use those errors to deceive users with fake websites meant to steal their credentials. That argument isn’t entirely without merit, but misspelled web addresses could be easily prevented with an on-screen QR code—a method that Roku also doesn’t allow.

And the argument goes both ways: Forcing consumers to enter their passwords on their TVs is inevitably going to lead to them using weaker passwords, or even using the same password for multiple services. (A tip for Roku users looking to stay safe: The company’s mobile app does make it possible to enter passwords more easily. When it’s working, that is.)

Ultimately, the security argument rings hollow. For proof that Roku’s restrictions on the use of rendezvous linking are motivated by financial aspects and not security concerns, look no further than the company’s own Roku Channel streaming service. The Roku Channel Android TV app, which launched on smart TVs and streaming devices running Google’s software last summer, gives consumers the option to log in with their Roku accounts to keep their viewing progress synced across devices.

To make this process less painful, Roku is asking users of its Android TV app to visit the company’s website and use rendezvous linking.

This story originally appeared in the newsletter Lowpass.