Knowing Who You Are

The next release of StoryTime will introduce the ability for players to identify themselves.  Everyone who uses computers understands the notion of login.  You provide a username and password that “proves” who you are.  This proof is only as good as your skills at choosing a password and keeping it secret.

These days, we have more sophisticated ways to prove our identity.  Smart phones in particular have advanced the state of the art.  My Galaxy S8 phone has a fingerprint scanner on the back.  It can also recognize unlock patterns, where you swipe a finger to trace a design that the phone knows to be yours.  Even better, the phone offers iris scanning and facial recognition.  Humans use facial recognition to identify each other all the time, so it feels natural for a phone to do the same.  Keep in mind, though, that these unlocks only vouch for you to the device in your hand, and that they are not all equally strong: Samsung’s own settings rate the S8’s face recognition as less secure than a PIN, pattern or password, and it has been fooled with photographs.

On the Web, things are still a bit of the Wild West.  Whenever you sign up for a new online service or create an online account, don’t you get that trickle of dread down the back of your neck?  That small ache in your stomach from too many bad login experiences?  Will you be allowed to use your email address as the username?  How many of which kind of character has to be in the password?  Don’t use a password you have ever used before or with any other account.  (Really?)  That username is taken already?  (But I used my email address.  Did I already create an account?  Okay, I surrender.)  Reset your password.  (Which pet’s name did I use, and what did I say my favorite color is?  Ack.)

Even worse, when you create that new account, you are trusting that the service provider is going to handle your username and password securely.  When you are a small player, like Happy Spirit Games, the effort to assemble and maintain an unbreakable series of procedures around identity management is daunting.  Some might not even bother to do a proper job of it.

Off the top of my head (and with 25 years of experience), I know I would need to:

  • Serve every page, the login page included, over https so that traffic between your browser and my servers is encrypted and can’t be tampered with on the way,
  • Hide the password field while you’re typing it,
  • Require a minimum length (and, per current NIST guidance, check new passwords against lists of known-breached ones; forced mixes of capitals, numbers and symbols add less than you’d think),
  • Add a captcha to slow down attacks by robots,
  • Store passwords only as salted, slow hashes (bcrypt, scrypt, Argon2 or PBKDF2), never as plaintext or as “encrypted” values that someone with the key can decrypt, in a database behind a proper firewall,
  • Send verification email with a link back to the server for user confirmation,
  • Lock out or throttle accounts after some number of failed attempts to log in (without letting an attacker lock legitimate players out on purpose),
  • Never leave unhashed passwords on any system or in any log files,
  • And so on…
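As an added example (not code from Happy Spirit Games or StoryTime), here is what the storage, verification and lockout items on that list look like in Python using only the standard library.  The `AccountStore` class, the `pbkdf2_sha256$iterations$salt$hash` record format and the “decoy” hash for unknown usernames are this example’s own choices, not a description of any particular site.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict

# Added example (not Happy Spirit Games' code): how a site should store and check
# passwords. The password itself is never stored, encrypted or otherwise; only a
# salted, slow hash is kept, so a stolen database yields hashes that must be
# cracked one guess at a time. Standard library only (PBKDF2-HMAC-SHA256);
# bcrypt, scrypt or Argon2 are equally good choices where available.

ITERATIONS = 600_000   # PBKDF2 work factor recommended by OWASP for SHA-256 (2023)
SALT_BYTES = 16        # a fresh random salt per password defeats precomputed tables


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["pbkdf2_sha256", str(iterations), b64(salt), b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    # compare_digest does not leak how many bytes matched through timing
    return hmac.compare_digest(candidate, base64.b64decode(hash_b64))


class AccountStore:
    """In-memory stand-in for the user table (hypothetical; a real site uses a database)."""

    def __init__(self, max_failures: int = 5, iterations: int = ITERATIONS):
        self.max_failures = max_failures
        self.iterations = iterations
        self._records: Dict[str, str] = {}
        self._failures: Dict[str, int] = {}
        # Checked against when the username is unknown, so a guess at a nonexistent
        # account costs the same time as a guess at a real one (no username oracle).
        self._decoy = hash_password("decoy", iterations)

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, self.iterations)
        self._failures[username] = 0

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'. Never log the password itself."""
        if self._failures.get(username, 0) >= self.max_failures:
            return "locked"            # even a correct password is refused until reset
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._decoy)   # burn the same time, then fail
            return "bad_credentials"
        if verify_password(password, record):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        return "bad_credentials"


if __name__ == "__main__":
    store = AccountStore(max_failures=3)
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(3):
        store.login("alice", "wrong guess")
    print(store.login("alice", "correct horse battery staple"))   # locked
```

Note that two registrations of the same password produce different records because each gets its own salt, and that the stored record carries its own iteration count, so the work factor can be raised later without breaking existing accounts.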

I haven’t even got to changing passwords or recovering accounts.  Moreover, hackers are finding new ways into systems and faster ways of exploiting existing holes, so the odds of a small player keeping up are slim to none.  In any case, forcing my players to create yet another username-password combination is a disservice and might even get in the way of signing up.

I can see that you are convinced, and your eyes are starting to glaze over.  So, let’s get to the good news.

Fortunately, the world has some very large companies with deep pockets and an interest in knowing who you are, while keeping your information secure (if not exactly private).  You know some popular ones: Facebook, Google, Twitter, Instagram, LinkedIn, to name a few in the social media realm.  Also, the tech world has come up with standards for authentication (proving who someone is) and authorization (knowing what someone is allowed to do): OAuth 2.0 handles the authorization part, and OpenID Connect builds on it to handle authentication.  The standards allow smaller players to hand the hard work around passwords to these larger “identity providers”, while reducing the burden on everyone who wants to use online services.

To put it simply, you use an account you already have with a service you already trust.

All you will need to do to create an account in StoryTime is log in to Google or Facebook, or any other identity provider that I make available.  If your browser is already logged in, you’ll just need to give StoryTime permission to access some basic information, such as your email address and public profile.  Your public profile is, by definition, already public, and the provider’s consent screen shows exactly what else is being shared before you agree.  StoryTime never sees your Google or Facebook password; the provider vouches for you and hands StoryTime only the details you approved.

In case you are curious how this works, here’s a nice write-up about OpenID Connect, the identity standard (the current form of OpenID, layered on OAuth 2.0) about which I am writing.
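Added example, not StoryTime’s code or the write-up’s: the three steps a site (the “relying party” in OpenID Connect terms) performs when a player signs in through a provider, in Python.  The provider URLs, client identifier, redirect address and the sample ID token claims are all constructed placeholders; checking the ID token’s signature against the provider’s published keys is assumed to have been done by a JWT library before the claim checks shown here.

```python
import secrets
import time
import urllib.parse
from typing import Any, Dict, List, Optional, Tuple

# Added example (not StoryTime's code): the relying-party side of an OpenID Connect
# login. All endpoints and identifiers below are hypothetical placeholders. Step 3
# assumes the ID token's signature has already been verified by a JWT library
# against the provider's published keys; it covers the claim checks that the
# relying party must still perform itself.

ISSUER = "https://accounts.example.com"                    # hypothetical provider
AUTH_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "storytime-client-id"                          # hypothetical
REDIRECT_URI = "https://storytime.example/auth/callback"   # hypothetical


def build_authorization_request(auth_endpoint: str = AUTH_ENDPOINT,
                                client_id: str = CLIENT_ID,
                                redirect_uri: str = REDIRECT_URI) -> Tuple[str, str, str]:
    """Step 1: send the browser to the provider. Returns (url, state, nonce).

    Both random values are kept in the server-side session: 'state' is checked
    when the browser comes back (CSRF defence) and 'nonce' must reappear inside
    the ID token (replay defence)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",        # authorization-code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
    }
    return auth_endpoint + "?" + urllib.parse.urlencode(params), state, nonce


def extract_authorization_code(callback_url: str, expected_state: str) -> Optional[str]:
    """Step 2: the provider redirects back. Return the code only if 'state' matches."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [None])[0]
    if "error" in query or code is None:
        return None                     # user declined, or provider reported an error
    if not secrets.compare_digest(state.encode("utf-8"), expected_state.encode("utf-8")):
        return None                     # forged or replayed callback: do not log in
    return code


def validate_id_token_claims(claims: Dict[str, Any], *, issuer: str = ISSUER,
                             client_id: str = CLIENT_ID, nonce: str,
                             now: Optional[int] = None) -> List[str]:
    """Step 3: after exchanging the code for tokens, check the ID token's claims.

    Returns a list of problems; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append("iss: token was not issued by the expected provider")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be string or list
    if client_id not in audiences:
        problems.append("aud: token was issued for a different application")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp: token has expired")
    if claims.get("iat", 0) > now + 300:
        problems.append("iat: token issued in the future (clock skew beyond 5 minutes)")
    if claims.get("nonce") != nonce:
        problems.append("nonce: does not match the one sent in step 1 (replay?)")
    if not claims.get("sub"):
        problems.append("sub: missing stable subject identifier")
    if "email" in claims and claims.get("email_verified") is not True:
        problems.append("email_verified: provider has not verified this address")
    return problems
```

Once the claims check out, the player should be identified by the pair (iss, sub), which the provider guarantees is stable, rather than by email address, which can change hands; the email is useful for contact, not as the account key.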

You might also be wondering why StoryTime needs to know who you are.  That will be the subject of another post, coming soon.
