
User authentication without storing pw's

Started by March 04, 2018 05:58 PM
32 comments, last by hplus0603 6 years, 8 months ago

I think every program should have a way of using good old passwords because of accessibility (important in a game). I don't think it's worth it what you're asking for. Use a password authentication, then think about other fancy stuff. A secure authentication method is another thing that will come on top of this. Other things are as dicey or worse.

Honestly, if you install on a PC, you may want to just store a long-lived session token on disk in some settings file, or perhaps better, the keyring of the operating system.

What, exactly, is there to steal in your game, really? The convenience of being able to keep playing is probably far more worth than whatever small protection you'd get by requiring the user to check email each time they want to play.

You could still have some management interface on the web that let the user invalidate any currently issued security token, so if they lose their computer or believe someone stole the key, they can do so using email.

enum Bool { True, False, FileNotFound };
21 hours ago, RnzCpp said:

I think every program should have a way of using good old passwords because of accessibility (important in a game). I don't think it's worth it what you're asking for. Use a password authentication, then think about other fancy stuff. A secure authentication method is another thing that will come on top of this. Other things are as dicey or worse.

I'm so personally tired of passwords. Do you know how many sites/apps I have passwords to? It's just stupid. I don't reuse passwords because that's so insecure it's insane. I'm not organized enough to maintain some password app. I don't care about maintaining an account to a site/app. I just want the entertainment or information on the dang thing. All this account crap is a byproduct of security for me to get to the stuff I want and I'm personally so password fatigued it's insane. The majority of sites I tell to keep me logged in and if for whatever reason it doesn't or invalidates and asks for my pw I have to do the forgot password feature. Basically my email and bank account are the only pw's I know by heart, but I bet I have up to 50 different sites/apps that require passwords. It's all too much. I'm trying to simplify that process in this sense because I feel everyone for sure knows their email pw. For me personally this is why I LOVE getting texted a 6-digit code to my phone to log into something. My phone is always on me and I get unlimited text messages (who doesn't in 2018) and it's just easier than remembering all these passwords. So the irony of your statement is that I find it easier to get an access token somehow than creating and maintaining an account to yet another thing.

21 hours ago, hplus0603 said:

Honestly, if you install on a PC, you may want to just store a long-lived session token on disk in some settings file, or perhaps better, the keyring of the operating system.

What, exactly, is there to steal in your game, really? The convenience of being able to keep playing is probably far more worth than whatever small protection you'd get by requiring the user to check email each time they want to play.

You could still have some management interface on the web that let the user invalidate any currently issued security token, so if they lose their computer or believe someone stole the key, they can do so using email.

Not that my game will most likely be worth much, but multiplayer desktop games in general require players to log in each time which I think is reasonable and more secure. Games represent time and if someone messes with that it's like they're messing with your time which nobody likes. I feel most PC gamers are rocking 2 monitors at least so it's nothing to have an email up on 1 and the game on another to copy and paste and if a game doesn't allow fullscreen windowed mode then screw that game I say :). Hate when they don't allow that.

It's something to think about though if not just for beta testing. I think ultimately going the Steam route is what I'll do as I'm not opposed to requiring steam. On the client you can request a session token from steam and then pass that to the server to again validate against the steam API to make sure it's a valid Token and then can get a bunch of user info from it. This way they just need to be logged into Steam to play so it's a similar idea of having a central app login used. It's always interesting to get others thoughts though.

3 minutes ago, rpiller said:

Not that my game will most likely be worth much, but multiplayer desktop games in general require players to log in each time which I think is reasonable and more secure.

I haven't been asked to log into Battle.net or Steam (those contain 99% of multiplayer games I play) yet this year, and we're well into March.

If either of those platforms decided to ask me for daily logins, I would be extremely unhappy. Let alone if individual games did...

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]

Those aren't technically games. Maybe it's been a long time since I've played WoW, but that used to ask for my pw each time I launched it. Perhaps those tides are changing. I've been playing America's Army and that requests login each time.

1 minute ago, rpiller said:

it's been a long time since I've played WoW but that used to ask for my pw each time I launched it.

That went away a few years ago. You *can* authenticate manually on every login if you really want, but so long as you enable 2-fac auth and use the Blizzard launcher, it'll just log you in automatically (at least until they detect suspicious activity on your account).

And honestly, there's very little downside to this. The simple option is just to generate a unique certificate/key pair the first time your app launches on a given computer, and register it to the server on first login. Thereafter do public key auth to the server, until either the certificate expires, or the server rejects it.

Tristam MacDonald. Ex-BigTech Software Engineer. Future farmer. [https://trist.am]
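The per-install key pair scheme in the post above, worked through as an added example (not code from the post or from any of the games mentioned). It assumes Ed25519 keys, a hypothetical `gameauth-v1:` domain-separation label, a 32-byte server nonce, an in-memory key table, and that the client keeps its private key in the OS keyring; real storage, transport and the initial login that precedes enrollment are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Domain-separation label (assumed): the device key only ever signs server challenges.
const challengeTag = "gameauth-v1:"

var (
	errUnknownKey   = errors.New("unknown, expired or revoked device key")
	errNoChallenge  = errors.New("no outstanding challenge for this key")
	errBadSignature = errors.New("signature does not verify")
)

// deviceKey is the server's record of one enrolled per-install key.
type deviceKey struct {
	account string
	pub     ed25519.PublicKey
	expires time.Time
}

// authServer keeps enrolled keys and single-use challenges; now is injectable for tests.
type authServer struct {
	keys       map[string]*deviceKey
	challenges map[string][]byte
	now        func() time.Time
}

func newAuthServer() *authServer {
	return &authServer{keys: map[string]*deviceKey{}, challenges: map[string][]byte{}, now: time.Now}
}

func (s *authServer) validKey(id string) (*deviceKey, bool) {
	k, ok := s.keys[id]
	return k, ok && s.now().Before(k.expires)
}

// enroll binds a public key to an account; it runs once per install, right after
// the user has authenticated some other way (password, emailed code).
func (s *authServer) enroll(account string, pub ed25519.PublicKey, ttl time.Duration) string {
	id := hex.EncodeToString(pub)
	s.keys[id] = &deviceKey{account: account, pub: pub, expires: s.now().Add(ttl)}
	return id
}

// challenge issues a fresh random nonce for a key that is still valid.
func (s *authServer) challenge(id string) ([]byte, error) {
	if _, ok := s.validKey(id); !ok {
		return nil, errUnknownKey
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[id] = nonce
	return nonce, nil
}

// verify checks the signature over the outstanding challenge. The challenge is consumed
// whether or not the signature is good, so a captured signature cannot be replayed.
func (s *authServer) verify(id string, sig []byte) (string, error) {
	nonce, ok := s.challenges[id]
	delete(s.challenges, id)
	if !ok {
		return "", errNoChallenge
	}
	k, ok := s.validKey(id)
	if !ok {
		return "", errUnknownKey
	}
	if !ed25519.Verify(k.pub, append([]byte(challengeTag), nonce...), sig) {
		return "", errBadSignature
	}
	return k.account, nil
}

// revoke is what the web management page calls when a user reports a lost machine.
func (s *authServer) revoke(id string) { delete(s.keys, id) }

// clientDevice is the per-install key pair; priv belongs in the OS keyring and never leaves the machine.
type clientDevice struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newClientDevice() (*clientDevice, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &clientDevice{pub: pub, priv: priv}, err
}

func (c *clientDevice) sign(nonce []byte) []byte {
	return ed25519.Sign(c.priv, append([]byte(challengeTag), nonce...))
}
```

The two checks worth copying are that the nonce is deleted before the signature is examined (so neither a replay nor a second guess against the same nonce is possible) and that the signed message carries a fixed label, so the key can never be tricked into signing something the server would interpret differently.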

2 hours ago, rpiller said:

I'm so personally tired of passwords. Do you know how many sites/apps I have passwords to? It's just stupid. I don't reuse passwords because that's so insecure it's insane. I'm not organized enough to maintain some password app. I don't care about maintaining an account to a site/app. I just want the entertainment or information on the dang thing. All this account crap is a byproduct of security for me to get to the stuff I want and I'm personally so password fatigued it's insane. The majority of sites I tell to keep me logged in and if for whatever reason it doesn't or invalidates and asks for my pw I have to do the forgot password feature. Basically my email and bank account are the only pw's I know by heart, but I bet I have up to 50 different sites/apps that require passwords. It's all too much. I'm trying to simplify that process in this sense because I feel everyone for sure knows their email pw. For me personally this is why I LOVE getting texted a 6-digit code to my phone to log into something. My phone is always on me and I get unlimited text messages (who doesn't in 2018) and it's just easier than remembering all these passwords. So the irony of your statement is that I find it easier to get an access token somehow than creating and maintaining an account to yet another thing.

I found a reason to stay inside the matrix. But about tokens... I think it's arguable that time-based passwords are better than one-time passwords, yet I haven't seen a "dual time-based password" which would take some of the annoyance out of time expiration. It's slower to type a token than something that's known.... and you require the smartphone! Tokens require the smartphone, some setting up, plus the app download, though I'm not totally up to date with this.


Two monitors is the vast minority of PC users. (One of the common surveys even measures this; I think Steam or Unity?)

Quote

Do you know how many sites/apps I have passwords to?

I highly recommend LastPass or 1password. They have good mobile and browser plug-ins, and for that one time you need to enter a password on a Playstation, the mobile app can show you the appropriate password in cleartext with numbers colored differently from letters (!)

For 99% of games, I would think that the best way to do this is actually generate a password on install/registration, and store it in the system keychain. Each time you start the game on the computer, log in with the stored password. If it fails, ask the user for a password, and store it again if it works.

Tell the user to give you an email address or phone number for account recovery/multi-device usage. If the user wants to set up a second device, or recover an account, then reset the password, and send the new password to the email address/phone number. The user can then plug that into both devices if desired. The good thing about this is that the user won't be able to re-use passwords, because you generate it on the server using a good random source! (The bad thing is that you send the password in cleartext through email / sms, but that's not much different from any other system that relies on email access at this level.)

Unless there is a real incentive to steal accounts (stealing epic items in a very successful MMO or corporate governance in Eve Online or whatever) then you probably don't need anything more than this. If you DO have real economic value, you're going to be successful and invested enough that you'll be able to let players opt in to 2-factor authentication.

enum Bool { True, False, FileNotFound };
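The generated-credential flow hplus0603 describes above, as an added example rather than code from the post. It assumes a 32-byte credential from the OS CSPRNG encoded as base64url, a per-account random salt, and an in-memory map standing in for the OS keychain and for the server's account table; sending the credential by email or SMS is left to the caller. Because the server generates the credential with 256 bits of entropy, it is not guessable, so a salted SHA-256 is enough on the server side (that is a design assumption of this example; a user-chosen password would need bcrypt, scrypt or Argon2 instead).

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

var errLoginFailed = errors.New("login failed")

// credentialBytes is the entropy in every generated credential. At 256 bits the
// value is unguessable, so a fast salted hash suffices on the server (assumption
// of this example; user-chosen passwords need a slow hash instead).
const credentialBytes = 32

type credRecord struct {
	salt []byte
	hash [32]byte
}

type credServer struct {
	accounts map[string]credRecord
}

func newCredServer() *credServer { return &credServer{accounts: map[string]credRecord{}} }

func hashCredential(salt []byte, cred string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), cred...))
}

// issue generates a fresh random credential for the account and replaces any
// previous one, so calling it again is the "reset" step. The cleartext is
// returned exactly once: to the client on registration, or to the email/SMS
// sender on recovery.
func (s *credServer) issue(account string) (string, error) {
	raw := make([]byte, credentialBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	cred := base64.RawURLEncoding.EncodeToString(raw)
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	s.accounts[account] = credRecord{salt: salt, hash: hashCredential(salt, cred)}
	return cred, nil
}

// login compares hashes in constant time; unknown accounts are hashed against a
// dummy record so the response time does not reveal whether the account exists.
func (s *credServer) login(account, cred string) error {
	rec, ok := s.accounts[account]
	if !ok {
		rec = credRecord{salt: make([]byte, 16)}
	}
	got := hashCredential(rec.salt, cred)
	if !ok || subtle.ConstantTimeCompare(got[:], rec.hash[:]) != 1 {
		return errLoginFailed
	}
	return nil
}

// keychain stands in for the OS keyring (Keychain, Credential Manager, Secret
// Service); a real client would call the platform API here.
type keychain map[string]string

// clientLogin is the client loop from the post: try the stored credential, and if
// the server rejects it ask the user for one (e.g. from a recovery email) and
// store that on success.
func clientLogin(kc keychain, srv *credServer, account string, askUser func() string) error {
	if cred, ok := kc[account]; ok && srv.login(account, cred) == nil {
		return nil
	}
	cred := askUser()
	if err := srv.login(account, cred); err != nil {
		return err
	}
	kc[account] = cred
	return nil
}
```

The point the post makes about reuse falls out naturally: since only `issue` ever creates a credential, the user never gets to pick one, and a reset invalidates the old value the moment the new hash is written.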
14 hours ago, RnzCpp said:

It's slower to type a token than something that's known

I agree. Assuming you know your pw out of the other 20+ pw's you have. However, this is just another "thing" to remember/maintain.


14 hours ago, RnzCpp said:

and you require the smartphone

My personal feelings is that if this is an obstacle in 2018 then just shut'er down.


14 hours ago, RnzCpp said:

Tokens require the smartphone, some setting up, plus the app download

I know what you're thinking of with having an app and all and setting up but I'm not talking about those kinds of tokens that refresh all the time and you have an app for. The tokens I'm referring to are emailed/texted to you and are 6 digits generally in length. You type that into the app you're trying to access and now you're logged in. Generally people still have accounts for this process and it is the 2nd step in a 2-step auth, but I'm questioning why it's not the only step here I guess. Especially when I'm seeing at least 1 bank & Amazon allowing this when you forgot your password instead of having to reset it. That kind of opened my eyes like, yeah why not do this. Getting that access code texted to my phone and not having to reset my pw because I forgot it was sweet!
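The emailed/texted 6-digit code described above, as an added example of what the server side has to enforce if that code is the only factor (this is not rpiller's code or any bank's or Amazon's implementation). The values are assumptions: a 10-minute lifetime, 5 guesses per issued code, an in-memory table keyed by the email address or phone number, and a delivery step left to the caller. With a million possible codes and five guesses allowed, an attacker who can request a code for someone else's address succeeds once in 200,000 tries per code, which is why the guess cap and the expiry are not optional here.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy values assumed for this example.
const (
	codeDigits  = 6
	codeTTL     = 10 * time.Minute
	maxAttempts = 5
)

var (
	errNoCode    = errors.New("no active code; request a new one")
	errWrongCode = errors.New("wrong code")
	errLockedOut = errors.New("too many attempts; request a new code")
)

type pendingCode struct {
	code     string
	expires  time.Time
	attempts int
}

// codeAuth keeps one outstanding code per address; now is injectable for tests.
type codeAuth struct {
	pending map[string]*pendingCode
	now     func() time.Time
}

func newCodeAuth() *codeAuth {
	return &codeAuth{pending: map[string]*pendingCode{}, now: time.Now}
}

// issue draws a uniformly random code from crypto/rand (math/rand would be
// predictable) and replaces any earlier code for the address. The returned
// string is what the email/SMS sender delivers.
func (a *codeAuth) issue(address string) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(codeDigits), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%0*d", codeDigits, n.Int64())
	a.pending[address] = &pendingCode{code: code, expires: a.now().Add(codeTTL)}
	return code, nil
}

// verify consumes the code on success, counts failures, and discards the code
// once the guess budget is spent or the lifetime has passed. The compare is
// constant-time so the length of a partial match does not leak through timing.
func (a *codeAuth) verify(address, guess string) error {
	p, ok := a.pending[address]
	if !ok || !a.now().Before(p.expires) {
		delete(a.pending, address)
		return errNoCode
	}
	if p.attempts >= maxAttempts {
		delete(a.pending, address)
		return errLockedOut
	}
	p.attempts++
	if subtle.ConstantTimeCompare([]byte(p.code), []byte(guess)) != 1 {
		return errWrongCode
	}
	delete(a.pending, address) // single use
	return nil
}
```

Two things this example does not cover that a deployment would need: rate-limiting `issue` itself (otherwise the code becomes a free SMS-spamming service), and the fact that a code-only login is exactly as strong as access to the mailbox or SIM, which is the point hplus0603 makes about email-based recovery earlier in the thread.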

