Spot The Ball Security Part 2: Best Practices And Standards
In part 1 of this series on competition site security we established the essential role of session and account management in preserving the integrity of the game and the trust of the customers. Organising a skilled game competition site is risky and complicated enough by itself without constantly worrying about the security of the whole endeavour. That’s why it is better to work with professional skilled games developers like Tentacle Solutions, who have established protocols and methods for securing your game.
What are those methods and best practices?
One of the best methods to ensure the safety of your competition site and its databases is to use an authentication management system based on authentication tokens. Tokens are a web authentication technique that lets users enter their username and password once and receive a uniquely generated encrypted token in exchange. Put simply, the digital token proves that your competition site user has already been let in.
That’s a huge step ahead when compared to passwords and other means of login and session management. Two types of tokens dominate the session management niche: JWTs and opaque tokens.
A JSON Web Token (JWT) contains specific information that can be interpreted by any party holding the token; for example, the user ID of the user for whom it was issued. An advantage of JWTs is scalability, as the backend does not need to do a database lookup for every API call. The drawback is that revoking a single token on demand (before it expires) is difficult unless a method such as blacklisting is used, which in turn impacts the scalability of the solution. One can, however, revoke all tokens at once by changing the signing key.
Opaque tokens are random strings that act as pointers to information held only by the system that issued them. They require a database or cache lookup each time they are used, but a single token can easily be revoked on demand.
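As an added illustration of the trade-off just described (not code from the original post or from Tentacle Solutions), the following Python sketch implements both token styles side by side: an HS256 JWT that is checked by signature alone, with revocation either by rotating the key or by a per-token denylist, and an opaque token backed by a server-side table. The key, time values and user IDs are made-up inputs; an in-memory dict stands in for the database or cache.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwtIssuer:
    """HS256 JWT: claims ride inside the token, so a check is only a signature check, no lookup."""
    def __init__(self, key: bytes):
        self.key = key         # changing this key invalidates every outstanding token at once
        self.denylist = set()  # per-token revocation before expiry needs server state again
    def issue(self, user_id: str, now: int, ttl: int = 900) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        # signed, not encrypted: anyone holding the token can read these claims
        claims = {"sub": user_id, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"
    def verify(self, token: str, now: int):
        """Claims dict if the token is valid at time `now`, else None."""
        try:
            header, body, sig = token.split(".")
            if json.loads(_unb64url(header)).get("alg") != "HS256":
                return None  # never let the token pick the algorithm ("alg": "none" etc.)
            expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig)):
                return None  # tampered, or signed under a key that has since been rotated
            claims = json.loads(_unb64url(body))
            if claims["exp"] <= now or claims["jti"] in self.denylist:
                return None
            return claims
        except (ValueError, KeyError, TypeError, AttributeError):
            return None

class OpaqueTokenStore:
    """Random string -> server-side record: a lookup per use, but any single token revokes instantly."""
    def __init__(self):
        self.sessions = {}  # stands in for the DB/cache table, keyed by token hash
    def issue(self, user_id: str, now: int, ttl: int = 900) -> str:
        token = secrets.token_urlsafe(32)
        # store only a hash so a leaked table does not hand out usable tokens
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = {"sub": user_id, "exp": now + ttl}
        return token
    def verify(self, token: str, now: int):
        rec = self.sessions.get(hashlib.sha256(token.encode()).hexdigest())
        return rec if rec and rec["exp"] > now else None
    def revoke(self, token: str) -> None:
        self.sessions.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

Note that the JWT side needs no storage until you want to revoke one token early, at which point the denylist reintroduces exactly the lookup the opaque store pays on every request.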
Google came up with its own best practices in session management:
1. Hash passwords
2. Allow third-party identity providers where possible
3. Separate user identity from the user account
4. Allow multiple identities to link to a single user account
5. Allow long passwords
6. Allow users to change their username
7. Let users delete their accounts
8. Make a conscious decision about session length
9. Offer two-step verification
10. Don't impose unreasonable rules on usernames
All of the above should be kept in mind when looking for a skilled games development company, and all the way through development. All security issues and potential risks should be evaluated and openly discussed between your company and the development house. At least that’s how Tentacle Solutions handles competition site and skilled games development, and that is why you should drop them a line if you are considering a skilled game competition site.