SMS User Verification
Because prohibiting VPNs is not a solution

Sindome prohibits VPN connections in order to dissuade banned players from circumventing with new accounts, but:

1. It's become clear this is not really working, since many banned players keep repeatedly being banned on new characters anyway; and,

2. Prohibiting VPNs is not good for users on many levels. Everyone should be using a VPN (especially so with such a hyper-exposed protocol) and as the last data breach showed, there are some legitimate privacy concerns.

There is another option, and in fact the most common way that virtually all online services verify users and protect against bots and ban circumventions: SMS verification for account creation (or alternatively for membership).

This type of service is almost ideal from a privacy standpoint because many of them don't expose user data to anyone else, they just tell whoever is verifying whether the number is good and unique. This type of service also allows for doing things like two-factor authentication for high security tasks like changing passwords, although that requires more actual development to integrate.

From what I've seen this type of service usually costs something like ~5-10c per verification, and although it's not totally foolproof to circumvention, it's the method of choice for several big F2P games to control cheating and ban circumvention and bots. A small number of users would possibly have issues being on smaller pre-paid cell networks in certain countries, but I think having to allow only for a couple of exceptions a year would make it far easier than prohibiting important privacy mechanisms to everyone.

From what I saw some of these services are geared towards very small clients with minimal setup required, however there would be at least some setup to implement it. I do think this is something to at least consider, and might be a good use of some of the money that has been set aside for the game's development.

@0x1mm I like where your head is at here. Two factor authentication is good.

SMS is the absolute worst two factor out there. It is easily spoofed and in some cases even intercepted.

In the context of your suggestion here, the bigger concern is how easily spoofed it is. On the scale of changing a source IP address, to VPN, to spoofing SMS I'd rank SMS spoofing in the middle. More difficult than setting up a VPN, less difficult than obfuscating a source IP.

The better way to go would be something that uses an authenticator like Duo. There are plenty of MFA tools out there and I'm not wedded to Duo. I just like that it isn't reliant on Microsoft, Google or any of the other Big Brother companies.

The reason I suggest SMS verification is just after reading how several large F2P games are moving to these types of mechanisms, in part because it imparts a relatively low burden on users while still presenting hurdles to cheaters and toxic players.

I think any player verification will dissuade a certain percentage of people from signing up to begin with (which might make it more appropriate for memberships since anyone willing to fork over cash via PayPal is probably fine providing an anonymized phone number) so there is a certain balance to be struck between what is effective, and what makes it easy to start playing.

Whatever has the lowest impact on users while providing decent verification is likely to be the best option in my mind, but I am not any kind of developer and am not speaking from experience.

How would this work for players outside the US? I can see this causing problems for our international RPers.

Considering it from a privacy and data breach perspective, I am much less concerned with someone having my email address than having my phone number.

The good thing about 2FA like Duo or anything that has an authenticator is it doesn't need your phone number.

Consider the worst case scenario.

The game gets hacked by the people who still talk about this game literally years after they've been banned.

Which one would you rather they have?

An email address, perhaps even an email address that you set up just for this game.

Or your phone number?

The article I was just reading (which prompted the suggestion) discussed Twilio's authentication services, and from the sounds of it, the behind-the-scenes aspects of delivering SMS messages to anyone in the world are a nightmare hellscape for them to implement. Twilio handles verification for Discord and Overwatch so presumably they've got it mostly figured out.

We have such a small number of users that having a few exceptions made once in a while for players in countries that have a ton of SMS blacklists might be a reasonable approach.

My understanding Hek is that many of these providers do pure verification: They get your number rather than whoever you're signing up for. User emails were already compromised, the argument I'm advancing is to have less user data attached to Sindome rather than more.

I would take what the article says with a grain of salt. (Disclaimer. I work in telecommunications for a LARGE corporation. We have over 300,000 users. That's a LOT of phones.)

Sending an international SMS isn't any more difficult than doing it domestically.

The only measurable difference is that it costs more.

If we wanted to be fully cyberpunk about it, we'd just issue physical USB keys. We could subsidize anyone who can't afford them from the excess funds available in the MOO account. I'd even make a donation explicitly for that, and I bet a few others would be willing to as well.

How cool would that be? A USB key with the Sindome corporate logo on it?


You're right. Twilio and others act as trusted intermediaries. They get your real number, Sindome gets a hash value to use with their API when they need to authenticate "YOU".
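One way to realise the "hash value, not the number" arrangement this post describes, as an added Python example (not Sindome's or Twilio's code; the server-side HMAC key, 6-digit code and 5-minute expiry are assumptions): the game keeps only a keyed hash of the verified number for its one-account-per-number check, the one-time code is single-use and time-limited, and the raw number never has to be stored.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in practice loaded from config, never committed.
SERVER_KEY = b"demo-only-key-replace-with-a-random-secret"
CODE_TTL_SECONDS = 300  # assumed 5-minute validity for a one-time code


def normalize(number: str) -> str:
    """Digits only, with a leading '+', so the same number always hashes the same."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def phone_token(number: str) -> str:
    """Keyed hash of the normalized number: stable enough for a uniqueness
    check, but useless to a thief who gets the database without SERVER_KEY."""
    return hmac.new(SERVER_KEY, normalize(number).encode(), hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}        # token -> (code, expiry); never the raw number
        self.registered = set()  # tokens of numbers already tied to an account

    def start(self, number: str):
        """Issue a one-time code. Returns (token, code) so the demo can simulate
        SMS delivery; a real service would hand the code to the SMS provider only."""
        token = phone_token(number)
        if token in self.registered:
            raise ValueError("number already used for an account")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = (code, self.now() + CODE_TTL_SECONDS)
        return token, code

    def finish(self, token: str, submitted: str) -> bool:
        """Consume the pending code: one attempt, constant-time compare, no reuse."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        code, expiry = entry
        if self.now() > expiry or not hmac.compare_digest(code, submitted):
            return False
        self.registered.add(token)
        return True
```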

I don't think that's even remotely practical.

I'm sure there are options but the perfect is the enemy of the good. If something is enough for Blizzard to handle cheaters, I have to imagine it's more than good enough for our ~400 total users.

Google offers free 2FA with their API and mobile app on both Android and Apple app stores.

Just something to consider.

I assure you there's ways around 2FA as well. If someone is psychotic enough they will always find a way to ban evade.

I'm sure anything can be circumvented, but I think prohibiting VPNs is actively worse than doing nothing at all, since we're compromising player security and privacy and not preventing ban evaders from playing anyway.

SMS verification is used in other games to great effect, like I say I think the perfect is the enemy of the good especially when considering what we have now is bad.

A few things:

SMS verification is easily beaten. Unless we are going to require it every time you log in. Even then the cost of a VoIP number or burner cell is on par with the cost of a VPN and in the case of a burner phone, much more difficult to detect.

Banning VPNs has dramatically reduced the number of ban evaders.

I appreciate you thinking about this. I don't want banned players either. I spend several hours a week reviewing new player accounts.

This post should probably have been in Ideas :)

It may be true that banning VPNs limited the number of ban-evading players, but it comes at a not insignificant cost to player privacy and security. I have doubts that run of the mill ban evasion will spoof multiple phone numbers for verification, and anyone who will is already repeatedly evading bans since the same permabanned players keep reappearing over and over.

If SMS isn't enough then perhaps one of these 2FA services through Google or another.


Thanks for sharing this...

I spend several hours a week reviewing new player accounts.

If that's not hyperbole, I think the ROI on implementing an additional layer of authentication might very well be worth it.

I kind of wish that I still had access to all of the data analytics and machine learning infrastructure that I did at my last job. This seems like a typical data science task that could probably be automated and tuned fairly easily.


You seem extremely focused on "player privacy and security".

What are your specific concerns that require full end-to-end encryption of what is essentially text streams full of people writing make believe stories to each other?

I am not trying to downplay whatever your concerns are. I am searching for details and context.

In my experience VPNs are good for a couple of things.

1. Evading analysis or making it difficult to analyze the source of your connection. (e.g. evading a ban, getting around a region lock (like with Netflix), etc.)

2. Securing sensitive and confidential data. (financial data, medical data, etc.)

This thread is no longer productive. Keep it on topic please.

(Edited by Slither at 6:00 am on 12/3/2022)