Millions of people now spend part of their day in a virtual world, also commonly referred to as a synthetic world. They may work and play in a magical fantasy that exists only in a remote server farm and in their own minds. In these worlds, programmers can become wizards, accountants can become warriors, and college students can explore the stars. From auto racing to everyday life to medieval times, there is a virtual world environment available to meet any taste.
Perhaps this should come as no surprise. As personal computers (PCs) and gaming consoles proliferate, more people play video games. From a humble but addictive origin in Pong and its countless imitators, a video game industry has emerged to suit a wide variety of tastes, from casual games offering simple puzzles to elaborate immersive adventures with detailed stories that unfold over hundreds of hours of gameplay. These adventure games in particular often employ a wide cast of characters whose actions and dialogue are carefully scripted by the game designer.
But even the best scripted characters can't match the experience of interacting with real people. It would appear that all types of games, including card games and board games, are more enjoyable when played socially instead of alone. With this in mind, it seems inevitable that as our gaming consoles and PCs gained broadband connectivity, social games would follow. The tremendous increase in connectivity and processing has led to online games that go far beyond the traditional four- to six-player board game to include communities sometimes numbered in the millions.
Most of the popular virtual worlds we see, including World of Warcraft and EverQuest, offer in-game rewards for time spent playing the game. A player controls a persistent character with certain attributes, like strength and speed, and certain equipment, including weapons and armor. One can increase one's abilities and improve one's equipment through completing quests or successfully battling scripted computer-controlled characters. Increasing one's attributes in this way can allow one's character to perform more powerful actions. For instance, a wizard may need to attain Level 20 before he or she can cast fireballs at enemies. Naturally, some people play these games quite a lot and gain very powerful skills and equipment merely by playing the game.
Some people may want these things without investing all that time. Clearly, these items have value to these players. No further proof of this fact is needed than to consult listings on eBay for in-game artifacts and characters. Reliable statistics are hard to come by, but estimates on the size of this market exceed $100 million annually in the U.S. with greater trade seen in Asia. Some individual artifacts like swords have sold for thousands of dollars.
Paying $1000 for a sword that is, after all, really a mere pile of bits seems absurd unless one recalls the actual labor involved in its attainment. In spite of this, it can be argued that the value of such a thing is fleeting at best: a game designer could easily decide that these swords will become widespread and easily available. While this is no doubt true, the same can be said of any floating currency including the U.S. dollar. The U.S. Treasury does not wantonly increase the world's supply of dollars because doing so would drive down their value. Similarly, game designers have an interest in rewarding their most dedicated players and inspiring ordinary players to become dedicated.
It seems that both players and game designers want to maintain the linkage between time spent playing the game and wealth earned. Given the secondary market in virtual equipment, it should come as no surprise that players have attempted to automate the gathering of status and items. Since most players of these games use ordinary PCs to access the virtual world, many have experimented with automated scripts to mimic the presence of a human playing the game and accumulating treasure.
Combating the abuse of automated scripts is a concern not only of online game designers but also of web sites that offer free e-mail accounts and those that sell tickets to coveted events. In general, the problem can be stated as: how can a remote computer program determine if it is interacting with a human rather than another program? This problem is a variant on the celebrated Turing test, in which a human judge interacts electronically with both a human and a computer and attempts to determine which is which.
Determining if a human is present is of course a part of a larger authentication problem: how can a remote computer program determine if it is interacting with the correct human? Most online systems including online games use the venerable combination of username and password at login time to establish confidence in a user's identity. But it has long been known that passwords are problematic: users forget them, choose them badly, and guard them poorly. Given that we have established that these accounts hold goods with substantial real-world value, better alternatives to static passwords need to be considered. Identity theft is a growing problem and online games are not immune.
Accordingly, what is needed is a solution that addresses both user authentication and verification of user presence. The corresponding security measures should be easy to use and unobtrusive. Otherwise, users will simply bypass them. Moreover, the solution should be culturally appropriate to a given virtual world. That is, it should look to enhance rather than degrade the experience of playing these games.