For people who are trapped in their homes due to coronavirus, games have become an important way to escape into other worlds, relieve boredom, and connect with other people. We’ve seen couples get married on Animal Crossing, students recreate their campus on Minecraft, and millions of people work out their tension on Call of Duty, one skirmish at a time.
This surging demand represents a pivotal moment for the gaming industry: can it rise to the occasion and provide a public service without compromising security or buckling under the strain?
Coronavirus Has Made Everyone a Gamer
Demand has surged most in places where coronavirus has hit hardest and where social distancing requirements have been most severe.
In Italy, one telecom company reported a more than 70% increase in online traffic, which it attributes largely to online gaming (especially Fortnite). In the UK, the latest installment of Animal Crossing sold more copies in its first week than the combined launch sales of every prior game in the series. And even when people aren’t playing, they’re watching; Twitch saw a 31% increase in viewers from March 8 to March 22. With professional sports canceled, it’s literally the only game in town.
The gaming industry, which has weathered its fair share of controversies in the past, now finds itself a major player in the effort to safeguard public health. The World Health Organization (WHO) has supported gaming with its #PlayApartTogether campaign, which over 50 gaming companies have joined.
Individual game developers are doing their part to support social distancing measures. World of Warcraft is encouraging players to stay inside by offering double XP through April 20. Three of the UK’s biggest developers (which boast massively popular titles like Candy Crush) have inserted “Stay Home. Save Lives” on their launch pages or directly in their games.
Source: Codemasters’ DiRT Rally 2.0.
Gaming Companies Struggle to Scale
The unprecedented interest in gaming is good for social distancing, but it’s also testing the resilience of individual platforms and the internet as a whole.
The spike in traffic from games, streaming video, and people working from home has created a digital traffic jam, even as physical highways are empty. The New York Times reports that coronavirus has led to a 24% drop in median download speeds in New York, while one city in California saw a 38% drop. In response, gaming companies are trying to ease the burden. Xbox has requested that developers release updates only during a specific late-night window in North America and only on weekdays.
There’s been an industry-wide surge in crashes and outages as games struggle to absorb the demand. Fortnite acknowledged server outages and “issues with logins, matchmaking, the Item Shop, and other Fortnite services.” Blizzard, the makers of World of Warcraft, apologized to Chinese gamers for long lines and performance issues. And the mobile game Plague Inc. found itself overrun by 130 million players, which crashed its website and prompted the game’s developer to release a statement cautioning people that “Plague Inc. is a game, not a scientific model.”
Many games, especially from smaller developers, simply weren’t designed to have to scale at this speed. In-house identity systems are proving to be particularly weak spots. Tencent’s Honor of Kings experienced outages in China when 100 million users started trying to log in each day, overwhelming a system that usually deals with 60 to 70 million daily active users.
As developers run into the limits of their legacy identity and access management (IAM) systems, they’re confronted with a choice: patch up the holes as they go or offload identity onto a third party. In making that choice, gaming companies need to think past the current crisis. After all, even once COVID-19 recedes, plenty of the people who discovered gaming under quarantine will keep at it, creating a new normal. In that new world, outsourcing identity will free up developers to deal with the myriad demands of rapid scaling instead of struggling to expand databases and configure SSO integrations.
As Gaming Demand Spikes, So Do Security Risks
Security was already a growing issue in gaming before the coronavirus, but the pandemic has added urgency. In a 2019 McAfee survey, 75% of PC gamers cited security as their number one concern about the future of gaming. They’re concerned with good reason, since 64% said they had been affected by a cyberattack or knew someone who had. Despite this concern, gamers are often at risk. The same survey found that 55% of gamers reuse passwords on accounts, making them vulnerable to credential stuffing attacks.
In credential stuffing attacks, hackers try to log in using stolen or commonly reused login credentials. Once they’ve gained control of an account, they sell or trade it or sell off the player’s unique items. This is potentially lucrative and widespread; Akamai cites a BBC report that children as young as 14 are making thousands of dollars per week selling and trading accounts.
Phishing scams are another way hackers steal the credentials of legitimate players. Cybercriminals will set up a fake login screen that looks just like the real thing or send fake in-game messages demanding users share their login information.
These security threats are greatly magnified by the coronavirus. The huge influx of new gamers is less familiar with login protocols and more likely to be fooled by an official-looking popup asking them to enter their email and password.
The best safeguard against these threats is multi-factor authentication (MFA). Historically, many gaming companies have been reluctant to implement MFA for fear of disrupting players and introducing friction. Some games have given players the option of enabling MFA, and Fortnite even tried to drive adoption by giving rewards to players who turned it on.
But one of the primary advantages of Auth0’s MFA is that it doesn’t force companies or players to choose between security and a seamless experience. You can choose the precise conditions under which to request MFA (for example, when making a purchase) and pick the authentication method that makes sense for your users.
The other element to protecting users from credential stuffing attacks is alerting them when their credentials have been compromised. Auth0’s breached password detection maintains a constantly updated database of stolen credentials and will proactively notify users if their information has been stolen in a third-party breach. It also gives companies the option of automatically logging out those users until they can set a new (hopefully, unique) password. Best of all for gaming companies that need security solutions in a hurry, you can enable it by flipping a single toggle.
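As an added illustration (not Auth0's code or API), the sketch below combines the two controls just described: a breached-credential lookup that forces a password reset, and an MFA prompt requested only for sensitive actions such as a purchase. The function names, the lookup key, the action list beyond purchases, and the sample corpus are all assumptions constructed for this example.

```python
import hashlib
import hmac

# Hypothetical server-side key for breach-corpus lookups (not a password-storage hash).
LOOKUP_KEY = b"example-only-key"

def fingerprint(email: str, password: str) -> str:
    """Keyed hash of a normalized (email, password) pair; the corpus never holds plaintext."""
    pair = email.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(LOOKUP_KEY, pair, hashlib.sha256).hexdigest()

# Constructed sample corpus standing in for a feed of third-party breach data.
BREACHED = {fingerprint(e, p) for e, p in [
    ("kai@example.com", "hunter2"),
    ("rin@example.com", "dragon123"),
]}

# Assumed list of actions worth a step-up prompt; the article names only purchases.
SENSITIVE_ACTIONS = {"purchase", "trade_item", "change_email"}

def login_decision(email, password, password_ok, action="play", mfa_enrolled=False):
    """Return the next step for a login or in-session action."""
    if not password_ok:
        return "deny"
    # A correct password that matches a leaked pair is exactly what credential
    # stuffing replays, so it must not open a session.
    if fingerprint(email, password) in BREACHED:
        return "force_password_reset"
    if action in SENSITIVE_ACTIONS:
        return "require_mfa" if mfa_enrolled else "require_mfa_enrollment"
    return "allow"

def new_password_acceptable(email, new_password):
    """Reject a reset that picks a pair already present in the corpus."""
    return fingerprint(email, new_password) not in BREACHED

if __name__ == "__main__":
    print(login_decision("Kai@Example.com ", "hunter2", True))
    print(login_decision("kai@example.com", "a-unique-passphrase", True, "purchase", True))
    print(login_decision("kai@example.com", "a-unique-passphrase", True))
```

The breach check runs only after the password verifies, because a leaked pair is dangerous precisely when it is still the account's current password.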
Battlefy, which lets organizers create esports events, chose Auth0 as their identity service provider largely for security reasons. With it, they’ve been able to stop storing sensitive information like password hashes in their own databases. They’ve also used Auth0’s breached password detection to communicate with users during a security threat.
Putting in the Work to Let People Play
By and large, the gaming industry is rising to the challenge of the current moment. But the systems we put in place today shouldn’t just be designed to get us through the coronavirus crisis; they should build resiliency to prepare the industry for a new era.
With the right tools and the right mindset, gaming will come out of this moment more secure and more equipped to handle spikes in demand. Because even once people are allowed to leave their homes, many will keep going back to the pixelated worlds they’re discovering right now.
To learn more about how Auth0 can help gaming companies welcome new users and fend off attacks, please reach out to our team.