Hey everyone! So, my friend is deep into game development and he and his crew are toying with the idea of incorporating QR codes into their latest project. Like scanning a QR code within the game to unlock hidden quests, snag exclusive loot, or share your in-game triumphs with friends (more like "rub it in" style they had in mind, they target a younger audience). But here's the thing - they're divided on this matter: adding a couple of nasty codes that make you lose something. The idea is to make the "rewarding" codes super awesome so that the temptation to scan is big but with a risk. I haven't had much time to play lately (lately being a couple of years) so I'm not really sure about the general mood on this topic (haven't played any games with QR codes). Actually, it's one of the reasons I came here, the Gaming section, to at least see what's up since I don't really play anymore. When I mentioned this to my friend yesterday, the punk immediately asked for a favor so here I am asking you to pitch in.
I would say any gameplay loop with a negative element to it should include some skill-based technique that allows you to avoid said negative effect - rather than just pure RNG. For example, maybe all the negative QR codes could have a sub-pattern that - to the observant player - would indicate that a negative outcome is coming. The problem with a random "You lose" style gameplay element is it pisses people off if they can't at least take steps to avoid it happening.
I'm going to be honest... If a game starts presenting QR codes that I need to scan I'm immediately going to assume that someone is trying to squeeze more money from me through microtransactions, loot boxes, "battle passes", subscriptions, etc. When you scan a QR code it isn't always obvious what that code contains - if it has a link embedded, it's perfectly possible that the address you're directed to could have been hijacked with malware. Even if I could 100% trust that it isn't a scam, a ploy for more money, or a malware installer, I probably wouldn't bother doing it - even if it meant I couldn't carry on playing. It would really break the immersion and "pull me out" of the game. The opinions of one grumpy (and perhaps slightly cynical) middle-aged gamer aside... there's also the additional complexity of the required back-end services to consider. Usually QR codes point to an internet URL, so if the point of that code is to unlock content within the game then the game needs to know whenever that URL gets hit. Presumably the game would also need to know which player hit that particular link, or the first person to unlock a particular feature would unlock it for everyone. This would need some kind of service-tier architecture that the game and user can communicate with - meaning it has to be hosted on the open internet, not a closed network - and users would require an account. Because this infrastructure would need to sit on the open internet, it would also need to be thoroughly secured against being exploited or hijacked. That infrastructure would need to be maintained for as long as they want the game to be available, meaning: code fixes/updates, platform maintenance (e.g. AWS/Azure migrations or downtime), vulnerability patching, monitoring for exploits/abuse, etc.
This isn't a criticism of your friend or his colleagues/company, but it's worth bearing in mind that billion-dollar megacorporations like Sony, EA, Ubisoft, etc, don't maintain their online services indefinitely; when they pull the plug on a service that a game depends on, that game is almost always useless afterwards. I don't want to sound like I'm being negative or rubbishing the idea; I just think it's worth having a realistic assessment of what this feature would take to implement, and whether or not that effort would be worth it.
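The post above notes that the back end has to know which player hit a QR link, or one scan would unlock the content for everyone. One way to bind a code to a single account, as an added example that is not part of the thread or of any game's real code: the game shows each logged-in player a QR URL carrying an HMAC-signed, expiring token, and the server checks host, signature, expiry, session and prior use. The host name, parameter names and key are hypothetical.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"        # assumption: server-side key, never shipped in the game client
REDEEM_HOST = "redeem.example.invalid"  # hypothetical redemption host
_redeemed = set()                       # stand-in for a database table of used (player, reward) pairs


def _sign(player_id, reward_id, expires):
    # JSON keeps the field boundaries unambiguous, so "a|b"+"c" cannot collide with "a"+"b|c".
    msg = json.dumps([player_id, reward_id, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_qr_url(player_id, reward_id, ttl=300, now=None):
    """URL the game encodes into the QR code it shows to one logged-in player."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"p": player_id, "r": reward_id, "e": expires,
                       "sig": _sign(player_id, reward_id, expires)})
    return f"https://{REDEEM_HOST}/redeem?{query}"


def redeem(url, session_player, now=None):
    """Server-side check when the scanned URL is hit. Returns (ok, reason)."""
    now = int(now if now is not None else time.time())
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != REDEEM_HOST:
        return False, "wrong host"
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        player, reward, expires, sig = q["p"], q["r"], int(q["e"]), q["sig"]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _sign(player, reward, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if player != session_player:       # a screenshot shared with a friend unlocks nothing
        return False, "not your code"
    if (player, reward) in _redeemed:  # single use per player and reward
        return False, "already redeemed"
    _redeemed.add((player, reward))
    return True, "unlocked"
```

The `session_player` argument stands for the account the scanning device is logged in as, which is why the post's point about users needing an account still applies.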
Depends on the game, and platform. Most platforms run some form of QA on games before pushing them live, so they could be trusted as much as any other QR code you might come across in the wild. Like "scan this QR for our menu and 10% discount" type thing. Personally, the QR code scanning would have to add some value. Why am I scanning a QR code? If it's just scan QR to get things, it's a bit lame, an extra hurdle in the player journey that might push people out of the game entirely. Link it with a partner mobile app/game however, now you're talking. Scan the QR code, that gives you a puzzle to solve on the mobile app, so you can "play the game" while not at your PC/console. App can also be used to track stats, manage stash, whatever is appropriate for the game. It's got to be engaging and entertaining. Adding it for the sake of it would be a bad idea.
It’s not the game you have to worry about, it’s wherever that QR code takes you. If it takes you to a website that’s been hijacked, it could serve as a malware delivery vector. “But why would people hack a game’s back end server, there are better ways of reaching more people”, I (don’t) hear you say… Well “people” don’t, the process is largely automated - no one’s “choosing” to hack any particular low-traffic web server, it’s trivial to automate processes to look for vulnerable targets en masse. Before I migrated it, my blog got battered with exploit attempts. Gigabytes of traffic and tens or even hundreds of thousands of hits a month - 99.9% of it was people trying to break in. No one reads my blog, I don’t even care if there is less than one genuine reader per year. But because it was running on WordPress, it got picked up by automated scanners. I ended up having to pay £50 or more a month for vulnerability mitigation and login protection services - in addition to the hosting fees. All to protect a crappy little blog that gets less traffic than a meth-addled hooker with one leg and no teeth. (I’ve moved it to a text-only site now; no logins, no scripts, no PHP, no server-side stuff, pure pre-generated HTML & CSS - let’s see you hack that, you scummy little pricks…)
I was about to say "if it was an app you wouldn't need a website" then realised I don't really know how "apps" work, and it's probably just a website accessed through your chosen phone platform's GUI/API system, which really just replaces the traditional browser. I can't imagine the checks run by app stores are anywhere near the level of testing that Xbox and PlayStation do.* At one point I had a mild understanding of these types of things when I worked in Codies' online team, but I was a payment security boffin so was mostly interested in PCI DSS, COPPA, DPA etc., but picked up the odd bit and did a bit of game theory type stuff. I know that I don't know anywhere near enough about the technical challenges of implementing it, so tried to not comment too much on that and more to player experience. *Funny story, I was at Codies while the 2 main games being worked on were F1 2013 and F1 Race Stars. F1 Race Stars was an F1-based Mario Kart, it was awesome. It was so much fun, the Xbox team nicknamed it F1 Funstars. About a month before launch, someone at FOM who had no idea about games threw a strop about the fact that you could drift. "F1 cars do not slide around like hooligans" was quoted I think. So they had to remove it. You could still kind of slide a smidge, but it's like playing Mario Kart with traction control. It was horrid. Xbox contacted us almost immediately when we sent the new version, to inform us of this catastrophic "bug". They were as heartbroken as we were and it got absolutely panned. And rightly so. "Simply put, F1 Race Stars is the kart racing equivalent of a self-help seminar, or of a PowerPoint on learning real estate sales. Like those sorts of intellectual death marches, it frequently made me yawn while playing and the whole thing has a painful sense of inevitability to it - which at least draws a further comparison with the sport on which it places primary focus." Everyone was furious with FOM, but they couldn't afford to piss them off. So sad.
Guys, thank you so much for your insights. Will pass this to my friend and they can decide how to proceed here. I understand all the safety concerns as I didn't share their background. One of them works for a pen testing/vulnerability management company. The other one was in marketing for years and used QR codes in hundreds of campaigns, and will use them to promote this game too. They plan to use Uniqode (formerly Beaconstac) and it has phishing URL detection, SSO login, MFA, SOC 2 Type 2 certificate, anomalous scan detection, and probably other safety features that I'm forgetting at the moment. (I use it for work too, so I know a thing or two.) It's the safest in the market, in my opinion. This crew knows what they're doing so this doesn't worry me. But the point here is that there will be potential players with these concerns and I think this is something they need to consider. If scanning a code is a dealbreaker for a decent amount of their target market, the question is if it's worth it. As I said, the game is for a young audience, basically teenagers, and the initial research they did suggests they usually have no problem scanning. I, belonging to the abovementioned grumpy and slightly cynical generation, am also not sure if I would go for it. Anyway, thanks again for sharing your thoughts. Mission complete, off I go.
The example you mentioned earlier is actually a pretty good comparison: scanning a QR code in a pub/restaurant to order food. You scan the code and it takes you to either a website or an app in a store which you use to place your food order. That order information then needs to be sent back to the kitchen so they can prepare it. Edit: So this means there needs to be some kind of platform/infrastructure sitting between you the customer and the restaurant. Also your anecdote from Codies sounds unnervingly familiar. It’s possible that they could have been trying to head off potential license concerns from the FIA, but I doubt it. It never ends well when execs & senior management stamp their authority on something through poor decisions that have no regard for the opinion of the people actually doing the work. Probably also worth bearing in mind that the vast majority of the population won’t have the same technical concerns that people on a tech enthusiast forum might. Many people here are the kind of people who don’t want anything to do with “smart devices”, and would happily throw their printer out of the window if it did something unexpected. (I am not one of those people, I am festooned with smart devices and digital assistants - I can’t even turn my lights on without a network at home.) I think this sums it up the best: If they do any kind of focus groups or user research then that would be a valuable avenue for feedback as well.