iOS Games and User Authentication
April 10, 2013 9:01 AM
What is the best practice in iOS game or app development for authenticating a user when using a 3rd party server for progress/score/status data storage?
So I'm building this game in which we are storing some player data on Amazon EC2. This is a critical client requirement (I won't get into why - I've fought that battle and lost) and is non-negotiable at this point. This means I can't use GameCenter for authentication because I have to go out to a 3rd party (Amazon). Right now my developers have designed a system that asks the player for a username, AN EMAIL ADDRESS and a password. This to me is anathema. The client is also wary of using Facebook Connect (although that may be our fallback option). So all that said, what are the existing best practices for making sure a user is a real user and not a bot, and authenticating against a 3rd party server WITHOUT asking the player for an email address?
Response by poster: well it's not about the bot playing the game, it's about someone spamming the user registration page a million times and basically shutting us down.
posted by spicynuts at 9:09 AM on April 10, 2013
it's about someone spamming the user registration page a million times and basically shutting us down.
Ah. So you don't really care if it's a bot, you care if you're getting (more or less) DoSed? You might want something like Fail2ban, which will temporarily block offending IP addresses.
posted by Nonsteroidal Anti-Inflammatory Drug at 9:17 AM on April 10, 2013
well it's not about the bot playing the game, it's about someone spamming the user registration page a million times and basically shutting us down.
Yeah but... you're registering them from within an app, right? Your app? Which you could limit to how frequently it tries to register?
posted by Tomorrowful at 9:21 AM on April 10, 2013
you're registering them from within an app, right? Your app? Which you could limit to how frequently it tries to register?
Presumably the app doesn't have a "repeatedly try to register fast enough to cause a DDOS" button in it anyway; nobody is going to DDOS anybody by tapping "register" really, really fast on an iPhone. If such an attack occurs, it occurs by someone simulating the same network traffic that the app would send, from a computer that can do the same thing thousands of times per second.
It's sort of moot, anyway, though. I can spam your user registration page a thousand times per second with garbage and it will still slow your servers down handling my junk requests. It doesn't matter if I have valid email addresses or not.
posted by tylerkaraszewski at 9:46 AM on April 10, 2013
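One server-side way to apply the per-IP limiting and temporary blocking discussed in the comments above, so that it holds even when the traffic does not come from the app itself. This is an added example, not code from the thread or any poster; the policy numbers, the sample addresses and the log format are constructed.

```python
from collections import defaultdict, deque

# Constructed policy (assumption, not from the thread): at most MAX_REQUESTS
# registration attempts per WINDOW seconds from one IP; an IP that exceeds
# that is refused for BLOCK seconds, much as Fail2ban would do with iptables.
MAX_REQUESTS = 5
WINDOW = 60.0
BLOCK = 600.0


class RegistrationLimiter:
    """Sliding-window limiter keyed by client IP, for a /register endpoint."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW, block=BLOCK):
        self.max_requests = max_requests
        self.window = window
        self.block = block
        self.hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if this attempt may proceed, False if it is refused."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False             # still inside the block period
            del self.blocked_until[ip]   # block expired, start fresh
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget attempts outside the window
        q.append(now)
        if len(q) > self.max_requests:
            self.blocked_until[ip] = now + self.block
            q.clear()
            return False
        return True


def replay(lines, limiter=None):
    """Feed constructed 'timestamp ip' log lines through the limiter and
    return one verdict per line (True = attempt accepted)."""
    limiter = limiter or RegistrationLimiter()
    return [limiter.allow(ip, float(ts)) for ts, ip in (l.split() for l in lines)]


# Constructed sample traffic: one flooding source and one ordinary player.
SAMPLE = [
    "0.0 203.0.113.9", "0.5 203.0.113.9", "1.0 203.0.113.9",
    "1.5 203.0.113.9", "2.0 203.0.113.9", "2.5 203.0.113.9",
    "3.0 198.51.100.4", "650.0 203.0.113.9",
]
```

The sixth attempt from 203.0.113.9 trips the block; the other player is unaffected, and the blocked address is admitted again once the block has expired.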
How can you ensure a human registers, without a 3rd party validation service or a (unique?) email address? The usual answer to that is to use a CAPTCHA.
posted by Ookseer at 11:23 AM on April 10, 2013
I'm super confused as to why you can't use Game Center.
Store your data in EC2 however you'd like - just set up your player model like
Player { GameCenterPlayerID: XXXXXX, any:other,fields:you:want}
Just let GameCenter or Facebook Connect or whatever handle the authentication.
And you store the GameCenter player ID and any session auth tokens.
But store any other data, any other way you want.
posted by patrickje at 4:10 PM on April 15, 2013
I bet it's probably beyond what you can argue, but I'd seriously question why in the world you care whether a bot is playing your game. Who's going to bother building a bot to play an iOS game? If they do, are you seriously afraid that enough of your userbase will be bots that it'll meaningfully impact your bottom line?
posted by Tomorrowful at 9:07 AM on April 10, 2013