Rintje Straver asked

Login with device id security

My game uses silent login with device id (+random string) and Google linking.

I have a question regarding the device id flow. Is it true that I can just guess some device ids and try to log in (or create a bot that does the same)?

That is highly insecure, or am I missing something?


1 Answer

Jon answered

You can append a random hash to the end; that should basically solve all your concerns.

With each character that your ID increases, the harder it will be to guess a specific account. If they just want ANY account, then it is a little easier, but still not very useful.

Now you can just make it so the game gets the device ID from the device, and then you can store the other part somewhere.

Yes, it can still be guessed, but it's not much different than guessing an email + password, right?

Otherwise, you could make your game login via account + 2FA if you want to secure it.

1 comment

Seth Du ♦ commented

I think Jon covers most of my ideas. The device id + random string combination should greatly improve the security of the account. I won't say it is highly insecure. Any single-string identity for the login is not good for safety, while email + password will be much better.

In the common scenario, login with device id, along with custom id, is used in silent login, which has a premise of having a comparatively safe environment, and it only helps improve the gaming/login experience of players instead of ensuring safety.

0 Likes 0 ·
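
Added example, not part of the original thread and not any platform's own code: it puts numbers on the point made in the answer above, that each extra random character makes a specific account harder to guess while hitting ANY account is easier. The function names, the `:` separator, the 62-character alphabet and the guess rates are assumptions chosen for illustration, and the device id is deliberately counted as contributing no secrecy.

```python
import math
import secrets

# Assumed alphabet for the random suffix (62 symbols).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SECONDS_PER_YEAR = 31_557_600

def new_login_id(device_id: str, suffix_len: int = 32) -> str:
    """Device id plus a suffix drawn from the OS CSPRNG (never random.random)."""
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(suffix_len))
    return f"{device_id}:{suffix}"

def suffix_bits(suffix_len: int) -> float:
    """Unpredictable bits in the ID. The device id is counted as zero bits
    (assumption: it can be enumerated or read from the device)."""
    return suffix_len * math.log2(len(ALPHABET))

def expected_guesses(bits: float, accounts: int = 1) -> float:
    """Mean attempts until a uniformly random guess matches.
    accounts=1 is one specific account; accounts=N is the worst case for the
    defender, where a single guess may match any of N existing IDs."""
    return 2.0 ** bits / accounts

def years_to_hit(bits: float, accounts: int, guesses_per_sec: float) -> float:
    """Expected time to the first hit at a sustained guess rate."""
    return expected_guesses(bits, accounts) / guesses_per_sec / SECONDS_PER_YEAR

def min_suffix_len(accounts: int, guesses_per_sec: float, years: float) -> int:
    """Shortest suffix so the expected time to hit ANY account is >= years."""
    needed_bits = math.log2(accounts * guesses_per_sec * years * SECONDS_PER_YEAR)
    return math.ceil(needed_bits / math.log2(len(ALPHABET)))

if __name__ == "__main__":
    # Constructed inputs: 1,000,000 accounts, 1,000 login attempts per second.
    print(new_login_id("constructed-device-id"))
    for n in (8, 16, 32):
        b = suffix_bits(n)
        print(n, round(b, 1), f"{years_to_hit(b, 1_000_000, 1000):.3g} years")
    print(min_suffix_len(1_000_000, 1000, 1000))
```

Server-side rate limiting lowers `guesses_per_sec`, which is the other input a defender controls besides suffix length.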
