The Shared Account Challenge: Best Practices for Securing Food Delivery Apps

Paid digital services are becoming more and more of a mainstay in our everyday lives, impacting market verticals everywhere from media streaming to food delivery apps to ecommerce websites. Netflix recently made headlines for its controversial attempts to limit account sharing amongst its 230.7 million subscribed users. For a streaming company like Netflix, the problem with account sharing is obvious: when users share accounts among multiple people, including ones that aren’t part of their household, the streaming platform loses money.

For a food delivery app, the problems with account sharing are slightly different. While users on the consumer side might certainly share accounts to take advantage of subscriber privileges without paying for multiple subscriptions, food delivery companies also have to think about multi-accounting on the driver or courier side of the app.

For some delivery apps, like Deliveroo UK, driver substitutions are a recognized and legitimate feature of the app intended to give contractors more control over how they work. For others, like most American food delivery platforms, shared driver accounts represent a policy violation and a significant threat to Trust & Safety. 

Why do some drivers use shared accounts on food delivery apps? 

There are both legitimate and illegitimate reasons why a driver might share an account with another person or allow a different driver to act as substitute under their account details. For example, shared accounts can be used legitimately to cover drivers who want to take a sick day, go on vacation, or find themselves otherwise indisposed to work their normal delivery hours. For the substitute, this has the benefit of allowing them short-term gig work without the time investment of signing up for their own account and all of the associated red tape. For the driver, they may request a portion of what the substitute earns using their account, meaning they make passive income even when not actively using their driver account to make deliveries. In that case, appointing a substitute driver to use their account can be a legitimate use of the practice.

From the platform’s perspective, this approach allows drivers to curate their own work experience, which is one of the primary draws of contracted gig work. In the words of the Deliveroo UK website, one food delivery platform that allows driver substitutions, “Working flexibly with Deliveroo means you choose exactly how you work. As outlined in your supplier agreement, this includes being able to choose to appoint other people to complete orders for you.”

Unfortunately, however, shared driver accounts also represent loopholes for bad actors to take advantage.

When account sharing becomes a tool for bad actors  

For most food delivery apps in the United States, account sharing is recognized as a policy violation and a security vulnerability because it denies app administrators the oversight they need to implement critical Trust & Safety measures.

Food delivery apps like Uber Eats and DoorDash conduct identity and background checks on their drivers, meaning that people with prior criminal records or without proper work authorization wouldn’t be able to work as drivers. Identity checks also help to prevent drivers who were previously banned for criminal or offensive activity from rejoining the platform.

In these cases, drivers can use account sharing to bypass these ID checks and protections. First, someone goes through the verification process legitimately. Then, they loan out their account and app access to one or more other people who otherwise wouldn’t have been able to take orders and work under the app’s infrastructure. Because this type of account sharing essentially robs the platform of much of its driver oversight, it can represent a significant hole in security.

For example, in this case from Los Angeles, a driver different from the one pictured in the Uber Eats driver profile delivered a woman’s food before robbing her apartment complex’s mailboxes of packages.

In addition to the safety risks of such situations, there’s also a significant reputational risk to the food delivery app, as most customers will hold them responsible for the actions of drivers, even ones that are unauthorized. 

How multi-factor authentication can prevent shared accounts 

Fortunately, there are tools that delivery apps can use to prevent unauthorized account sharing. Multi-factor authentication can help prevent account sharing by doing precisely what it’s designed for: preventing unauthorized access to a driver account by someone other than the account owner. There are a few different authentication factors that can be used in combination to prevent shared driver accounts, including SMS codes, device intelligence, knowledge-based authentication, and real-time location data.

Location and device intelligence are among the strongest factors because they’re harder to spoof or circumnavigate, especially when used together. The vulnerability of factors like OTP codes via SMS and email to social engineering, phishing, or intentional sharing may explain why apps that already employ MFA are still seeing problems with account sharing.

On the contrary, factors like device intelligence and location behavior are much more difficult to share or replicate across different user devices, meaning that an unauthorized person trying to share a driver account won’t be able to authenticate, even if the owner of that driver account shares other necessary credentials like usernames and passwords.

Location behavior works by using a combination of signals like cellular networks, GPS, WiFi, and other device signals to identify an individual’s precise location as well as their “trusted” locations, typically meaning work or home. The way a person moves through the real world with a device is extremely individual, meaning this behavior data can be used to make a location “fingerprint” for identifying that individual.

As an added measure, device intelligence takes note of things like screen resolution, operating system version, apps, and other identifiers to create a unique image of a device. Even if the device is reset, location behavior can still identify it, making these two technologies incredibly resilient as a combination approach.

When consumers schedule a food or grocery delivery, they expect that the driver they see on their phone will be the person who shows up at their doorstep. When they aren’t, this undermines the app’s reputation and the customer’s trust in that platform.

Implementing multi-factor authentication, particularly tamper-resilient factors like location and device intelligence, helps safeguard driver accounts and restore the platform’s Trust & Safety capabilities.

To learn about how Incognia’s location technology helped one food delivery platform reduce fake account creation by 51% from one month to the next, find the case study here.