Goes from static credentials and VPN to Duo Security cloud system
Candy Crush publisher King has become one of the first global brands to deploy cloud two-factor authentication (2FA) technology as a standard security protection for almost all of its employees.
The technology has tended to be used on a departmental basis for organisations such as the military, government or finance that see simple credentials as a security risk. But its adoption in the mainstream is spreading as successful cyberattacks have undermined confidence in established approaches.
King started using the online service from Duo Security in late 2014 for a small portion of its workforce connecting to the firm via VPN; since then it has been rolled out to a total of around 1,500 people, about 70 percent of its employees.
The motivations covered a number of concerns, but a primary issue was the rapid growth of the company, which has come to be seen as the UK's most successful ever software startup after an IPO in 2014 valued the firm at around $7 billion. Late in 2015, King, with its stable of famous mobile games such as Candy Crush Saga and Bubble Witch Saga, was acquired by Activision Blizzard for $5.9 billion.
The expansion forced King to look for a security solution that would scale without complications such as the need to deploy a software agent. The firm had previously used static credentials and digital certificates managed through its VPN, but this was complicated to administer. It later experimented with Google Authenticator but, according to King's head of information security, Giacomo Collini, found that this brought new difficulties.
Users access the VPN as normal before authenticating using the 'Duo Push' app that sits on their registered smartphone (the second factor). Other forms of authentication are supported (tokens, SMS passcodes) but this approach makes authentication easier without compromising security.
"King was growing a lot and we needed a system that could scale and was automated," says Collini, whose team assessed Duo Security's alternative in a matter of weeks.
A complication is that King must authenticate its users for a variety of cloud applications such as Google Drive, and for single sign-on (SSO) in a network environment managed through Windows Active Directory. Duo's system was able to support these requirements, for office-based employees as well as remote workers.
"In King we have a cloud-friendly culture. In principle, just because it's cloud doesn't mean it's less secure. You transfer some of the ownership of the management, but the cloud doesn't start behind from on-premise solutions," says Collini.
"Static credentials are a huge risk and for sure a 2FA mitigates that risk. 2FA helps to mitigate the demands of some password policy."