Pin Recovery System?

I recently implemented a security system for my upcoming game Cosmic Oceans.

With all the recent account hijackings going on, I thought I could prevent those impersonators from playing my game on someone else’s account and messing with their player data.

What I did was add a simple 4-digit security pin that you create the first time you play the game, and to play you have to enter that same pin from then on. It all works perfectly fine, but I ran into a major question: What if the user forgets their pin?

I have only been able to think of two solutions to this: 1. Have them message me personally, but that would require me to be online and ready to respond, which wouldn’t be a great user experience.
And 2. Hook the game up to a web service that can automatically help them reset their pin.

The issue I have with #2 is that I have no idea how I would create that web service, let alone make it read data from the datastore with HttpService.

Do any of you know of a better solution?

You can make it sort of like "enter your IRL name" to recover the pin. But this whole idea is kind of dumb, 'cause even large big games don't have that.

Well, it is also dumb in the fact that no user, especially the ones under the age of <13, is supposed to have their real name on Roblox. I think the main audience that would forget the pin would be young people, and young people are definitely willing to give their name without a second thought. If there was ever a data breach, a lot of kids' names could be exposed.


The pin idea sounds good, but it is already an emergency system that only works if a compromised account gets access to the game (which if they are greeted to a pin system on a hacked account, I am sure they would just play a different game).

Unlike using a real name (of a person) as a security question, you should do “What is my favourite colour?” or “What is the name of my first pet?” This way you eliminate giving away kids' names, have a pretty decent pin system and only need the same read/write from db script to accomplish this. I am assuming that you already have this and I am sort of confused on the wording for the second option.


Happy devforum account birthday anniversary thing :cake:

Horrible idea. You’re basically letting the hijacker reset their pin if needed. Make a UI or whatever informing them to write down their pin somewhere so that they can remember it every time. If they don’t, that’s on them for not reading the instructions.

Try asking something that is account “personal”, for example, the day that they joined. It’s simple (to answer), but it’s a way to make this.

Yes thank you! I don’t know why this didn’t cross my mind, but that sounds like the best approach to my problem.


You are not allowed to do this as it is PII.