Why MFA?
Recently, we’ve seen spammers hijacking (spoofing) other players’ accounts to join game servers. These spoofed accounts were being misused to:
- Cause noise and disruption in servers
- Gain unauthorized admin powers
- Perform random malicious actions
BombSquad V1 accounts have always had some security flaws, which made them vulnerable to this kind of abuse. Because of this, most players no longer trust V1 accounts for secure authentication.
Thankfully, Eric has already introduced V2 accounts, and they will soon become the mainstream method for player authentication.
Until now, servers could only read V1 account details for authentication. With this update, we are adding an additional layer of verification (MFA) to secure V2 accounts.
How MFA Works
With MFA enabled, we now verify players by both their V2 account and their IP address.
- Login step – Players must log in to their V2 account through the Ballistica web app on the BCS website.
- Join step – When joining a game server, the server will internally verify:
  - The IP address used to log in to the website
  - The IP address the player is using to join the game
✅ If both IPs match → player joins freely.
❌ If IPs don’t match → the player will need to re-validate via the BCS login page.
Note:
If a player’s IP changes (e.g., switching Wi-Fi or mobile network), they must visit the BCS website again to update their IP.
If already logged in, no full re-authentication is needed.
Currently, the BCS website logs you out when you close the window, so you may need to log in again in that case.
Server Owner Guide
Enabling MFA
- In your server settings, set mfa to true.
- You can choose to enforce MFA:
  - For all players, or
  - For admins only (requires specifying V2 account tags).
Handling IP Mismatch
- If a player’s IP does not match their last known IP, the game will prompt them via the Stats button.
- Server owners should configure the Stats button to point to the BCS login page.
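The join-step check and the two enforcement modes described above can be sketched as follows. This is an added example, not code from BCS or the server scripts: apart from the `mfa` setting name, every key, function name and the login-IP store are hypothetical, and the addresses are constructed documentation values.

```python
import ipaddress

# Hypothetical settings shape; only the `mfa` key name comes from the page.
SETTINGS = {"mfa": True, "mfa_admins_only": True, "admin_v2_tags": {"ExampleAdmin"}}

# Constructed sample: V2 tag -> IP recorded at the last website login.
LOGIN_IPS = {"ExampleAdmin": "203.0.113.7", "PlayerTwo": "2001:db8::1"}


def normalize_ip(raw):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def check_join(v2_tag, join_ip, settings=SETTINGS, login_ips=LOGIN_IPS):
    """Return 'allow' or 'revalidate' for a join attempt."""
    if not settings.get("mfa"):
        return "allow"  # MFA disabled on this server
    if settings.get("mfa_admins_only") and v2_tag not in settings["admin_v2_tags"]:
        return "allow"  # admins-only mode: regular players are not checked
    recorded = login_ips.get(v2_tag)
    if recorded is None:
        return "revalidate"  # no website login on record: fail closed
    try:
        same = normalize_ip(recorded) == normalize_ip(join_ip)
    except ValueError:
        return "revalidate"  # unparsable address: fail closed
    return "allow" if same else "revalidate"
```

Comparing parsed addresses rather than raw strings keeps a dual-stack server from rejecting a player whose IPv4 address is reported in IPv4-mapped IPv6 form.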
Using Server Manager
- If you’re using a server manager and want to keep your custom Stats button link:
  - Set a redirect URL so that, after login, players are redirected back to your server manager page. (link with redirect)
Benefits
- Stronger security for V2 accounts
- Protection against spoofing/hijacking
- Safer and cleaner multiplayer experience
👉 With this update, servers can finally rely on secure V2 authentication with MFA.
Future Work
Authentication is done with the V2 tag only; attackers can still spoof your public_account_id (pb-id), which some mods use to track player identity and to maintain roles. Since V2 is the future of game accounts anyway, and V2 tags are confirmed to be unique, we can start using the V2 tag as the unique identifier for a player, unless servers become able to fetch another unique ID for an account. We leave it to modders to use and expand this IP-based MFA to validate players.