iOS Games and User Authentication
April 10, 2013 9:01 AM

What is the best practice in iOS game or app development for authenticating a user when using a 3rd party server for progress/score/status data storage?

So I'm building this game in which we are storing some player data on Amazon EC2. This is a critical client requirement (I won't get into why - I've fought that battle and lost) and is non-negotiable at this point. This means I can't use GameCenter for authentication because I have to go out to a 3rd party (Amazon). Right now my developers have designed a system that asks the player for a username, AN EMAIL ADDRESS and a password. This to me is anathema. The client is also wary of using Facebook Connect (although that may be our fallback option). So all that said, what are the existing best practices for making sure a user is a real user and not a bot, and authenticating against a 3rd party server WITHOUT asking the player for an email address?
posted by spicynuts to Computers & Internet (8 answers total)
 
Facebook Connect, with a reasonable minimal set of info you want to access, probably is your best bet. I'm sure as heck not going to hand over my email address to some random app that (from my perspective as a user) can't be bothered to use Game Center.

I bet it's probably beyond what you can argue, but I'd seriously question why in the world you care whether a bot is playing your game. Who's going to bother building a bot to play an iOS game? If they do, are you seriously afraid that enough of your userbase will be bots that it'll meaningfully impact your bottom line?
posted by Tomorrowful at 9:07 AM on April 10, 2013


Response by poster: Well, it's not about the bot playing the game, it's about someone spamming the user registration page a million times and basically shutting us down.
posted by spicynuts at 9:09 AM on April 10, 2013


it's about someone spamming the user registration page a million times and basically shutting us down.

Ah. So you don't really care if it's a bot, you care if you're getting (more or less) DoSed? You might want something like Fail2ban, which will temporarily block offending IP addresses.
posted by Nonsteroidal Anti-Inflammatory Drug at 9:17 AM on April 10, 2013


well it's not about the bot playing the game, it's about someone spamming the user registration page a million times and basically shutting us down.

Yeah but... you're registering them from within an app, right? Your app? Which you could limit to how frequently it tries to register?
posted by Tomorrowful at 9:21 AM on April 10, 2013


Response by poster: That's a good thought...
posted by spicynuts at 9:32 AM on April 10, 2013


you're registering them from within an app, right? Your app? Which you could limit to how frequently it tries to register?

Presumably the app doesn't have a "repeatedly try to register fast enough to cause a DDOS" button in it anyway; nobody is going to DDOS anybody by tapping "register" really, really fast on an iPhone. If such an attack occurs, it occurs by someone simulating the same network traffic that the app would send, from a computer that can do the same thing thousands of times per second.

It's sort of moot, anyway, though. I can spam your user registration page a thousand times per second with garbage and it will still slow your servers down handling my junk requests. It doesn't matter if I have valid email addresses or not.
posted by tylerkaraszewski at 9:46 AM on April 10, 2013
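The two answers above pull in the same direction: a throttle in the app binary does nothing against a script that replays the app's traffic, so the limit has to live on the server, and a Fail2ban-style temporary block is one shape it can take. The following is an added example (not code from the thread or from any poster) of a per-source-IP sliding-window throttle for a registration endpoint. The window, limit and ban length are illustrative choices, and the source addresses in the usage are constructed; a real deployment would keep this state in a shared store rather than in one process's memory.

```python
"""Server-side throttle for a registration endpoint.

Added example, not from the original thread. Assumes the registration
handler runs on the server and can see the client's source IP. The limits
(5 attempts per 60 s, then a 10-minute block) are illustrative, not a
recommendation for any particular game.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window length (assumed)
MAX_PER_WINDOW = 5    # attempts allowed per IP per window (assumed)
BAN_SECONDS = 600     # temporary block, Fail2ban-style (assumed)


class RegistrationThrottle:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW, ban=BAN_SECONDS):
        self.window = window
        self.limit = limit
        self.ban = ban
        self._hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self._banned_until = {}           # ip -> time at which the block expires

    def allow(self, ip, now=None):
        """Return True if this attempt may proceed, False if it must be rejected.

        `now` is injectable so the behaviour can be exercised without sleeping.
        """
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return False              # still blocked: reject without touching history
            del self._banned_until[ip]    # block has lapsed
        q = self._hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                   # forget attempts older than the window
        if len(q) >= self.limit:
            # Over the limit: block this address for BAN_SECONDS and drop its history
            # so the count starts fresh once the block expires.
            self._banned_until[ip] = now + self.ban
            q.clear()
            return False
        q.append(now)
        return True


def simulate(throttle, ip, attempts, spacing):
    """Send `attempts` requests from `ip`, `spacing` seconds apart, starting at
    t=0; return how many the throttle accepted."""
    accepted = 0
    for i in range(attempts):
        if throttle.allow(ip, now=i * spacing):
            accepted += 1
    return accepted


if __name__ == "__main__":
    t = RegistrationThrottle()
    # Constructed scenario: a script hammering the endpoint 1000 times a second.
    print("attacker accepted:", simulate(t, "198.51.100.7", 1000, 0.001))   # 5
    # A different address is unaffected by the first one's block.
    print("other client allowed:", t.allow("203.0.113.9", now=0.5))          # True
```

Rejected requests still cost the server a little work, so this bounds the damage rather than eliminating it, and a per-IP limit is blind to an attacker spread across many addresses (or over-eager against many players behind one NAT); it is the minimum worth having, not the whole answer.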


How can you ensure a human registers, without a 3rd party validation service or a (unique?) email address? The usual answer to that is to use a CAPTCHA.
posted by Ookseer at 11:23 AM on April 10, 2013


I'm super confused as to why you can't use Game Center.

Store your data in EC2 however you'd like - just set up your player model like

Player { GameCenterPlayerID: XXXXXX, any:other,fields:you:want}

Just let GameCenter or Facebook Connect or whatever handle the authentication.
And you store the GameCenter player ID and any session auth tokens.
But store any other data, any other way you want.
posted by patrickje at 4:10 PM on April 15, 2013
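As an added illustration of the layout patrickje describes (this is example code, not from the thread or any poster): the server keeps a player record keyed on whatever ID the identity provider hands back, and issues its own session tokens for the EC2-side API, storing only a hash of each token so a copied database cannot be replayed. It assumes the provider (Game Center, Facebook Connect, or whatever is chosen) has already authenticated the player and that the server has a provider player ID it trusts; how that ID is verified is provider-specific and not shown. The provider names and player IDs in the usage are constructed.

```python
"""Player records keyed on an external identity, with server-issued session tokens.

Added example, not code from the thread. The identity provider is assumed to
have authenticated the player already; this only models what the game server
stores. An in-memory dict stands in for whatever datastore lives on EC2.
"""
import hashlib
import secrets
import time

SESSION_TTL = 24 * 3600   # assumed session lifetime, in seconds


def _digest(token):
    """Hash a bearer token before storing or looking it up."""
    return hashlib.sha256(token.encode()).hexdigest()


class PlayerStore:
    def __init__(self):
        self.players = {}    # (provider, provider_player_id) -> player record
        self.sessions = {}   # sha256(token) -> (player key, expires_at)

    def get_or_create(self, provider, provider_player_id):
        """Look up the player by the provider's ID, creating the record on first sight."""
        key = (provider, provider_player_id)
        rec = self.players.get(key)
        if rec is None:
            rec = {
                "provider": provider,
                "provider_player_id": provider_player_id,
                "score": 0,         # any other fields you want live here
                "progress": {},
            }
            self.players[key] = rec
        return rec

    def issue_session(self, provider, provider_player_id, now=None):
        """Mint a random bearer token for an authenticated player.

        Only the token's hash is persisted; the plaintext goes to the client once.
        """
        now = time.time() if now is None else now
        self.get_or_create(provider, provider_player_id)
        token = secrets.token_urlsafe(32)
        self.sessions[_digest(token)] = ((provider, provider_player_id), now + SESSION_TTL)
        return token

    def player_for_session(self, token, now=None):
        """Return the player record for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        h = _digest(token)
        entry = self.sessions.get(h)
        if entry is None:
            return None
        key, expires_at = entry
        if now >= expires_at:
            del self.sessions[h]      # expired: drop it so it cannot be reused
            return None
        return self.players.get(key)


if __name__ == "__main__":
    store = PlayerStore()
    # Constructed IDs; a real provider would supply these after authenticating.
    tok = store.issue_session("gamecenter", "player-12345", now=1000)
    rec = store.player_for_session(tok, now=2000)
    rec["score"] = 42
    print(store.player_for_session("not-a-real-token", now=2000))   # None
    print(store.player_for_session(tok, now=2000)["score"])          # 42
```

The email address, username and password the poster objected to never appear: the server trusts the provider's ID for identity and its own random token for the session, and the only secret it holds at rest is a hash.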

