One of the points made in “Social Game Design: Monetization Methods and Mechanics,” an excellent book by Tim Fields and Brandon Cotton that I’ll be reviewing shortly, is how Zynga have refined launching a game down to a very small number of clicks. It’s almost frictionless and the same should be true for multi-player games, to get people playing instead of dithering about signing up.
The current technologies, particularly HTML5, are now able to support it, and here’s how I see it working. Email signups currently let players get a copy of login details and include a mechanism whereby a player can be differentiated (email address plus password). Without email you let each player choose a unique username and store the security credentials locally on their PC. HTML5 storage offers a very good mechanism. When the game runs, it checks for saved data and retrieves it.
There are currently three demos with source code on HTML5 demos if you want to see how storage is done. If the player is on a shared PC then they may need further security – say a password to stop others logging in as them.
Also you can give every player their own unique URL. Something like http://example.com/player/^r4e7i~&5Tg3!2&0-8&6×6 (Yes, I know it’s probably not valid!). The player code should be randomly generated, not something easily guessed, and should offer a very large range of possible values to cut down the chance of guessing. A purely numeric identifier should not be used as it would entice attempts at iterating through a range of numbers.
For extra bonus points, if a wrong link is entered, build in a 30 or 60 second delay before returning the error message. Better still, after three failed attempts kill the session or block the IP address for a few hours.
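A server-side sketch of the two ideas above, a randomly generated player code and a block after three wrong links, written for Node.js as an added example that is not code from this post or from any game. The names `PlayerLinks`, `newPlayerCode` and `hashCode`, the 32-byte code length and the three-hour block are assumptions chosen for illustration.

```javascript
const { randomBytes, createHash } = require('node:crypto');

const MAX_FAILURES = 3;               // "three failed attempts", as in the post
const BLOCK_MS = 3 * 60 * 60 * 1000;  // assumed value for "a few hours"

// 32 bytes from the OS CSPRNG -> 43 URL-safe characters (2^256 possible codes).
function newPlayerCode() {
  return randomBytes(32).toString('base64url');
}

// Keep only a hash server-side so a leaked table does not expose working links.
function hashCode(code) {
  return createHash('sha256').update(code).digest('hex');
}

class PlayerLinks {
  constructor() {
    this.players = new Map();   // sha256(code) -> username
    this.failures = new Map();  // ip -> { count, blockedUntil }
  }

  register(username) {
    const code = newPlayerCode();
    this.players.set(hashCode(code), username);
    return `/player/${code}`;   // shown to the player once, to bookmark
  }

  // `now` is injectable so the lockout can be exercised without waiting.
  lookup(ip, code, now = Date.now()) {
    const f = this.failures.get(ip) || { count: 0, blockedUntil: 0 };
    if (now < f.blockedUntil) return { status: 'blocked' };
    const username = this.players.get(hashCode(code));
    if (username !== undefined) {
      this.failures.delete(ip);   // a good link clears the failure count
      return { status: 'ok', username };
    }
    f.count += 1;
    if (f.count >= MAX_FAILURES) {
      f.count = 0;
      f.blockedUntil = now + BLOCK_MS;
    }
    this.failures.set(ip, f);
    return { status: 'unknown' };
  }
}
```

While an address is blocked, even a correct link from it is refused, so the block gives no hint about which codes exist.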
The URL by itself is not a complete security answer. It’s a good way to get a player quickly started. They can bookmark it and log in later, but it must be backed up either by credentials held in local storage or, if that’s not possible (older browser?), a simple PIN that may be 8 or 12 digits long that the player must write down when they join the game for the first time.
Think of it from the server’s point of view. It doesn’t know who you are or how to connect to you, so you need to tell it who you are via the unique URL or security credentials from your PC and prove to it that you are actually you and not somebody impersonating you.
Of course having the player’s email address is handy and provides an extra validation route if you lose your unique URL, storage credentials and PIN. But rather than making it mandatory, why not get the player to volunteer it with something like “Give us your email address to earn 1000 gold?”
I’ve not seen this no-email method used in any MMOs, but I can’t be the first to think it up. If you know of any MMO games using a no-email sign-up, let me know!