Usernames are already publicly visible in profile and activity pages. It should still be an option to explicitly opt-in. Why is it so terrible?
it would probably be a display name and/or a unique identifier
You do not need access to the profile name for that. I might be wrong about this, but there is a stored cookie and such. Webgames can recognise recurring users. There just is no link to an Itch profile. Also, you do not need to log in to Itch to play web games.
My main point is, you do not interact with other players while playing a game. Not with your account name at least. Itch is a download store, not a social network.
Support for some kind of web games platform login and save games might be a nice idea for the future. But it should be amateur developer proof.
5 days ago (+1)
The issue is cookies get wiped all the time, and don’t transfer between browsers. There could be, as I’ve said many times, a unique identifier (probably formed with a one way hash + salt between games and stuff) that has no real direct link with an account, but allows people to sync data with the account via a developers’ server.
Then the user would provide a username (in a text box in game or something, and thus the account is linked with a UID & a user provide account name, without any sensitive itch.io data sent.)
I think it would be so cool to have a game where you have user made maps, game saves, friends lists and all that sort of stuff without needing to worry about logins and that complicated sort of stuff.
It’s also probably worse (security wise) to have all these “amateur developers” you speak about, who want to do stuff like this handling user passwords and that sort of data.
I think it would be so cool to have a game where you have user made maps, game saves, friends lists and all that sort of stuff without needing to worry about logins and that complicated sort of stuff.
Yes. But for this, Itch needs a major overhaul. Maybe starting with friends lists and direct messages and such. Oh, and direct messages won't be coming any time soon, because they are a moderation nightmare. They would need some concepts that are low maintenance. User interactions of any sort are not low maintenance as a rule. If it were easy, such features would be seen on Itch since long ago. This thread is 5 years old. And was recently bumped. I just wanted to add my todays perspective: it is a bad idea.
And leafo already said, if such a feature would be done, it would be opt in. And it would have to be per developer. Quite a lot of permission data. But asking users to share their information with (amateur and unknown) devs is a bit wobbly. Who would guarantee that no illicit things are tried with the data? And Itch is constantly under attack. There are hacked accounts every day. Most are from discord hacks or downloaded fake games. But if there are ways of attack that can utilize browser games, scammers will use this in some way. If they are successfull often is another story, but they will use and try to abuse the system. Browser games are "safe" because they run in a sandbox in the browser. Any kind of unneccesary exposure is a risk. Also, some people would be very concerned about privacy. Just because you probably won't be hacked, does not mean you would want to see your name somehwere. Opt in is nice on paper, but it does not work as a concept. There are just too many things the average user does not grasp, what such an opt in would entail.
The reason there are no examples is that the feature isn’t fully implemented. Most traffic doesn’t use the itch.io app for web games, so it would prevent most users from using the feature.
If the needed api would require the usage of the Itch app, all this is moot wishfull thinking anway. And the api that already is there is not used? I mean, not web games specifically, but no games at all? (That you know of). Too exotic a use case for the mostly drm free games maybe. I have seen drm games, but very, very few. I could not name it, actually, I just dimly remember seeing games that had some kind of launcher or login data or whatever.
5 days ago(+3)
Yes. But for this, Itch needs a major overhaul.
Wrong, the whole point is that user made maps, game saves, friends lists and all that sort of stuff would be implemented game by game. If we passed a UID to web games, you could store all this data (saves, maps, etc) in a database and have it associated with a user w/o each game having a login, sorta like OAuth, but you don’t even need to pass any user data to developers.
User interactions would only happen in game. Very little if any work from itch, other than generating & sending in a UID.
You don’t need to send much of any user data to implement all of this.
the api that already is there is not used?
People develop stuff for other people, there’s no point in putting a lot of time into a cloud save system & friends lists & full multiplayer synced with itch.io if 99% of people on the platform can’t/don’t use it.
Uhm.
Implemented game by game? You serious?
Stored in a database by the developer? On which server?
You seem to talk about stuff that would be in a web game that has no need to be hosted on Itch to begin with. Itch web games are from small indie and amateur developers. They usually do not have the ressources nor the expertise to implement all these things on top of their game. And if they do, they do not need the profile info to do login stuff. Better yet, if they do it on their own, they are not limited to host on Itch.
I did not mean that the other things are requirements with that overhaul. I meant that the feature on its own is not a good idea. It does not fit with the rest of Itch's features and how privacy is handled and how players interact with each other while playing a game.
5 days ago (+2)
Agreed with JackPrograms. We are not talking about steam workshop here. Just an id that I can handle in the backend myself. Ideally there would be a display name as well so that every developer doesn’t need to implement their own spam and swearword detection in each game. And logged out users can be identified as well and we can decide if we want to randomize or just display something like “anonymous logged out user” as display name when the id is null.
5 days ago(+1)
Usernames are already publicly visible in profile and activity pages
Where is this?
As a developer you cannot say who plays or downloads your game. Only when payment is involved you get some information. You do not even see on which collections it is, unless those are public collections.
As a fellow player I cannot tell who else plays a game.
I do can see comments made. But that is "opt in". And I might see what is happening in the feeds, but those are not attached to games, but to feeds, and I only see the public ones.
Making profile information accessible to amateur developers is kinda dangerous. Even with "opt in". How often do people "opt in" to a website these days? It is meaningless. No one knows the consequences of such opt ins. It would also make those profiles accessible to scammers and you can bet that they will try to exploit this somehow. Itch is a huge target for bad people.
If someone wants to make a high score or whatever, they can request an "opt in" that would not involve publicly displaying the username. Itch is not this type of social network: you do not use your username to interact with other users. You can't. There is no private or direct messages. There just is not the infrastructure under the hood to play games as a "logged in user", such as it is on Steam. On Steam they have multiplayer support, voice chat and whatnot. You can see reviews, comment on them. Make friend lists, see who is online and all those features. Itch has none of that. Suddenly using the profile name for something like a high score, is out of character for lack of a better term.
5 days ago (+1)
I think the point is that the game developers make the infrastructure around it (ie friend lists and lobbys), not itch.
But also, playing “logged in” already somewhat exists on the itch.io app. Where you can authenticate user accounts and that sort of stuff with the api, directly getting account info. Just from loading up an app. I just think This would be super useful in web projects ran on the website, bc that’s where majority of traffic comes from.
It could be like a oauth screen before loading up a game, where the user better understand what’s happening when they login, but also it’s a public website, I don’t understand the point of hiding usernames bc of privacy or anything of that sort.
Third point, about user anonymity, itch.io is a website that contains largely unmoderated (to my knowledge, I don’t really go around making virus and stuff) javascript code execution, you can already get a lot more info such as IP addresses, approximate location and that sort of stuff from users that play your games, hell google analytics tells you a lot of information about your players. I don’t understand the logic that an opt-in user identification system would be so detrimental to site security.
I think the point is that the game developers make the infrastructure around it (ie friend lists and lobbys), not itch.
If they really do this, why do they need the Itch profile for that? They can deal out a login on their own. Itch has no support for a lobby to begin with. Or for friends list. But then again, if your game is big enough for things like that, you probably are hosting it on your own website, where you can easily put some more advertisements for all the freeloaders.
Where you can authenticate user accounts and that sort of stuff
In theory. I have never seen a game that needed that. Are there any popular examples you can name? I did read the faq and know there is an api for that, but actually never saw this done.
but also it’s a public website, I don’t understand the point of hiding usernames bc of privacy or anything of that sort
Itch is a public website in the sense that anyone can access it, if they can access US websites. It is not a public website in the sense that users see other users. Apart from public activity like commenting or having a public collection you do not see any activity at all from other users. None. You also do not see "who is online", like you do see on some message boards.
Once users grasps that concept, suddenly seeing their account names on a leaderboard, just because they clicked away that cookie warning or whatever that nagging screen was, is surprising. This is bad site and information flow desgin, if it were implemented.
They could improve support for web games to do fancy things. But if they do, please with robust api and with strict rules like vetting the developers.
I don’t understand the logic that an opt-in user identification system would be so detrimental to site security.
Life Scammers will find a way. I have literally seen hundreds of hacked accounts on Itch. Itch accounts are a target, as are Discord accounts. Coincidentally, many people name both the same...
An opt in is useless, if people do not understand what that means. Or would you understand that such an opt in means that anyone seeing that leaderboard could just try out passwords with your account name and try to hack your account? You do not even need to be a fake developer and harvest names. Anyone could see them.
Personally, for me it boils down to this: I do not trust amateur developers with this kind of information. There would need to be an ultra robust and fool proof api for that, with no way of exploits and a system to ensure that the dev would not be a scammer. Amateur devs playing around with account names. No, thank you. I would rather not have that.
5 days ago (+1)
Are there any popular examples you can name?
The reason there are no examples is that the feature isn’t fully implemented. Most traffic doesn’t use the itch.io app for web games, so it would prevent most users from using the feature.
clicked away that cookie warning or whatever that nagging screen was
All the “nagging screen” would need to say is “developers will be able to see and share your username” that’s really it for people to fully understand.
Here’s an idea. (in this case, a non-naggy checkbox that would need to be checked for any data to be sent.)
Probably needs some changes like an always yes/no that can be changed in account settings, and other stuff to fit itch’s design language. But it can be made it a way for the user to understand whats going on.
anyone seeing that leaderboard could just try out passwords with your account name and try to hack your account
First, I’m fairly sure itch.io has rate limiting, you can’t just spam password attempts without raising some red flags (getting your IP banned for some time, or account locked or something), but let’s say they don’t for the sake of example.
If people can just get into accounts with usernames and spamming passwords, why do people comment/post/review/do anything with their username attached?
Like, if I can hack people with just a username & some time, wouldn’t you be putting yourself at risk by replying to any posts?
Also, You can search a long list of users (mostly creators) with the search bar at the top of itch.io? If usernames were really that sensitive, why do you see them everywhere?
But also, it could pass in a display name or unique identifier to web games, instead of a username, avoiding this username/hacking point entirely.
5 days ago (+1)
Hi @redonihunter,
Answering your question:
"Where is this?"
Every time someone makes a comment, the username is displayed, I don't see how enabling access to the usernames can make it too much worse.
About what you mentioned:
I think you are saying that if the user never interacts in the platform, they don't have the username exposed, right? But I am not sure if I agree that exposing those could be a security concern.
You mentioned the usernames are accessible via cookies, if the apps can access that information I think this is even more concerning in terms of security, right? Also, cookies can be manipulated so you cannot rely on the information there, users can potentially modify any content there.
And finally, you mentioned that itch.io is not "this type of social network", I disagree. Yes, itch.io don't have all the features other social networks have but I think is implicit that any interaction you have will expose your username. Like creating a comment on this post, creating a devlog or publishing a game.
Itch.io doesn't have any authentication so there is no way around it. I would like to have this feature, I think it can be really useful not only for high scores but to learn more about the players.
5 days ago(+1)
There are orders of magnitudes between players, ratings and comments. Most people do not comment, nor rate. So you would maybe have 1 comment, 10 ratings and 100 users. The only public interaction is the comment. And about half of the ratings are seen in the global feed for like 5 minutes.
The potential public exposure for the other 94 people would be unexpected. And most of the 5 people with public review probably did not read their settings.
You mentioned the usernames are accessible via cookies
I did no such thing. I said web games can recognise recurring users. Not that they do this by the account name. I believe this to work with cookies.
Yes, itch.io don't have all the features other social networks have but I think is implicit that any interaction you have will expose your username. Like creating a comment on this post, creating a devlog or publishing a game.
It has basically no social network features at all. Itch is a download store that happens to also host some web games and happens to have a rudimentary commenting system.
Providing multiplayer support in any way would be nice for the platform. But it would also be a nightmare to implement.
5 days ago (+2)
I think you are missing the point.
First of all, you can rate content, create comments, follow users, create dev logs, create comments for dev logs. I don't know what features YOU need to call it a social network, but itch.io is a social network.
Secondly, no one is asking for multiplayer or any other new feature (other than maybe an opt-in), what I see here is people asking to make possible for apps to access an information that already exists (and is public).
I still don't understand your argument about how making the public usernames easily accessible would be a security concern.
I am not sure if you just want to be against this proposal or you have a real concern, if is the latter, what do you recommend? Oauth? Each game to implement a secondary login on top of itch.io? What would be the safest way to do it?
5 days ago (+1)
an information that already exists (and is public).
It is not public. That is my point. (It is not even known to the developer running a web game!)
You do not see who is playing a game. You do not see who is online. You do not have a "friends" list. You cannot comment on reviews, you cannot even see them attached to a game. You cannot "share" your activties. Best you can do is publish a collection on your profile.
Would you call all message boards "social networks"? There are reviews with comments on products on online stores. You call those a social network too? There is a social component, yes, but that does not make it a social network.
Making information public that previously was not, is a thing that should be thoroughliy scrutinized. And imho unless Itch does implement a whole lot of other mulitiplayer support, there is no need to access such information for things like leaderboard that can be implemented by other means.
Ok, I think I understand your point now, there is a comment talking about profile information that probably make you concerned but that's not the intention of the original comment.
What is being asked is to know who is playing your game if this person is logged in, and that's all. This information is public (if the person decides to publish something).
Personally, I think it's a reasonable request and can cause more good than harm.
About the implementation, instead of a opt-in, itch.io could simply warn users that the username is public. And because is possible to change your username, if someone wants to change before this new feature is released, they could simply change their username. What is the point of the username anyways? Display it publicly right?
What is being asked is to know who is playing your game if this person is logged in, and that's all. This information is public (if the person decides to publish something).
What do you think public means in this context?
The information who is playing which games is not public. It is not even known to the dev that published the web game. Hence this very thread.
Even if the existing api is capable of doing this, when playing a game or a web game with the Itch app, using the username inside the game (like displaying it on a leaderboard) would violate some privacy boundaries. Itch is just not a place like those web game hosters with the microtransactions or facebook games or even Steam.
Itch might one day have such capabilities, but as I said elsewhere here, there would need to happen a major overhaul including a huge bunch of other multiplayer support features that enable and control the interaction between users while playing online together.
Itch.io already supports multiplayer web games, they just don’t own the servers and stuff, the devs do.
This whole “overhaul” thing doesn’t need to happen, itch doesn’t need to do the peer to peer connection.
Giving display names to devs has vary little to do with a itch.io friends system or other “multiplayer support” it just gives devs the ability to implement that.
Itch.io already supports multiplayer web games
How does this support look like?
There are multiplayer web games on itch, yes. About 2000 or so. But do they implement multiplayer with any sort of support by Itch ecosystem?