Pulse

Rob Griffin, MIRACL: how online gaming platforms can reconcile user experience with cybersecurity

By William - 10 November 2022

Cybersecurity and user experience have always been at odds. As attack rates soar, businesses have been forced to bolt on additional hurdles that users trying to log in have to surmount.

Regulators’ growing demands that customers and their data are subject to adequate security and controls have meant that the status-quo of a defunct password is not an option, despite the impact to ease of use.

Moreover, for industries that are rooted in the need to entertain their customers – such as online gaming – speed and accessibility are all-important.

To date, security solutions have therefore left these industries with a real problem that threatens the profitability, and even viability of their business. They need a simple, secure authentication technology.

Online gaming has enjoyed a remarkable surge in recent years. The loneliness, boredom and hopelessness of the COVID-19 lockdown encouraged many to turn to gaming for companionship, entertainment and escapism.

In March of 2020, Verizon revealed that online gaming traffic increased a staggering 75 per cent at the outbreak of COVID-19. So great was the pandemic’s impact that experts touted it as the mark of a new era for the industry.

However, as the old adage goes – more money, more problems. Just as online gaming established itself as the heir-apparent to the light entertainment throne, so too did it emerge as a favourite target for cybercriminals.

In fact, research published in 2021 revealed that the gaming industry saw a more significant increase in cyberattacks than any other industry throughout the pandemic.

The success of online gaming is reliant on three principles: Speed, impulsiveness and fun. Security controls, especially consumer facing protocols such as authentication, can dilute these principles, acting as a barrier to optimal user experience.

As competition within the sector heats up, it’s understandable that game providers aren’t willing to increase their time-to-game, or time-to-bet, by even a second.

Up until recently, the conflict between security and user experience has been largely internal and heavily mismatched.

Imagine a tired looking CISO appealing to the board for more stringent authentication, only to be shot down due to performance impacts for a fairly accurate picture. But in July of this year, for New Jersey gaming platforms at least, things changed.

The New Jersey legislature announced earlier this year that it was introducing new betting regulations mandating the use of Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for online gambling. For the first time, online gambling platforms were forced to put security first.

Before the security geeks get too excited, it’s worth pointing out that these regulations weren’t necessarily brought in to bolster the security of online gambling platforms. Sure, that was a secondary outcome, but it was really the problem of “messenger betting” that spurred legal action.

Messenger betting is when a secondary person places a bet in a legal jurisdiction under someone else’s account. The practice is a breach of both US Federal and New Jersey State law – but that doesn’t stop people from trying.

In 2020, Larry Porter placed a $3m bet on a three-leg parlay from his home in New Jersey on behalf of his friend Eric Stevens, a DraftKings VIP customer living in Jacksonville. The bet was simple enough: should Georgia, Alabama, and the Green Bay Packers win their respective divisions, Stevens would take home $5.5m.

Two weeks later, Stevens notices something strange. His account is frozen. DraftKings had figured out what he was up to and pulled him up on it. We’ve established that messenger betting violates state and federal law, but we should also note that it’s a breach of DraftKings’ company policy.

The twist? DraftKings knowingly allowed Stevens to messenger bet from their suite at the 2020 SuperBowl in Florida.

Long story short, the bet was terminated and DraftKings slapped with a $150,000 fine, which was widely criticised for being too low and “sending the wrong message”. However, the debacle had huge ramifications for the online gaming industry, ushering in the aforementioned MFA and 2FA regulations.

It’s important to remember here that New Jersey is the online gambling destination in the United States. While regulations introduced in a single US state may not seem particularly important, it’s likely that where New Jersey goes, others will follow. It’s not outside the realm of possibility that the Garden State is just the first card to fall.

With this in mind, it’s not a stretch to assume that mandated MFA is on the horizon. At long last, we may well see the odds stacked in favour of security. The question now is – how do organisations implement MFA without slowing down the login process?

The answer is single-step MFA.

But before we get into that, it’s worth taking a look at authentication as a whole, so we can better understand how we made it to a single-step.

There are three basic forms of authentication:

Single-factor – requires only one authentication factor, typically the humble password;
Two-factor – requires two authentication factors as evidence for successful end-user authentication;
Multi-factor – requires at least two authentication factors, meaning that 2FA is always MFA, but MFA isn’t necessarily 2FA.

The authentication factors, also known as verification factors, fall into one of three categories:

Things you know (such as a PIN);
Things you have (such as a smartphone or key);
Things you are (like a fingerprint).

Perhaps the best known forms of 2FA are via SMS and email. You have most likely used this authentication method, providing your email address or phone number before receiving a one-time code you use to log in. It counteracts simple password hacks but it’s extremely clunky. Users are far more likely to accept it for necessary evils such as online banking, not so much for leisure activities like online gaming.

Single-step MFA allows users to log in using nothing but a PIN or biometric, reducing the time-to-game, or time-to-bet, significantly when compared to traditional MFA. What’s more, single-step MFA reduces friction in account set-up and checkout processes – considering checkout friction accounts for about 40 per cent of cart abandonment, implementing single-step MFA could result in huge revenue boosts for online gaming platforms.

But how does single-step MFA work? Is it not an oxymoron? How can it be both single-step and multi-factor? The answer is simple – single-step MFA uses possession of a device, which is authorised to access the account, as one of the authentication factors.

So, the user reaps the benefits of MFA security, without having to jump through any additional hoops to log in. That means no more SMS, no more magic links, and users don’t even need a mobile phone to authenticate.

What’s more, implementing single-step MFA doesn’t mean sacrificing the security of traditional MFA. In fact, it is far more secure because firstly, possession of a device is far harder to make happen than obtaining a six digit code from an email or text message.

Secondly, unlike 90 per cent of MFA solutions, one-step MFA protects against all remote attacks such as phishing, credential stuffing, password spraying, replay and man-in-the-middle attacks. Combine all of these security benefits without having to sacrifice user experience for security, and you have the perfect authentication method for online gaming.

Regardless of whether the New Jersey regulations really are the harbinger of wider legislative action, one thing is clear – single-step multi-factor authentication is the future of online gaming verification.