April 27, 2021
Per the previous update shared on February 2, 2021 and as part of the full Asset QC user account audit we recently completed, we are partnering with our Information Security team to implement multi-factor authentication (MFA) for external users over the next year. Eventually this will apply to all partners accessing our studio applications, including Asset QC, Backlot, and Content Hub. However, since our Branded Content QC partners are a much smaller subset within our partner ecosystem, Asset Management will be piloting this with you all as a first step within Asset QC.
That being said, we do want to be mindful of any operational challenges this may pose for our partners. So, we would like to outline next steps, and then allow for a period of open feedback from our partners. This will be your opportunity to be candid and honest about any concerns you may have, so that we can work with our Info Sec team to address those and offer solutions to help mitigate before officially enabling MFA for all Asset QC users.
Assign each operator that needs to complete work within Asset QC with a unique email address. MFA will rely on a 1:1 relationship between email account and associated user. Any and all email distribution lists or group email addresses will be deactivated for Asset QC specifically.
For partners who are also operating within other studio applications, such as Backlot or Content Hub, we will still leave your email distros active for file shares/ downloads that are required as part of your other services for now.
We will simply remove Asset QC roles from those email distro accounts.
Unique email addresses do not need to reflect the real name of the operator, but if assigning an operator number or alias address, that email address can only be used by one person.
Once all user accounts have been migrated to single user email addresses, we would work with each partner to enable MFA for all Asset QC users.
There are currently two options for MFA:
Mobile device - each user account will be associated with an individual mobile device. This will require each user to download the third party app Duo Mobile to their device. When attempting to login to Asset QC (or any of our other studio applications) with an individual user account, that user will receive a prompt on their associated mobile device, which they will need to confirm before their login will be accepted.
YUBI key - This is a physical hardware USB key that will be connected to any physical workstations utilized to access our studio applications at your facility. When attempting to login to Asset QC (or any of our other studio applications) with an individual user account, that user will need to scan their fingerprint with the YUBI key connected to that station before their login will be accepted.
Our Info Sec team will provide these keys, but we will need a total count of all workstations and the corresponding operating system (Windows, Mac, or Linux) to know how many keys we need to provision.
Based on what is outlined above, we will be open to feedback for the next two weeks, with a deadline of May 14, before moving to finalize the plan. Please gather any questions, concerns, and suggestions you have around this and email Rob Krauss and I along with Eli Mezei from our Info Sec team (also cc’d) with those. We are also happy to schedule calls with any of our partners, who would prefer to have a larger discussion around our future content security. Thank you, and looking forward to hearing from each of you.