Candy Crush Saga maker King deploys two-factor security across whole workforce

Goes from static credentials and VPN to Duo Security cloud system


Candy Crush publisher King has become one of the first global brands to deploy cloud two-factor authentication (2FA) technology as a standard security protection for almost all of its employees.

The technology has tended to be used on a departmental basis for organisations such as the military, government or finance that see simple credentials as a security risk. But its adoption in the mainstream is spreading as successful cyberattacks have undermined confidence in established approaches.


King started using the online service from Duo Security in late 2014 for a small portion of its workforce connecting to the firm via VPN since when it has been rolled out to total of around 1,500 people, about 70 percent of its employees.

The motivations covered a number of concerns but a primary issue was the rapid growth of the company, which has come to be seen as the UK’s most successful ever software startup after an IPO in 2014 valued the firm at around $7 billion. Late in 2015, King and its stable of famous mobile games such as Candy Crush Saga and Bubble Witch Saga, was acquired by Activision Blizzard for $5.9 billion.

The expansion forced King to look for a security solution that would scale without complications such as the need to use a software agent. The firm had previously used static credentials and digital certificates managed through its VPN, but this was complicated to administer. It later experimented with Google Authenticator but according to King’s head of information security, Giacomo Collini, found that brought new difficulties.

Users access the VPN as normal before authenticating using the ‘Duo Push’ app that sits on their registered smartphone (the second factor). Other forms of authentication are supported (tokens, SMS passcodes) but this approach makes authentication easier without compromising security.

“King was growing a lot and we needed a system that could scale and was automated,” says Collini, whose team assessed Duo Security’s alternative in a matter of weeks.

A complication is that King must authenticate its users for a variety of cloud applications such as Google Drive, Single Sign On (SSO) in a network environment managed through Windows Active Directory. Duo’s system was able to support these requirements. This applied to office-based employees as well as remote workers.

“In king we have a cloud-friendly culture. In principle just because it’s cloud doesn’t mean it’s less secure. You transfer some of the ownership of the management but the cloud doesn’t start behind from on premise solutions,” says Collini.

“Static credentials are a huge risk and for sure a 2FA mitigates that risk. 2FA help to mitigate the demands of some password policy.”

Having implemented 2FA across its entire operation, King gained in terms of its security policy compliance without having to use aggressive password management. Collini hasn’t revealed how often passwords had to be changed to maintain compliance but this requirement had been relaxed by using authentication.

Cost is more difficult to quantify because, in effect, King has added a new layer of security it did not previously have. How can the cost effectiveness of a security system ever be quantified?

Collini believes that using 2FA as a cloud service has saved in headcount not to mention that “the hidden costs would have been all over the place.” The company is now also able to grant and rescind access to third-party partners with an ease that would have been tricky using old-style credentials.

Candy Crush maker King - life of a startup

“We took a startup and transformed it into an enterprise,” points out Collini, which is an important point. It’s an extreme version of the journey every company has had to make in terms of security design and investment but that startups uniquely must tackle almost immediately if they have any ambitions to scale.

King’s adoption of Duo Security’s cloud authentication started out as a need to secure the perimeter to a higher standard of certainty but has ended up with something that allows that perimeter to be anywhere and for any of its employees.

An intriguing added dimension of the Duo Security design is the potential it offers for analytics, which Collini is keen to make use of. This is an authentication system for sure but one that can also examine the endpoint to see, for example, whether it is running out-of-date or vulnerable software. It can also be used to block access to applications from certain locations.

“The job is not done,” concludes Collini.

"Recommended For You"

You're mitigating the security vulnerabilities in authentication... How do you balance mobility and security in the modern workplace?