How to seamlessly verify a unique identity without requiring username/password?

ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Other Software > Developer's Corner

How to seamlessly verify a unique identity without requiring username/password?

<< < (2/2)

Deozaan:
I think that's part of OAuth or OpenID.
-Deozaan (January 06, 2014, 07:24 PM)
--- End quote ---
You can do it with both. OAuth would be much more useful for a non-browser app.

However, my solution would be this:

* Each device/profile gets a GUID on first run.
* Player is prompted to link profile to an email address.
* If they do, send a confirmation email, and add the GUID to a database: [Email address]<[GUIDs]
* Merge data from local profile to email address
The profile ID is a unique identifier. This essentially means you don't need a password, because having the device is enough proof.
Linking to an email address should be optional. Only required if a user wishes to merge to GUIDs into a single profile.
Other than a once off association (Which is optional), the user doesn't need to see the login process again.
-kamahl (January 06, 2014, 07:41 PM)
--- End quote ---

This sounds very much like it could accomplish what I want to do. However, I see two potential problems with it:

1. I'd really prefer not to have any personal information about the players. This includes email addresses. Though I suppose I could store a seeded hash of the email address and compare it, and if it matches then merge accounts or whatever.
2. I hear stories about people changing some of their hardware (often their GPU) and it invalides their DRM-enabled program (usually a game) because they suddenly have a new GUID or something similar. Though I suppose I don't need to access the GUID every time the game runs. Just the first time to link to their online account and then I can simply store a reference to their account number or whatever and not rely on the GUID.

Are these problems anything I should even be concerned about? If so, do my own suggested solutions seem like they would reliably circumvent the problems? Are there other problems with my ideas that I should be aware of?

mouser:
You know this falls under the scope of things i'm trying to solve with my Mewlo system - to make it easier for people to create community-based custom web services.

kamahl:
I think that's part of OAuth or OpenID.
-Deozaan (January 06, 2014, 07:24 PM)
--- End quote ---
You can do it with both. OAuth would be much more useful for a non-browser app.

However, my solution would be this:

* Each device/profile gets a GUID on first run.
* Player is prompted to link profile to an email address.
* If they do, send a confirmation email, and add the GUID to a database: [Email address]<[GUIDs]
* Merge data from local profile to email address
The profile ID is a unique identifier. This essentially means you don't need a password, because having the device is enough proof.
Linking to an email address should be optional. Only required if a user wishes to merge to GUIDs into a single profile.
Other than a once off association (Which is optional), the user doesn't need to see the login process again.
-kamahl (January 06, 2014, 07:41 PM)
--- End quote ---

This sounds very much like it could accomplish what I want to do. However, I see two potential problems with it:

1. I'd really prefer not to have any personal information about the players. This includes email addresses. Though I suppose I could store a seeded hash of the email address and compare it, and if it matches then merge accounts or whatever.
2. I hear stories about people changing some of their hardware (often their GPU) and it invalides their DRM-enabled program (usually a game) because they suddenly have a new GUID or something similar. Though I suppose I don't need to access the GUID every time the game runs. Just the first time to link to their online account and then I can simply store a reference to their account number or whatever and not rely on the GUID.

Are these problems anything I should even be concerned about? If so, do my own suggested solutions seem like they would reliably circumvent the problems? Are there other problems with my ideas that I should be aware of?
-Deozaan (January 06, 2014, 10:08 PM)
--- End quote ---

I would recommend creating the GUID once, and then storing it, rather than trying to link it to hardware identifiers.
That way, as long as the user doesn't blow away the config files your UID won't change.

The reason I suggested email addresses is that they are something that would be personal enough that people can't impersonate you.
There would be nothing more irritating than if someone were to get their PC associated with my account, and sell all my items/get me banned from chat/other such effects.
A salted/hashed email is fine. Just as long as there is a way for the user to be sure nobody else can associate to their account without their knowing.

EDIT: If someone were to clone said config files, and impersonate your GUID, that would still be an issue. But such things can only really happen with physical access - And when that's true, it's generally easy enough bypass further restrictions anyway.

TaoPhoenix:
You know this falls under the scope of things i'm trying to solve with my Mewlo system - to make it easier for people to create community-based custom web services.
-mouser (January 06, 2014, 10:26 PM)
--- End quote ---

Random comment Mouser, sometimes a Framework gets so low level that no one actually works on it!

5% experience, see my pseudo-Nany, that no one touched.

Deozaan:
You know this falls under the scope of things i'm trying to solve with my Mewlo system - to make it easier for people to create community-based custom web services.
-mouser (January 06, 2014, 10:26 PM)
--- End quote ---

Yeah, it kind of does. But I think for a web service you can just integrate OAuth or OpenID (or both). Since you're already in the browser it's not that big of a deal to redirect to Google or Yahoo or Facebook or whatever asking for authorization and then redirect back to the Mewlo content to finish logging in.

But in my case, I want players from inside a fullscreen program (my games) or on mobile devices to be able to sync to their accounts without having to be redirected to a browser. And it's seeming to me like it would be a lot easier to have them type in their e-mail address, be sent a link they can click to associate their account with that e-mail, and have it all done automatically for them so they never even need to login.

This would require a few things on the server backend:

1. A new account would automatically be created for each device (GUID) the game was run on.
2. Accounts would need to be easily merged/linked to each other. (i.e. multiple GUIDs per user/email address). This includes non-destructive syncing, so that only the best data is synced (i.e. no progress is lost, best times/scores are not overwritten with worse ones, etc.)

I would recommend creating the GUID once, and then storing it, rather than trying to link it to hardware identifiers.
That way, as long as the user doesn't blow away the config files your UID won't change.-kamahl (January 06, 2014, 10:43 PM)
--- End quote ---

My question is more about how the GUID is created. I wouldn't know how to go about generating a guaranteed unique ID, but apparently that's already a feature Unity provides for me. I just don't know if it creates it using hardware identifiers or what. But I think I'd just store it, like you said, and only access it if/generate it if there's no data already there.

The reason I suggested email addresses is that they are something that would be personal enough that people can't impersonate you.
There would be nothing more irritating than if someone were to get their PC associated with my account, and sell all my items/get me banned from chat/other such effects.
A salted/hashed email is fine. Just as long as there is a way for the user to be sure nobody else can associate to their account without their knowing.

EDIT: If someone were to clone said config files, and impersonate your GUID, that would still be an issue. But such things can only really happen with physical access - And when that's true, it's generally easy enough bypass further restrictions anyway.
-kamahl (January 06, 2014, 10:43 PM)
--- End quote ---

So this is what I'm picturing would be necessary to do it this way:

1. On each device, they'd need to enter in their e-mail address.
2. They are sent an e-mail (for each device) to link the game to their account.
3. They click the link and the server adds a salted hash of the email address to that GUID, and if any other GUIDs have the same hash, all the GUIDs are linked into the same account.

This way if the server is ever compromised, there will be no personal information that can be used to ruin their life elsewhere. No passwords to use to login to their bank account (or whatever), no email addresses to spam, etc.

Navigation

[0] Message Index

[*] Previous page

Go to full version