Safe, secure, and convenient verification with passwordless authentication

July 27, 2021
Expand your mobile game business to PC and web to reach new players.

Password leaks are becoming increasingly common, especially in the games industry. Capcom recently confirmed that a total of over 390,000 customers, business partners, and other external parties were affected by a personal data leak at the beginning of 2021. 

Reports have surfaced suggesting a breach affecting more than 106 million Epic Games users could leak account names, emails, and possibly even passwords to malicious third parties. With plenty of other examples involving gamers in the past, it’s clear that the games industry is a major target for data breaches.

While having your Capcom or Epic Games account compromised isn’t the end of the world, it brings to light another issue with passwords. A 2019 study by Google found that almost two-thirds of users use the same password across multiple accounts, with only 35% of people employing a unique password for each different online log-in. 

Statistically, in a password leak the size of Capcom’s data breach, this means over 250,000 people could be open to the risk of having other accounts compromised. Regardless of how secure one’s password is, it only takes one data breach for a hacker to break through if users reuse them.

With such obvious downsides to reusing passwords, why do people still choose to do so? Dashlane, back in 2017, found that the average American internet user has over 150 online accounts that require a password, with projections of that number climbing up to 300 by 2022.

Password managers are an option, but they still require a unique password at the time of registration and are difficult to integrate with game launchers. Additionally, only 24% of users opt to use a password manager, far less than the 65% that choose to reuse their password across platforms.


Breaches are affecting more users, year after year. Source: TechRepublic

With passwords proving to be a weak point in online security, game developers are undoubtedly seeking a comprehensive, secure, and convenient solution for their users. With many popular solutions like password managers out of the question due to the nature of desktop-based launchers and other gaming-specific environments or platforms, this is where passwordless authentication comes in.

What Is Passwordless Authentication And How It Works

Passwordless authentication is a blanket term for multi-factor authentication that securely stands in for traditional passwords. Some examples include authorization email links, codes sent through SMS, and app authenticators that generate unique authentication codes every ten or so seconds to verify their identity - the Steam Guard Mobile Authenticator system is a good example of this.

Regardless of what it looks like, the premise of passwordless authentication replaces the need to input a password at registration or login. Passwordless authentication instead sends some alternative form of authentication to a secure location, be it one’s phone or email inbox, acting as a safer, secure, and equally convenient authentication method.

This process, while simplified, is what happens behind the scenes for registered users. The user initiates the authentication, is sent a code, and is authenticated once the correct code is submitted back.

Emailed links or codes are perhaps the most common form of passwordless authentication. Sometimes, passwordless authentication takes the form of a link emailed to the user, which is used as a portal into the gaming platform once authenticated. Users could also be sent a code, usually four to ten digits, which they’ll be required to input into a form before being let in.

SMS codes are another common way to authenticate a user without a password, by sending a code to an authorized device, much like a code sent via email. The user is authenticated by showing they have the registered device. Even if a hacker got ahold of a gamer’s username and password, they would also need the gamer’s physical phone to complete the login.

Authenticator apps that generate time-based, one-time passwords take the secureness of the SMS method a step further. They don’t rely on the SMS system and have a much faster expiration time, preventing any sort of brute-forcing or guessing on an attacker’s part.

So how do these different methods compare with each other?

You’ll need to balance the pros and cons of the specific types of passwordless authentication methods before deciding on one. Email links/codes are the most accessible but are less secure if the hacker has access to the email account in question. SMS codes are a bit safer but require your player base to have a phone capable of SMS communication and aren’t without their share of security flaws either. 

Authenticator apps are even more secure but require your player base to own a smartphone and a proprietary app to be installed, which requires more work on the developer’s end.

Why Passwordless Authentication Works for Game Developers

Gamers can have a more challenging time when it comes to online accounts. Between different launchers, platforms, and portals, gamers likely have more online accounts than the average user, surpassing the average 150-200 accounts made up of online shopping, social media, entertainment, and work-related sites.

When you factor in the most popular gaming portals, game launchers, streaming services, gaming forums, and more, it’s easy to see the online portfolio of a regular gamer is more extensive than average. Therefore, gamers and game developers are looking for more convenient and secure ways to log in, and passwordless authentication is just that.


Why You Should Use Passwordless Authentication

First of all, passwordless authentication more secure. Google, and other tech conglomerates, are pushing this kind of two-factor authentication. It’s undeniably safe, and it's in the best interest of customers to have it enabled by default.


Plus, traditional passwords are becoming more obsolete as time goes on. Password databases are constantly under attack, so even the most secure and unique password isn’t safe from a leak or data breach. Even if the database security is airtight, passwords are sometimes predictable (24% of Americans use passwords like “Password” or “123456”), and as mentioned, reused passwords can also affect security.

Passwordless Authentication is Good for Conversion

One of the biggest costs developers run into is marketing and user acquisition. Arguably the most crucial aspect of game development, growing your player base is essential for your revenue stream. The last thing you want to happen is to catch a gamer’s attention with an advertisement, have them click through a landing page, only to turn away during the signup process. 

Ads, landing pages, and sign-up forms cost time and money to develop, but a bad customer journey is all it will take for a customer to drop your game entirely. This drives up the average cost of your user acquisition, so improving and streamlining the user journey is a must.

Using long forms can negatively affect conversion rates/ Even if you’re not ready for passwordless authentication, don’t overuse entry fields.

Most gamers will want to get right into the game, so any potential roadblocks during registration can lower your conversion rates significantly. Common customer journey issues, like entering login information multiple times or switching from a game environment to a browser, can decrease your conversion rate by 3.4%, costing you 34% more per lead in some cases. 

Plus, registration/authentication can happen up to or more than three times before the player starts up the game: once during sign-up, once more in the launcher after its installation, and one last time in the game itself. Every time a user needs to authenticate themselves is a potential opportunity to lose them.

Optimizing the user journey can help increase conversion rates and therefore reduce marketing expenses.

In simplest terms, the users that make it to your sign-up form are already interested in your game, so it’s best to make this step as easy and convenient as possible to avoid losing new players. If they feel like signing up is too much of a burden, they’ll likely back out of the process entirely and remember your sign-up process negatively. You have one chance to capture new users like this, and with passwordless authentication, the signup process is reduced to one or two clicks, removing this issue entirely.

Passwordless Authentication is Growing in Popularity

More and more developers, for the reasons above, are implementing passwordless authentication. This means your gaming population, being extremely online, will likely already be familiar with the process and expect the same process from other gaming services going forward. 

With Epic Games, Ubisoft, and other gaming giants pushing for more two-factor authentication, traditional passwords are slowly but surely falling out of favor with both users and companies. Security Magazine cites that 92% of businesses believe going passwordless is the future, so it’s wise to get ahead of the curve and switch over as soon as possible.

As the passwordless trend continues to develop, not offering it as an authentication option may discourage gamers from finishing the registration process. Plus, according to a study by Forrester Research, big companies save up to one million dollars on password management by removing the need for password-related support altogether.

Potential Challenges

While the reasoning behind passwordless authentication sounds fine, implementation is an entirely different beast. First, developers need to choose between dozens of potential solutions or services, many of which aren’t game industry specific. Building a solution from scratch is another option, albeit a time-consuming and expensive one. 

If developers decide on one that seems technically sufficient, they’ll need to fork over some cash upfront before even starting to integrate the solution. Then comes the technical integration, requiring hours of configuration and spin-up time. Without a proper and convenient product, this process can cost the developer a ton of time, money, and sanity. 

Luckily, there’s Xsolla Login.

Meet Xsolla Login

Xsolla Login is a complete, games-oriented solution that brings passwordless authentication to the gaming ecosystem. Xsolla Login allows users to sign in with SMS and email codes, bringing the safety and convenience of passwordless authentication to your player base. 

Plus, as a developer, you can collect user emails at the time of registration and later use them for marketing purposes. By employing AuthRank, PlayFab Proxy, and over 30 other third-party authentication platforms and providers like Discord, Twitch, and Xbox, Xsolla Login is as secure as it gets.

Passwordless authentication form


Xsolla Login is easy to integrate with your existing ecosystem. With well-documented technical specifications and developer support, developers spend less time integrating Xsolla Login and more time optimizing their user journey for faster sign-ups and more conversions. 

Providing in-depth marketing analytics, with a fully customizable design, and supporting multilingual interfaces (up to 20+ languages) to reach more customers, developers have a lot of freedom and control over their integration of Xsolla Login. Xsolla Login only needs to be set up and integrated into your products once, unlike APIs with multiple contact points to upkeep.

Developers can customize many aspects of Xsolla Login, from the portal itself to the final authentication email sent to the user.


Plus, there’s no upfront cost, meaning you can get started with Xsolla Login almost instantly. Xsolla Login comes at no additional charge if you already use other Xsolla products. If not, Xsolla takes a 5% fee from every transaction that goes through the Xsolla Login portal. 

Regardless of your budget or starting capital, you can deploy the Xsolla Login without any upfront costs that would otherwise keep you from deploying right away. Other solutions either require a large initial purchase, a costly monthly subscription, or both.

Xsolla Login can also be used as a Bring-Your-Own-Identity system, where users sign up for your service using one of over 30 different third-party platforms like Steam, Twitch, and Google. Xsolla Login’s proper use of Open Authentication and Single Sign-on (SSO) will ensure an extremely simple sign-up and sign-in process on the gamer’s end.

Passwordless Authentication in Summary

For gamers and others with many accounts, passwordless authentication is the most secure, convenient, and accessible solution. It eliminates the time spent generating/remembering passwords and makes guessing them a concern of the past. Gamers and developers no longer have to worry about leaks affecting their new accounts or worry about safe password storage and management. 

Shorter registration forms contribute to higher conversion rates, and having a customer’s email for marketing purposes proves invaluable. As Steam and other companies start requiring two-factor authentication and phasing out traditional passwords, more and more users will become familiar with the trend and adapt. 

Xsolla Login gives you, the developer, complete control over the platforms and languages you support, marketing analytics and statistics, and the appearance of the entire user journey. Using a revenue share model of up to 5% and having no initial cost or monthly subscription model, you can get started with Xsolla Login today and set it up in no time with comprehensive documentation and support staff if needed. 

Check out our page to learn more about how you can start using Xsolla Login to power your studio’s passwordless authentication system, and talk with an Xsolla account manager at business@xsolla.com to get started today.

Your Own Cross-platform Publishing Ecosystem
How To Get Published On The Epic Games Store
System
Status