Specifically regarding the last bit of your question: No, it is never forgivable to have an insecure authentication system. Users are rarely enlightened when it comes to computer security. Users use the same password for your little game as they do for their Google account, Facebook account, bank account, and so on. Even if you can claim that it's their fault for using poor Internet security habits, you're the one who will be held responsible if your game is used as an attack vector to steal users' login credentials. As a developer who knows better, the only ethical options are to properly secure your authentication process or to not have one at all.

As some unsolicited but related advice, users don't want to be required to sign up for your game anyway. They might do so if they want to play your game badly enough, but having Yet Another Freaking Login to sign up for is going to just drive away many potential players. Users are sick to death of making a new account for every single site, service, and game out there, especially if they require any kind of email validation or the like. If you can, either avoid having a login at all, or use an existing third-party authentication service that users likely already have an account with. This goes triple if you plan on having any kind of in-app purchases.

A popular option - particularly for Web games, though it also works for traditional games - is to use a Web-based third-party authentication service. Facebook and Google both have well-documented APIs (both based on standardized APIs, iirc) for authentication. They do require the ability to open a browser window and direct the user towards their services, but this is pretty easy to do on most non-console platforms, and of course trivial for Web games. Those services take care of all the messy details of encrypting login traffic over the wire, securely storing login credentials, and validating user logins. Your game server then needs only implement the portion of the protocol that receives a cookie from the user and asks the authentication service if the cookie is valid or not, which can be done with a simple HTTP in most cases. I won't claim most traditional multiplayer games do this, because they don't, but I will claim that most online casual Web games do this.

For traditional (non-Web) games, facilitating this login procedure is possible by either embedding a browser (Awesomium, Chromium Embedded Framework, or straight up WebKit being popular choices) or by calling out to an external browser (this takes some more finagling to get the auth cookie out of though, and isn't really any easier than embedding one of the aforementioned libraries).

A typical example of this approach is any Facebook game.

Having a simple HTTPS service for login is increasingly normal. Many games use custom protocols, but most of these are incomplete (they have secure login, but no secure way to create/update an account, so they need the HTTPS service anyway) or are simply horrifically insecure. You don't even need to go about getting a custom SSL cert.
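
The server-side half of the flow described above, where the game server receives a cookie from the client and asks the authentication service whether it is valid, as an added example that is not part of the original post. The `/validate` endpoint, its JSON fields (`user`, `app`), `APP_ID` and the local stub service are assumptions made so the example runs offline; a real provider's documented validation endpoint, reached over HTTPS, takes the stub's place.

```python
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_ID = "example-game"  # constructed: the id the provider issued to this game
SESSIONS = {  # constructed sample sessions held by the stub service
    "tok-alice": {"user": "alice", "app": APP_ID},
    "tok-other": {"user": "bob", "app": "some-other-app"},
}

class StubAuthService(BaseHTTPRequestHandler):
    """Local stand-in for the third-party service (hypothetical API)."""
    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        session = SESSIONS.get(query.get("token", [""])[0])
        self.send_response(200 if session else 401)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(session or {"error": "invalid"}).encode())

    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub():
    """Start the stub on a free loopback port; return (server, validate_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubAuthService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/validate"

def validate_cookie(token, validate_url, timeout=3.0):
    """Return the user name if the service vouches for the token, else None."""
    url = validate_url + "?" + urllib.parse.urlencode({"token": token})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            info = json.load(resp)
    except (urllib.error.URLError, ValueError, OSError):
        return None  # fail closed: rejection, outage, timeout or bad JSON
    # A token issued to a different application must not log anyone in here.
    if not isinstance(info, dict) or info.get("app") != APP_ID:
        return None
    return info.get("user") or None

if __name__ == "__main__":
    server, url = start_stub()
    for tok in ("tok-alice", "tok-other", "forged"):
        print(tok, "->", validate_cookie(tok, url))
    server.shutdown()
```

The game server never sees a password in this flow; it only trusts a token after the issuing service confirms it, and it treats an unreachable service the same as a rejection.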