So if I understand the login processes properly
Bah, posted it before I finished typing.
So if I understand the login processes properly... on a PC, CustomID is the way to go for anonymous, smooth logins before creating accounts.
But, those need to be stored somewhere in order to reuse them, otherwise, they are lost forever.
From my understanding, there is no way to generate a 'unique' custom ID based on a PC, so it's randomly generated.
So, since it's stored, it's easily findable. What's to stop someone using that CustomID to log in to another player's account?
Or is this just something to live with and the solution is to just encrypt the CustomID when saving it locally?
The Custom ID login system is intended for cases where you have an ID you feel is "reasonably secure". In other words, an ID that is never transmitted to players for any reason. That way, a hacker could really only get access to your account if they can get access to your PC. And if someone has sufficient access to your PC that they can read arbitrary files from it, you have slightly more problems than the fact that they can sign into your game account. Ultimately, it just comes down to what you're comfortable using, in terms of title security. The Custom ID is definitely not meant as a high security solution.
Also, local encryption isn't really a strong solution, since the code required to decrypt the ID will be on the local machine as well. But it would at least keep casual users from being able to use the ID.
Ok cool. So the answer to my question is no.
But, that's fine 'cause if someone gets that there are much bigger problems for that user anyway.
Good to know, now I can cross it off my 'do something about this' list.
Correct. It is not technically possible for an auth mechanism which is saved in its entirety on the local system to be highly secure, as the credentials are available on that machine. But yes, unless you are exposing that ID somewhere, the only way it should be vulnerable is if someone gains full access to the user's device.
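The storage pattern discussed in this thread (a randomly generated Custom ID kept on the local machine for reuse), as an added example that is not part of the original posts or of PlayFab's own code: the ID comes from the OS CSPRNG, the file is created owner-only, and a stored file that other local accounts can access is rejected. The function names, the 128-bit length and the file location are assumptions. This narrows exposure to other local accounts only; as the replies say, anyone with full access to the user's device can still read the ID.

```python
import os
import secrets
import stat

ID_BYTES = 16  # assumption: 128 random bits; the thread does not name a length


def load_or_create_custom_id(path):
    """Return the stored Custom ID, generating and saving one on first run."""
    try:
        # O_EXCL fails if the file exists, so an existing ID is never overwritten.
        # Mode 0600 keeps other local accounts from reading the new file.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return _read_existing(path)
    custom_id = secrets.token_hex(ID_BYTES)  # OS CSPRNG, not the random module
    with os.fdopen(fd, "w") as f:
        f.write(custom_id)
    return custom_id


def _read_existing(path):
    with open(path) as f:
        # fstat on the open handle checks the same file we are about to read.
        mode = os.fstat(f.fileno()).st_mode
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to other accounts")
        custom_id = f.read().strip()
    # Reject truncated or edited files instead of logging in with them.
    if len(custom_id) != 2 * ID_BYTES or set(custom_id) - set("0123456789abcdef"):
        raise ValueError("stored Custom ID is malformed")
    return custom_id
```

The permission check applies to POSIX mode bits only; on Windows the equivalent control is the ACL of the per-user profile directory the file lives in.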