I have been planning to make a user-friendly admin interface in my upcoming game (a.k.a. AdmIn) where you get access to features like banning, muting, restricting, game control, etc. It is intended to be used only by in-game administrators; however, they would have to log in to it using a special account.
How does it work?
AdmIn will have a “registration” feature intended to be used by the game owner, and it would be able to register AdmIn accounts for people who have been accepted as staff. You would type a username and password for the user to use, which you would tell to the person, and choose a rank - moderator, admin, superadmin, etc.
Why not just link admin status to Roblox accounts?
There’s a variety of reasons. First, I want the system to be fully flexible, independent of Roblox’s systems. Second, it would add security to the system. In case someone exploited the game and all it took to access the system was to just click a button hidden from non-staff, they would wreak havoc. Third, I want admins to get a feeling of how awesome Roblox can get and give them the feeling of an admin interface used on websites.
So what’s the issue?
I am not sure if in-game accounts are allowed as per the ToS.
It’s discouraged that you implement such a method of authentication because:
- What if they provide their Roblox password? Are you ensuring that their data is safe? Are you encrypting their passwords?
- How will they reset their passwords? Will it abide by the ToS?
- What if your account gets breached and the hacker looks into the passwords on the data store?
The game owner registers the accounts for the admins. They won’t know that admin’s Roblox password. To reset passwords, they would need to contact the game owner.
Oh I see, I didn’t fully understand this part.
Well, I don’t see why this wouldn’t be allowed then.
What about if they wanted to change their passwords? Would they be allowed to do so without contacting the game owner?
I might implement a “reset PW system”, however I am not sure how that would work.
Security isn’t really an issue, given that you set it up correctly. If anything, you should be worried about the security of your own system.
Well, that might be one issue then. In the event one of your admins accidentally shares their password, their in-game account may get compromised and they can’t do anything about it.
But generally, I see nothing wrong with this aside from the technical stuff.
Having to contact an admin for resetting passwords is horrible UX as this can lead to long waiting times.
Relevant thread: Can i "Create" Accounts?
Don’t. You also have to worry about other users getting tricked into giving another user their password or brute-forcing their way into an account.
Checking if the account the user is trying to log into is the same as the user trying to log in completely defeats the point of an in-game account system, so you can’t do that either.
TL;DR don’t reinvent the wheel. Roblox already has an account system in place; no need to make your own.
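
The two technical concerns raised in this thread, passwords being readable if the data store is breached and accounts being brute-forced, can be made concrete. The following is an added example, not code from any poster or from Roblox; it is a language-neutral sketch in Python, and the `store` dict, the function names, the work factor and the lockout limits are all assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

PBKDF2_ROUNDS = 200_000   # assumed work factor; makes each guess expensive
MAX_FAILURES = 5          # assumed limit before the account is locked
LOCKOUT_SECONDS = 300     # assumed lockout duration

store = {}  # hypothetical stand-in for the game's data store: username -> record

def _derive(password, salt):
    # Salted, slow one-way hash: the record cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password, rank):
    salt = os.urandom(16)  # per-account salt, so equal passwords give different hashes
    store[username] = {"salt": salt, "hash": _derive(password, salt),
                       "rank": rank, "failures": 0, "locked_until": 0.0}

def login(username, password, now=None):
    """Return the account's rank on success, None on any failure."""
    now = time.time() if now is None else now
    rec = store.get(username)
    if rec is None:
        _derive(password, b"\x00" * 16)  # spend the same time for unknown names
        return None
    if now < rec["locked_until"]:
        return None                      # locked: even the right password is refused
    if hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        rec["failures"] = 0
        return rec["rank"]
    rec["failures"] += 1
    if rec["failures"] >= MAX_FAILURES:  # throttle repeated guessing
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failures"] = 0
    return None

if __name__ == "__main__":
    register("mod_alice", "constructed-sample-password", "moderator")  # constructed sample
    print(login("mod_alice", "constructed-sample-password"))
    print(store["mod_alice"]["hash"].hex())  # what a data-store reader would see
```

A lockout like this trades brute-force resistance for the risk that anyone who knows a username can lock its owner out, which is the same recovery problem the thread raises about password resets.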