rpiller

Member

  1. This is kind of what I was talking about before. Now we have apps to manage passwords that need a password...I don't care about all these passwords. They are side effects of me wanting information/entertainment. There has to be a better way. In my view text me a reasonable length access code and I'll enter it. No more remembering any passwords and it's quick and easy. Everyone has a phone, everyone texts. I wish it worked like that and it seems to slowly be nudging that way. Can't come soon enough. I'll most likely be using Steam's API though I guess. Pretty standard and accepted by most PC gamers.
  2. I agree. Assuming you know your pw out of the other 20+ pw's you have. However, this is just another "thing" to remember/maintain. My personal feeling is that if this is an obstacle in 2018 then just shut'er down. I know what you're thinking of with having an app and all and setting up but I'm not talking about those kinds of tokens that refresh all the time and you have an app for. The tokens I'm referring to are emailed/texted to you and are 6 digits generally in length. You type that into the app you're trying to access and now you're logged in. Generally people still have accounts for this process and it is the 2nd step in a 2 step auth, but I'm questioning why it's not the only step here I guess. Especially when I'm seeing at least 1 bank & Amazon allowing this when you forgot your password instead of having to reset it. That kind of opened my eyes like, yeah why not do this. Getting that access code texted to my phone and not having to reset my pw because I forgot it was sweet!
  3. Those aren't technically games but maybe it's been a long time since I've played WoW but that used to ask for my pw each time I launched it. Perhaps those tides are changing. I've been playing America's Army and that requests login each time.
  4. Not that my game will most likely be worth much, but multiplayer desktop games in general require players to log in each time which I think is reasonable and more secure. Games represent time and if someone messes with that it's like they're messing with your time which nobody likes. I feel most PC gamers are rocking 2 monitors at least so it's nothing to have an email up on 1 and the game on another to copy and paste and if a game doesn't allow fullscreen windowed mode then screw that game I say :). Hate when they don't allow that. It's something to think about though if not just for beta testing. I think ultimately going the Steam route is what I'll do as I'm not opposed to requiring steam. On the client you can request a session token from steam and then pass that to the server to again validate against the steam API to make sure it's a valid Token and then can get a bunch of user info from it. This way they just need to be logged into Steam to play so it's a similar idea of having a central app login used. It's always interesting to get others thoughts though.
  5. I'm so personally tired of passwords. Do you know how many sites/apps I have passwords to? It's just stupid. I don't reuse passwords because that's so insecure it's insane. I'm not organized enough to maintain some password app. I don't care about maintaining an account to a site/app. I just want the entertainment or information on the dang thing. All this account crap is a byproduct of security for me to get to the stuff I want and I'm personally so password fatigued it's insane. The majority of sites I tell to keep me logged in and if for whatever reason it doesn't or invalidates and asks for my pw I have to do the forgot password feature. Basically my email and bank account are the only pw's I know by heart, but I bet I have up to 50 different sites/apps that require passwords. It's all too much. I'm trying to simplify that process in this sense because I feel everyone for sure knows their email pw. For me personally this is why I LOVE getting texted a 6 digit code to my phone to log into something. My phone is always on me and I get unlimited text messages (who doesn't in 2018) and it's just easier than remembering all these passwords. So the irony of your statement is that I find it easier to get an access token somehow than creating and maintaining an account to yet another thing.
  6. The idea of having access tokens that expire in 15 mins is that people need to get their hands on it within that time and use it before you do (they are invalidated after usage in my system) and even then, they get a 1 time access to, in this game, a video game. If I add the phone text as 2 step that's 2 separate things to get a hold of in 15 mins and use. Highly unlikely. Steam gave me a 5 digit token to reset my pw. Amazon and at least 1 big bank allows you to logon completely with a 6 digit access token if you do "Forgot Password". All delivered through email and only good for a short amount of time. If you have people who know your email pw or sniffing your network traffic, yes you'll have issues. I agree. Edit: I've been looking at the Steam API as well since it has a method for this.
  7. Yep, that's what I meant. Bad wording if I said otherwise. The game is a PC game (not web) so I think it's valid if session tokens die after the game closes so I won't be storing them in anything but memory.
  8. I believe every company who stores PW's does it that way, yes. Yet when that news of a breach hits people are freaking out and that company takes a hit. I'd rather avoid that completely and be able to say we don't store any user pw's. That's the angle I'm playing here. The fact that your avg user doesn't care what the tech behind pw storage is. They just know, Sony got compromised and hackers have access to passwords! The sky is falling! Really, given enough time, having access to all that information a hacker can and will crack some of those pw's. Then the company sends the email "Change your passwords and if you used this pw for another change that too!". ick. Want to avoid.
  9. I really don't want to store user pw's for all the security reasons which I think are worse than the things you've listed. I keep coming back to the fact that sites that allow you to use social media logins all have the same issues my system has and it seems acceptable for all the sites and apps that use that and it's very common. If I use my email account for this site and my email gets compromised they can log into this site as me. If the transmission is compromised (encryption broken) there is nothing that can be done in any system. The only thing I see is trying to actually ID a person in the case they get a new email or device (if using phone) but perhaps I could use question/answer for that which is less sensitive than pw's. Would still hash those in the DB but still less sensitive.
  10. Same process. I'll for sure have a users table but it'll just have an email/phone field(s) so users are ID'd by their email only. I will for sure have to take a non spamming feature in since if someone knows you play this game and your email you use for it they could just keep requesting access tokens which we don't want but that should be easy enough to stop a spam of those. Once you're actually logged in any other requests for a token will be denied until you're logged out (which info is stored in memory of the app). Since this is just for authentication crashes or reboots causing a logout is fine with me I think. Scaling horizontally I think would just be servers can only play against people on those servers so we'd have a cap of users per server. If it even got to that point. That's a good idea! Thanks for that. I will have a button they can press that will copy from the clipboard so this is perfect. The more I think of this the more I remember Amazon and a popular credit card site allowing a 6-digit temp access token instead of a password. I was shocked when I saw that option after pressing forgot password and it was slick. They were just using 6 digits!
  11. This brings up a good point. I was first thinking of storing the temp pw in the db user record, but I don't need to do that. I can just store it in memory of the running server app. Why do you say look at password hashing with the way I'm thinking. These "temp pw's" will be GUID's and stored in memory only on the server along with a 15 min timeout on them. When the user first connects it sends his email address that he enters into the app to the server. The server sends a new GUID to said email address. The user takes this GUID from his email address and enters this GUID into my game. That GUID goes to the server along with his email address again where the server validates the 2 match in the memory container (and also that it isn't expired) and now the user is logged in. I mean I guess I could hash the temp pw/guid that's stored in the memory of the server app for added protection. As long as the transmission is secured I guess I'm not seeing any security issues with this. As stated if someone gets into a person's email account they can already have access to anything that user granted OAuth access to before like every website in existence these days. So it's not as if OAuth protects against a person's email getting hacked which allows the granting of authorization on so many things.
  12. Everything gets stolen all the damn time. Even passwords to sites. I use google auth for this very site. If someone steals my email pw they can now log into this site as me. Same idea. That method I propose seems just as secure as a method used to access this site, but I suppose adding phone too would make it better.
  13. I have looked up on OAuth2. From my findings it seems like it's more for authorization of resources to another app but some people use it as authentication which some have declared not ideal and sort of a side effect and can easily be done incorrectly. Not to mention OAuth is a pain when you're not dealing with web technologies for games.
  14. And the worst that happens is you can't play my game under that account anymore as my game stores nothing else about the user. Of course have a way to call support and xfer account.
  15. I'm making an online game where I need to preserve some things for the players so each will have an account. However, I don't want to get into the business of storing user created passwords since that's dicey these days. So I was thinking what's the point of even asking for the user to create a password for most apps these days? With the advent of phone/email verification why not just have the user enter their e-mail address and id at registration time and then have the server create a temp pw good for 15 mins and then send it to that email address and have the player copy/paste that into the game to login? A phone number could be used as well. This is usually step 2 in a 2-step auth these days anyway so since it's, I'd say, more secure than the user generated pw per app, why not just make that the only step? I get the slight inconvenience but I think people are getting over that these days because of security and this step is becoming more popular. This seems like it passes the buck to the email provider and their security which will be better than what most people with an app come up with. To prevent someone who knows your email and the app from spamming, the system could track last temp pw try and only allow so many in an hour. Thoughts on this approach in terms of security?
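The server side of the scheme described in posts 10, 11 and 15 above (a random code e-mailed to the user, kept only in server memory with a 15 minute expiry, invalidated on first use, and rate-limited per e-mail address), as an added Python example that is not rpiller's code or any project's. The hourly issue limit, the cap on wrong guesses, hashing the stored code so a memory dump is not directly usable, and the constant-time comparison are defensive assumptions added here; the posts give no numbers for the limits.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # codes expire after 15 minutes, as in the posts
MAX_ISSUES_PER_HOUR = 3      # assumed issuance rate limit (the posts give no number)
MAX_ATTEMPTS = 3             # assumed cap on wrong guesses before the code is discarded


class OneTimeCodeStore:
    """Single-use login codes kept only in server memory, keyed by e-mail address."""

    def __init__(self, clock=time.time):
        self._clock = clock    # injectable clock so expiry can be tested deterministically
        self._codes = {}       # email -> [sha256 hex of code, expiry time, wrong attempts]
        self._issued = {}      # email -> timestamps of recent issues (for rate limiting)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, email):
        """Return a fresh plaintext code to e-mail to the user, or None if rate-limited.
        Only the hash of the code is retained, so a memory dump yields nothing reusable."""
        now = self._clock()
        recent = [t for t in self._issued.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_ISSUES_PER_HOUR:
            return None
        self._issued[email] = recent + [now]
        code = secrets.token_hex(16)   # 128 bits of randomness, comparable to a GUID
        self._codes[email] = [self._digest(code), now + CODE_TTL_SECONDS, 0]
        return code

    def redeem(self, email, code):
        """Return True at most once per issued code. Expired codes and codes with too
        many wrong guesses are discarded; the comparison is constant-time."""
        entry = self._codes.get(email)
        if entry is None:
            return False
        stored_hash, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._codes[email]
            return False
        if hmac.compare_digest(stored_hash, self._digest(code)):
            del self._codes[email]     # single use: replaying the same code is rejected
            return True
        entry[2] = attempts + 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._codes[email]
        return False
```

The attempt cap matters most if the code is shortened to the 6 digits the posts mention; a 128-bit code is not guessable online, but a 6-digit one is without it.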