How to seamlessly verify a unique identity without requiring username/password?
Deozaan:
OK so here's the situation:
I program games. Nothing fancy. Nothing popular. Nothing that anybody except my mom has played. (Thanks, mom!)
But I do occasionally have ideas for games that would work better with certain "community" features. A few examples:
* Cloud saves.
* A game with a level editor, where players can submit and download user created levels.
* A racing game where not only are best racing times recorded (leaderboards), but also "ghosts" which you can download and race against.
* Asynchronous turn-based games that will require some sort of account system to keep track of who is playing against who, and prevent players from playing games/turns they shouldn't have access to.
* Friends lists to make it easier to start a game with people you know.
* A game with automatic matchmaking based on an Elo-like rating system.
Naturally, I'd need some sort of database/account system to keep track of which data belonged to which player. But I really don't want to make the players of my games have to deal with creating yet another account, or deal with password resets or things like that. I just need to verify that the player is who they say they are, and then let them play. This should be a one time process, per device/profile. i.e., if they install my game on their Android device, they'll need to authenticate once, then the app itself will store the token locally and access their game data that way. But if they also install the game on their PC, they'll need to authenticate once on the PC, too. And if they make another profile on the PC (if I am smrat and make the game support multiple profiles) then the profile will need to be authenticated for the new person.
I don't want or need any personal information. If hackers get access to my database, I want it to only contain non-personal information. Only game related stuff like scores, ghosts, friends lists, games, etc. This way a security breach isn't really a problem. All the data will essentially be public anyway, so the only thing I'd need to be worried about is if the hackers decided to delete the data.
Yes, there are third-party solutions that offer leaderboards and the like, but in my experience both as a player and as a developer, they have 2-3 big problems:
1. They are unreliable, smaller companies which disappear after a year or two, thus breaking all game functionality that relied on them.
2. They are reliable, huge companies (Google, Steam, Apple) but are not cross-platform.
3. They are reliable companies, but charge more money than I'm willing to pay since it's just going to be my mom playing my games.
My thoughts were to use OpenID, but that was designed to be used in the web browser, redirecting to the provider's page, then back to the content. I can't exactly do that from within a game. So maybe I want to use OAuth? Even then, I'm not sure. This is because, again, I don't want access to any of their account information from the OAuth provider. I just want a way to verify they are a specific, unique person, then automatically access their game account details from there.
In other words, once they are logged in, the account information would be mostly behind the scenes. I'm thinking that all I'd need is a unique token that never changes (so they can login again after a reinstall or on another device) and that token will be the key/index to the rest of their account information in my database.
Am I going about this the right way? If so, how would I go about using an already existing service provider to provide me with a token which I could then tie to the player's account, without requiring the player to create a username/password to login with every time they launch my game? I think I could even use something like a time-limited code (like what we often see in 2-factor authentication) so that they only need to type in a relatively short numeric code and it will grab all their details automatically. But again, the question is how do I do this seamlessly from within the game, without requiring them to use a browser for authentication?
So what should I use? OpenID? OAuth? WebID? Persona? Something else entirely?
mouser:
It seems like these days another common solution is to let people "log in" and identify themselves via their facebook/twitter/google id.
Deozaan:
It seems like these days another common solution is to let people "log in" and identify themselves via their facebook/twitter/google id.
-mouser (January 06, 2014, 07:15 PM)
--- End quote ---
I think that's part of OAuth or OpenID.
kamahl:
I think that's part of OAuth or OpenID.
-Deozaan (January 06, 2014, 07:24 PM)
--- End quote ---
You can do it with both. OAuth would be much more useful for a non-browser app.
However, my solution would be this:
* Each device/profile gets a GUID on first run.
* Player is prompted to link profile to an email address.
* If they do, send a confirmation email, and add the GUID to a database: [Email address]<[GUIDs]
* Merge data from local profile to email address
The profile ID is a unique identifier. This essentially means you don't need a password, because having the device is enough proof.
Linking to an email address should be optional. Only required if a user wishes to merge two GUIDs into a single profile.
Other than a once off association (Which is optional), the user doesn't need to see the login process again.
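The flow kamahl outlines, sketched server-side as an added example (not code from the thread or from any project). `AccountStore`, its method names and `SERVER_KEY` are hypothetical; it assumes the GUID is treated as a bearer secret, so the server keeps only keyed digests of GUIDs and email addresses.

```python
import hashlib, hmac, secrets, uuid

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret kept outside the database

def _digest(value: str) -> str:
    # Keyed hash, so a leaked table contains neither usable GUIDs nor e-mail addresses.
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()

class AccountStore:
    """In-memory stand-in for the game server's database (hypothetical)."""

    def __init__(self):
        self.profiles = {}  # digest(device GUID) -> profile id
        self.emails = {}    # digest(e-mail) -> profile id
        self.pending = {}   # digest(confirmation code) -> (e-mail digest, GUID digest)
        self.data = {}      # profile id -> game data

    def register_device(self) -> str:
        """First run: mint a random GUID. The client stores it; the server keeps only its digest."""
        guid = str(uuid.uuid4())  # uuid4 is drawn from the OS CSPRNG
        profile_id = secrets.token_hex(8)
        self.profiles[_digest(guid)] = profile_id
        self.data[profile_id] = {"scores": []}
        return guid

    def authenticate(self, guid: str):
        """Return the profile id for a presented GUID, or None if unknown."""
        return self.profiles.get(_digest(guid))

    def request_link(self, guid: str, email: str) -> str:
        """Start linking; the returned code would be e-mailed, never shown in-game."""
        if self.authenticate(guid) is None:
            raise PermissionError("unknown device")
        code = secrets.token_urlsafe(16)
        self.pending[_digest(code)] = (_digest(email.strip().lower()), _digest(guid))
        return code

    def confirm_link(self, code: str):
        """Single-use confirmation: attach the device to the e-mail's profile and merge data."""
        entry = self.pending.pop(_digest(code), None)
        if entry is None:
            return None
        email_d, guid_d = entry
        old = self.profiles[guid_d]
        target = self.emails.setdefault(email_d, old)
        if target != old:
            self.data[target]["scores"] += self.data.pop(old)["scores"]
            for key, pid in self.profiles.items():
                if pid == old:
                    self.profiles[key] = target
        return target
```

Confirmation codes in this sketch never expire; a real server would store an expiry alongside each pending entry.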
Shades:
Sounds like you want to use a certificate based setup. This is a lot of hassle for the one handing out certificates and these need to be of sufficient strength (read: quite costly in computing resources to generate) and it would be better if these certificates aren't valid for a long period of time.
Once set up, the procedure for logging in is not that difficult anymore, but getting this properly set up is. You also have to convince the players that your certificates are trustworthy...especially if you generate the whole chain yourself. If you don't want to do this, there are services that can do this for you, but there will be costs involved.
Doing this on a personal level is already quite expensive; on a commercial level it very quickly becomes very(!) expensive. VeriSign is one of the biggest certificate vendors you'll find. Very expensive, but the least problematic to set up, as most, if not all, OSes come with this as standard. Checking for the certificate and, for example, a MAC address that belongs with this certificate is relatively easy for the one doing the authorization, and the user will hardly notice anything from the login procedure.
Though faking a MAC address is easy, the strength of the authorization lies in the combination of the certificate and the MAC address check.
A good example of this would be how a VPN authorizes a computer to be allowed on its network. That check is done early in the full authorization process. After that the user needs to fill in a user name and password to complete the full authorization process.