question

endragor asked

Game Center login is insecure

The Game Center login API only accepts a player ID to authenticate a player. Since the ID is unique per Game Center account and can never be changed, if it was ever compromised for a person, someone else can log in to any PlayFab-managed game on behalf of that person. This is a big problem, since the situation is out of the control of the game developer - even if they take measures to protect the ID, it may already have been compromised a long time ago, and the user cannot take action to change it.

Apple provides a means to avoid that problem with the help of the generateIdentityVerificationSignature() method. To support it, the PlayFab API would have to additionally accept 5 more parameters: bundleID, publicKeyUrl, signature, salt, timestamp.

Is there a reason why secure login is still not supported? That looks like a must-have for the service.
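
The server-side check those five parameters make possible, as an added example that is not part of the original post and is not PlayFab's or Apple's code. The payload order follows Apple's documented verification procedure; the millisecond timestamp, the five-minute window, the apple.com host rule and the `apple_key` argument (modulus and exponent already extracted from the validated certificate) are assumptions. The hand-written RSA check is there only so the example runs on the standard library; a real server would use a vetted crypto library.

```python
import hashlib
import hmac
import struct
import time
from urllib.parse import urlsplit

# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, a policy choice


def signed_payload(player_id, bundle_id, timestamp_ms, salt):
    # Order from Apple's documentation: playerID and bundleID as UTF-8,
    # timestamp as big-endian UInt64, then the raw salt bytes.
    return (player_id.encode("utf-8") + bundle_id.encode("utf-8")
            + struct.pack(">Q", timestamp_ms) + salt)


def key_url_allowed(public_key_url):
    # Assumption: Apple serves the signing certificate over HTTPS from an
    # apple.com host; any other URL would let the caller choose the key.
    u = urlsplit(public_key_url)
    host = u.hostname or ""
    return u.scheme == "https" and (host == "apple.com" or host.endswith(".apple.com"))


def rsa_sha256_ok(n, e, message, signature):
    # Textbook RSASSA-PKCS1-v1_5 verification, standard library only.
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if len(signature) != k or k < len(t) + 11:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)


def verify_login(player_id, bundle_id, public_key_url, signature, salt,
                 timestamp_ms, expected_bundle_id, apple_key, now_ms=None):
    # apple_key is (n, e) from the certificate at public_key_url; fetching it
    # and validating its chain are assumed to happen before this call.
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if bundle_id != expected_bundle_id or not key_url_allowed(public_key_url):
        return False  # signature made for another app, or caller-chosen key
    if abs(now_ms - timestamp_ms) > MAX_AGE_MS:
        return False  # stale signature, limits replay of a captured login
    payload = signed_payload(player_id, bundle_id, timestamp_ms, salt)
    return rsa_sha256_ok(apple_key[0], apple_key[1], payload, signature)
```

Because the player ID is part of the signed payload, knowing someone's ID is no longer enough to log in as them: the request also needs a fresh signature that only the Game Center client for that account can obtain.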


1 Answer

brendan answered

Yes, that's specifically why we advised people not to use it in the past. In fact, we didn't even have it visible in the docs for quite some time. The secure sign-in system for Game Center was introduced after we added Game Center sign-in, which is why that version doesn't use it. We do have a backlog item to add a new Game Center login call that uses the secure system - I'll add your name to it, so that we know you'd like to see it implemented (we prioritize in part based upon how many developers are asking for a particular feature). In answer to the question of why it's not in place yet, and to be very candid, it's because very few developers have asked for it.

5 comments

lisa commented ·

I'd like to see this also, @Brendan! Though it'd be nice if Unity would support it, as well (https://feedback.unity3d.com/suggestions/game-center-ios-7-dot-0-verification-signature-support)...

1 Like 1 ·
brendan commented (in reply to lisa) ·

Then I would recommend 'liking' the Idea in our Feature Requests forum: https://community.playfab.com/idea/12921/provide-secure-gamecenter-login.html

0 Likes 0 ·
endragor commented ·

Thank you for the quick reply!

0 Likes 0 ·
zymakenneth commented ·

@Brendan I would certainly like to see this as well! Currently have a game that needs Game Center authentication for multiplayer (using real-time API) so it is quite difficult to implement something user friendly without linking a Game Center account to PlayFab in any way (other than indirectly through a device ID).

0 Likes 0 ·
brendan commented (in reply to zymakenneth) ·

As above - the best way to give us feedback is to 'like' the Idea in our Feature Requests forum.

0 Likes 0 ·