Confused! How is non-authoritative multiplayer (Unet, Photon PUN, etc) *ever* secure?

Discussion in 'UNet' started by 39thstreet, Jan 30, 2017.

  1. 39thstreet

    39thstreet

    Joined:
    Jan 30, 2012
    Posts:
    104
    I'm coming back to my first multiplayer game development after 7 years, so pardon my rust, but I'm really lost.

    The last multiplayer games I did were a Flash frontend with Smart Fox Server. Smart Fox was an authoritative server, I coded the game in Java on the server side, and the clients were trusted only to send input and update displays. 7 years ago, if you released a multiplayer game without an authoritative server, one that trusted its clients, the very second you became popular the cheatengine guys would have your game hacked and your game was shot. Any game without an authoritative server would be DOA.

    Now I'm making a Unity multiplayer game and all of the primary recommendations (UNET, Photon PUN, others) are based on relays and trusted/master clients. I must be missing something, how does this ever work? Do hackers not care anymore, or is there some security layer I'm not understanding? If a client can just say "I'm over here" or "Actually I have this much health", or whatever, isn't your game just shot? Is this just happening on mobile where client hacking is rare?

    I can't think of a time I've been this WTF confused by what's going on and no one even seems to be discussing this issue, so I have to assume I'm just being dumb and missing something.

    Thanks for any help!
     
  2. robochase

    robochase

    Joined:
    Mar 1, 2014
    Posts:
    244
    well, with unet for example, generally there's an authoritative server player. usually this guy will be in charge of everyone's health, resolving collisions, etc. & the other players are treated as clients, sending info to the server player to interpret & decide on. how much heavy lifting you want the server player to do is up to you - the clients could send actual player position data, or just send their inputs for the server player to use for position updates. the server can always second guess & validate whatever the client sends them if you choose to write that code

    of course, there's nothing stopping the server player from cheating in this model :)

    i remember reading that it's possible to run a unet server in a headless mode, where it's basically being the authoritative server for potentially many games at once, similar to the old days of smart fox. in this case, your headless/GUI-less server would run on your own box/VM.

    anyways, don't quote me on this, but i believe if you're going to put your game on steam, there is some cheat detection built into steam, in terms of detecting whether they're using a hacked client via CRC checks and such (unet also has built in CRC checks). I've been playing a popular peer-to-peer multiplayer game on steam for years, and have run into a cheater once, in 1000s of games. in this game, each player is actually responsible for deciding when they damage/kill another player. it seems to work out just fine for them. even some of the Halo games run P2P i believe.
     
    Last edited: Jan 30, 2017
  3. srylain

    srylain

    Joined:
    Sep 5, 2013
    Posts:
    159
    Which is fine on console usually because it's much harder to mod a console game, and you also take the risk of being banned from their services as well. Pretty much all competitive shooters (even on console) these days use dedicated servers for the competitive stuff, and say if they have a coop campaign they might just fall back on P2P for that since usually direct connections are faster for just two players.
     
  4. mischa2k

    mischa2k

    Joined:
    Sep 4, 2015
    Posts:
    4,347
    UNET's NetworkIdentity has a 'localPlayerAuthority' option. If it's true then the local player is the source of truth, he can say 'I actually have 100 health', like you said. If it's false then the server is the source of truth, the client won't even be asked about his health. The client can only send a command to the server like 'please use my health potion', which the server then may or may not do.

    The latter option is secure because no logic is handled by the client.
    The first option is insecure because a client can cheat easily. This might be necessary for some parts like movement in a first person shooter. This is when you need anti-cheat measures on the client, like VAC. But they are all hackable with enough motivation. All you can do is make it as hard as possible for hackers - or put the logic on the server.
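    The following is an added example, not code from anyone in this thread or from Unity, showing the two models that robochase (clients send inputs, the server validates) and mischa2k ('please use my health potion') describe, written as UNET NetworkBehaviours. The class names, the potion and movement rules, and the key bindings are assumptions for illustration. The insecure class ships the new health value in the Command and stores it unchecked; the server-authoritative class accepts only requests and raw input, and every decision runs on the server.

```csharp
// Added example (not from the thread): contrasting a client-trusted health
// Command with a server-authoritative one in UNET. Names and rules are assumed.
using UnityEngine;
using UnityEngine.Networking;

// INSECURE: the Command's argument *is* the new state. A modified client that
// calls CmdSetHealth(9999) gets that value replicated to every peer via SyncVar.
public class ClientTrustedHealth : NetworkBehaviour
{
    [SyncVar] public int health = 100;

    void Update()
    {
        if (!isLocalPlayer) return;
        if (Input.GetKeyDown(KeyCode.H))
            CmdSetHealth(health + 50);   // the client decides the outcome
    }

    [Command]
    void CmdSetHealth(int newHealth)
    {
        health = newHealth;              // no validation: whatever arrives is accepted
    }
}

// SERVER-AUTHORITATIVE: the client asks, the server decides and replicates.
public class ServerAuthoritativeHealth : NetworkBehaviour
{
    const int   MaxHealth = 100;
    const int   PotionHeal = 25;
    const float PotionCooldownSeconds = 5f;
    const float MoveSpeed = 5f;

    [SyncVar] public int health  = MaxHealth;
    [SyncVar] public int potions = 3;

    // Server-only bookkeeping; never sent to, or trusted from, the client.
    float lastPotionTime = -999f;

    void Update()
    {
        if (!isLocalPlayer) return;

        if (Input.GetKeyDown(KeyCode.H))
            CmdUsePotion();              // a request, carrying no value to trust

        // Send raw input, never a position (robochase's point).
        var input = new Vector2(Input.GetAxis("Horizontal"), Input.GetAxis("Vertical"));
        if (input != Vector2.zero)
            CmdMove(input);
    }

    [Command]
    void CmdUsePotion()
    {
        // Every check uses server-side state; the client's copy is irrelevant.
        if (potions <= 0) return;
        if (health >= MaxHealth) return;
        if (Time.time - lastPotionTime < PotionCooldownSeconds) return;

        potions--;
        lastPotionTime = Time.time;
        health = Mathf.Min(MaxHealth, health + PotionHeal);
    }

    [Command]
    void CmdMove(Vector2 input)
    {
        // Clamp so a hacked client cannot send (1000, 1000) to teleport; the
        // server integrates with its own speed constant and its own frame time.
        // A production server would also rate-limit Commands per connection.
        input = Vector2.ClampMagnitude(input, 1f);
        transform.position += new Vector3(input.x, 0f, input.y) * MoveSpeed * Time.deltaTime;
    }

    // Gameplay damage is applied only by server code; [Server] makes a client
    // call a logged warning instead of a state change.
    [Server]
    public void TakeDamage(int amount)
    {
        health = Mathf.Max(0, health - Mathf.Max(0, amount));
    }
}
```

    For the position written in CmdMove to reach other players as server-owned state, the prefab's NetworkTransform must be configured with the server as the authority (localPlayerAuthority unchecked), otherwise the client's own transform overrides it and the movement check is bypassed. The structural difference between the two classes is the one that matters: in the first, the client chooses a value and the server stores it; in the second, the client only names an action and the server applies its own rules.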