IMO:
Require a regional credit card for service. Assign trust based on GeoIP and CC AVS Check. Don't permit name changes on the billing portion of the account, with TOS/EULA notification at the time of account creation regarding name changes.
This mechanism provides for and permits multiple CCs/IPs from the same household, cannot be spoofed, eliminates the use of proxies/VPNs, and forbids the sale/transfer of accounts, as a side effect. It's also currently used by several FI's in NA/EU today, transparently, because it requires no additional software on the part of the client (either a browser or MMO client) and does not trust the client in any way.
OR
Use this mechanism on an optional 'trusted' no-bot/no-box server type only, and permit all the badness on the default servers. :)
--
Ultimately, if you do nothing, multiboxing and botting will be a plague you cannot stop, and CC chargebacks will destroy any vestige of revenue or profit in a war of escalation.
Reputational services is the only path forward if you want to permit more than one connection per IP without abuse.
Similarly, if you want to stop RMT, Gold Sellers, and the similar related badness, you have to design your MMO economy appropriately. This means, among several potential design issues..
Permitting direct currency trading between players, and/or dropping currency from mobs, and/or having NPCs that buy arbitrary items and provide trade-able currency? Even one of those things will guarantee your game will be a target for RMT, Money Laundering, and all the rest of the related issues, as history has proven continuously since 1999.
Considering the problem for even a few minutes produces many creative (and thematically / internally consistent) solutions. Here's one of them, among many. (Which originally came from this)
And some further reading, if anyone is interested:
laundering money online:
https://www.pcgamer.com/how-microtransactions-and-in-game-currencies-can-be-used-to-launder-money/
https://arxiv.org/ftp/arxiv/papers/1310/1310.2368.pdf (2013)
https://crsreports.congress.gov/product/pdf/R/R45664 "Virtual Currencies and Money Laundering: Legal Background, Enforcement Actions, and Legislative Proposals" (2019)
This is a very good question @Kilsin.
I personally am about giving everyone a chance to be themselves as everyone has different types of play styles and why they do what they do. So, here I'm going to list Pros and Cons about each perspective:
1) RMT:
-Pros: I personally don't mind any of them. As a community we all do things differently to benefit ourselves and usually people depend on working with RMT to make a living. (simplest way I can explain is: I usually spend a lot of time playing video games due to personal disabilities)
-Cons: While some people might benefit from RMT, some people might think of it differently and consider it to be a detrimental advantage to the community.
2) Gold selling:
-Pros: A good thing one benefits from this, is having a way of acquiring Gold that to some people might be difficult to gather from play style abilitiy or time spent playing the game so that it makes it easier for them to acquire an item in game or for those that don't have much time or energy to make Gold themselves.
-Cons: I'm borderline about Gold Selling, as to when people aren't able to acquire that required item or desired quest they can't complete.
3) Bots:
-Pros: Only thing I can think of that is beneficial, is: that it helps people farm desired item when they're offline and don't want to spend so much time grinding or farming an item endlessly.
-Cons: It can be looked as a form of explotation for advatage that probably affects other people's priviledge to camp such desired item.
4) Spammers:
-Pros: Spammers are just a wall of text spamming certain channel for advertising their services so that people have a way to complete desired result for their gaming benefit.
-Cons: No one likes chat (Spam).
I really think in reality none of these systems affect anyone in particular. The game will still play itself out. Now, when it comes for people given the opportunity to do so, this play style system can be either detrimental or beneficial to the game depending on the games system.
Kilsin said:Community Opinion - Real World Trading, Gold Sellers, Bots and Spammers, if you were in charge, how do you think you would handle them in an MMORPG like Pantheon? #MMORPG #CommunityMatters
A Vjek so rightly pointed out above, allowing any form of direct PC-PC trading will result in RMT and gold selling, guaranteed. You will not be able to stop it.
Which means every transaction between players need to first through an NPC intermediary which charges a transactional tax based upon the value of the items being traded. It is important that that tax be deduced from the accounts of the players before the transaction is finalized so that you cannot have some alt holding 10k gold and wanting to give it to another player who purchased it by through some 3rd party. The seller would need to pay tax on that 10k. But when someone is caught RMT or gold selling, because transactional taxes are applied before the transaction is finalized, if you set their account balance to a negative equal to the amount of gold they were caught selling, they would first have to legitimately earn enough gold to get their balance >0.00 before being able to perform any transactions anywhere.
No, as for chat spammers? You'll never stop that, only mitigate it somewhat. Firstly, no global public chat channels. Given that you're doing away with physical zonelines, you're going to need 'local' chat channels limited to a given area somehow. So while someone can spam the eff out of ThroneFast Local, people over in Avender's Pass can be free of that garbage...until the spammer moves that is. You can also mitigate spamming by having no text macro capabilities and no cut/paste either. Spammers, specifically gold/item sellers, don't want to waste their time retyping every message. EDIT: You can, however, give the players the tools to deal with these ourselves. Spammers? Give us an easy to use chat block option with unlimited slots. Spammers won't hang around long if their potential marketbase are all deaf to their message.
Bots. For all you people who do not understand the difference between bots and multi-boxers, I"ll just say they are not equivalent so don't bring that stuff up. Bots are mostly, if not wholly, automated through the use of some 3rd party application automatically responding to stimulus input from the game. Multi-boxers (true multi-boxers) are actively controlling multiple characters. I'm anti-bot but pro multi-boxer. So, on to bots: I don't think VR will be able to stop them. Bot programs are getting ever more sophisticated, able to more accurately mimic the innacurate timings/movements of players to fool any snoopers looking for too-precise timings. No, you're going to need to do this manually, by actually going around in the world and watching players, interacting with them, getting to know them so you can start spotting the automotons. But I don't think you're going to have the personpower to handle this, not for quite some time after release anyway, if ever.
Bots are bad for the game and should be treated harshly. Though it may be hard to tell the difference between a bot (someone using an automated program to run one or more characters) and a multi-boxer (someone running two or more characters simultaneously on different accounts but manually controlling each character). I could say a lot about both but others know more than I so I choose to focus on gold sellers and spammers.
Gold sellers are bad for the economy and worse for the chat channels. Effectively preventing botting does a lot to keep them away. Having only subscription play (with free trials on a special server or unable to trade anything or talk in chat) does a lot to keep them away. An excellent chat filter (EQ2 has a great one) keeps them from burdening chat and I highly recommend it.
Spam is a touchy issue. By gold sellers, a good filter helps a lot and active monitoring by VR representatives as well. Guides or other non-employee volunteer assistants can also help if given authority to impose temporary bans on chat (with punishment for the Guides if the power is abused). Anything beyond a temporary chat ban may be too much authority leading to abuse. But this isn't usually a gray area - when a gold seller spams its services this is rather ...obvious.
Spam by real players is harder to control. There will be trolls. There will be very immature people that enjoy getting most of the server angry at them. But a good ignore feature may be all we need. Ideally one giving us the option to /ignore an entire account and to have the /ignore cover our entire account. So if Fred is a horrible troll with 30 trolling alts /ignore Fred will silence all 30 alts and protect all of *my* 30 pleasant and wonderful alts.
First and foremost:
NEVER hurt legit players experience in order to fight ANYTHING you dislike. Never.
That being said:
I never had a negative experience, because Player X bought Gold from Service Y. I did have spam due to that and bots farm said gold, but Id love to split these issues tho.
Pure bots can easily be banned, semi automatically even, with current know how and systems. So just do that and make sure it is reasonably hard to mass create accounts. Since Pantheon will likely have an upfront cost + monthly fee, that could be enough to flat out negate bots by itself.
Multiboxing is not something I am against at. And we need to make sure that BOTTING and MULTIBOXING is not the same thing, not even close. Some games made it synonymous, but in reality it is not. If a player can play 2-3 toons and pays for them,... why would I mind? It its their money and stress level. As long as they don't BOT the toons, it is totally fine with me. Hell: EQ groups usually had at least one multi boxer get his [insert whatever was missing from the group] so everyone could enjoy a team and experience. I tried it a few times myself and had reasonable success, but usually just invited a few other people into the group and phased out my multi toons to relax a bit more. And when a person left, I could replace them, until we found another person. Win Win for everyone.
Spamming can also be negated by widely available tools and algorithms, ... add a warning 2-3 times. Then a temp ban for 1, 2, 4, 8, 16, ... days. Problem easily solved. If you can't make it happen, hire any computer linguist for a week or two and it will happen.
So basically: Put the available tools in place to get rid of bots and spam, then RMT is not an issue that affects anyone. It will happen. It can't be stopped. Trying to stop it, will hurt legit players more, so never even try that. As long as a legit player does not notice RMT happening, no harm is done. So that should be the goal. If I don't get screwed over by bots and not spammed by RMTraders, ... nothing is negatively affecting my gameplay. And I wholeheartedly think this is the best and only approach that can work.
Did I mention that you should not screw over normal players to "fix" problems that can't be fixed anyway? ;-)
Removing all gold sellers, bots etc is impossible but actively working on it is still very important. No one thing is going to work or at least not without killing the game. I mean if you just do not launch the game no gold farmers lol. Below are some ideas that may or may not work.
Running sting operation. You are in control of accounts so you can make them and try to buy gold. Find the sellers and take all their stuff and ban them.
Let players report gold spammers. If the player is caught abusing the spam option remove it from that player. Should be easy to save chat log for proof and then ban the gold spammer.
As much as I like free trials for a MMO I think it is worth just not having them. This removes so much possibility for this type of bad behaver.
Consider limiting some countries to their own server.
Consider limiting trade functions on new accounts. Things like no 10k transactions until level 30 for example. You could make trading a skill that you level up.
Will add more ideas later if I think of any dinner is done.
"As much as I like free trials for a MMO I think it is worth just not having them. This removes so much possibility for this type of bad behaver."
Free trials are a topic that has gotten a lot of reaction both in favor and against. Without either supporting or opposing them - I do note that there are ways to limit them so as not to have them abused by gold farmers. Of course these also make it harder for players genuinely testing the game out but many MMOs make free trials somewhat burdensome to encourage players that like the game to switch over to a "real" account.
1. Separate server for free trials. This completely isolates them from any impact on the real servers. It also isolates them from contact with current players other than those that go there to be helpful or to recruit for guilds. Big plus - big minus. It also means that any that subscribe have to start over and "waste" their progress though VR could give any free trial subscriber a chance to start over at whatever level they had reached on the free trial server.
2. Same server but no ability to talk in chat or sell or give items. Easier for the gold farmers to beat these restrictions which is bad. Very restrictive for players trying the game out which is bad. Allows players to keep the character with all progress and coin and gear if they subscribe which is good. Allows exposure to active players and guilds which is good.
3. Same server with few or no restrictions. Rely on prompt chat bans and account deletions to limit spamming chat. Limit free accounts to e.g. level 5 and make any resources worth farming difficult or impossible to get until e.g. level 6. If this doesn't work out be prepared to eliminate free trials.
Option 3 may be ideal at the beginning when there will be a lot of publicity attracting people to try the game out yet the gold farmers will not have had time to figure out exactly how to do it efficiently and how to beat any built in game safeguards.
Rattenmann said:Trying to stop it (RMTs), will hurt legit players
Bots and gold sellers/spammers should have their accounts perma banned. No Kronos or other in game tradable RMT items.
If people are going to go to other places to sell items then countering those transactions are fine as long as they don't impact other players. I really hate not being able to chat or trade under a certain level for example. I have faith in VR's ability to do things correctly.
I would limit the functionality of every account (IE Trade,Chat ect..) until they meet the Know Your Customer (KYC) requirements as seen in financial services or Crypto exchanges, IE Proof of identify to all owned accounts so Bans or other needed measures are to the person not just one account.
HemlockReaper said:I would limit the functionality of every account (IE Trade,Chat ect..) until they meet the Know Your Customer (KYC) requirements as seen in financial services or Crypto exchanges, IE Proof of identify to all owned accounts so Bans or other needed measures are to the person not just one account.
I am not sure if you are joking or not but I am laughing.
philo said:Rattenmann said:Trying to stop it (RMTs), will hurt legit players
I'm curious how you think trying to stop RMTs could hurt legit players? (I'm assuming by "legit players" you mean players who don't participate in RMTs)
I can only think of ways RMTs hurt "legit players" unless you mean extreme, sweeping restrictions that affect everyone in the name of stopping RMTs? Or something else? VR is good at finding creative solutions to problems so that shouldn't be an issue. Though, thinking about the pros and cons, I'm willing to deal with restrictions if necessary.
Edit: I found this old thread by Zew on the topic that you participated in Ratt. It answered my question unless your thoughts have changed? I believe you were referring to extreme, sweeping restrictions like I thought. You used BDO as an example:
https://seforums.pantheonmmo.com/content/forums/topic/2887/this-will-kill-pantheon-i-fear
I think we just disagree on some things. You mention being in favor of kronos in that thread for example.
Yes, I am talking about restrictions.
I am not willing to take ANY restrictions to fight RMT. I simply don't see any reason to to be frank. RMT has never directly impacted me in any way (indirect via spam and bots sure, but those are easy to deal with). The fight against it has impacted me in almost all games I have played.
As far as Kronos go: I don't see any issue in paying gold for game time. Developers earn more (people usually stack up on those Kronos), I get more people to play with since less people put the game down and whoever is rich enough to pay for all that, clearly wanted to shell out the cash to pay for other peoples subs. Win Win on all fronts.
Rattenmann said:I am not willing to take ANY restrictions to fight RMT. I simply don't see any reason to to be frank. RMT has never directly impacted me in any way (indirect via spam and bots sure, but those are easy to deal with).
I guarantee RMTs have affected you more than you realize...or will admit. You can say it is indirect as a justification but allowing players access to gear and content they didn't earn inflates power creep at a faster rate.
It increases the high end bottleneck. It allows players to skip over lower content more quickly making those areas obsolete faster. It pushes the server population to a few specific, high end, areas because everything else can be purchased and bypassed quickly. This turns those low level areas into a ghost town. It also creates an inhospitable game for newer players who have no one to group with. VR has always talked about promoting horizontal progression to try to slow progression and minimize the high end bottleneck. RMTs are counter to that and expedite the process.
In a game like pantheon where content is supposed to be challenging it can allow low skill players access to areas they aren't qualified to be in. In my experience people who buy gold are not highly skilled/efficient players 99% of the time. They often make excuses like its a time issue and it's worth it to them to spend money. RMTs water down the skill level of the playerbase by allowing people to buy their way through and diminishes the accomplishments of those who are actually skilled.
Having all players be on even ground is one of the main draws of the subscription model for many people. Players are drawn to a game like pantheon because they want to avoid pay to win.
VR will lose customers and lose money if gold selling is rampant because that is ptw. It also forces VR to produce content at a faster rate because players are able to advance though it easier simply by paying money. VR has always been against pay to win as part of the tenets the game was founded on.
You've played open world games before right? You understand you will have to compete with the gold/item farming teams for spawns right? They are contested.
Gold farmers inflate the server economy. Mudflation runs wild. Gold wouldn't enter the economy at the same rate if it wasn't for the farming companies doing it to make money through RMTs.
From a server management point of view it degrades the economy and and makes it more difficult to manage long term.
You seem to have a very short sighted point of view if you don't understand the repercussions of gold selling and think it doesn't impact you lol. It impacts everyone.
Well, you are sounding like RMT is the devil for sure. And I know, it can feel like that in some games. Not claiming any different.
I just don't see it having an impact in a well made game. If difficulty is bypassed without skill, just by gear... I don't think RMT is the issue, just a catalyst,... to just name one example. I also don't see RMT go as rampant as you make it sound like. Sure, it can have all the impacts you mentioned,... but would it in reality? The difference between ghost town zones and full zones is RMT alone? Nah.
If bots and spam is being dealt with the market for RMT will be quite neglectable. And you simply can't remove it 100%.
Just to toss numbers out so you understand my reasoning behind it: Removing bots would probably remove 60-75% of RMT offers, since manual farming is rarely worth it. Add another 10-20% if content is actually a challenge and a single person can't farm that stuff reliably. Removing spam would remove 90% of buyers. If people don't get offered stuff, they won't be buying it, unless they specifically search the web for RMT.
People searching via google and sellers farming legit stuff will be the bare minimum you can get RMT down to. That is an achievable and solid goal. Every single % of RMT you want to remove more, would impose strong restrictions on normal players and take considerable resources from the Pantheon team. Id say it is very likely that the costs won't even come close to outweighing the benefits here.
Basically all the good ways to deal with RMT will improve a normal gamers game time, and have a huge impact on RMT. All the bad ways will annoy normal gamers and barely have an impact anyway. I have seen this so many times in so many games since Meridian,... and really the discussion is always the same, the results are always the same. I just hope the Pantheon team has the same experience in 25+ games and does not try too hard and screws over the population of the game just because of some ideals that can't be reached anyway.
Ignoring a problem will not make the problem go away and it will only get worse as people feel they either have to participate and then, in turn, become part of the problem. If a problem is recognised, then (by its very definition) it is detrimental to the system it inhabits. All detriments should be dealt with to the best of the system's ability otherwise that system will, in time, fail. Apps, games, finances, cars, anything. If it has a problem that is not rectified, it will fail.
RMT on a one to one basis may not cause a problem to the entire game, but if the supplier gets organised or involves multiple individuals, then it can be very detrimental to the playability of the game. Price hikes, un-natural item scarcity, bottle necks, frustration, etc, etc.
I have no problem in VR introducing any mechanism that they see fit if it means I dont get spammed and can progress my game play without the need to buy my way through. I hate in game purchases at the best of times, I am sure I dont want 3rd parties to benefit because they are abusing the games mechanics to get an unfair advantage over other players. I would rather leave the game. If other players actions are stopping me playing the game in the way it is intended, then that has to be dealt with. IP bans, decreasing returns, tying accounts to financial details, no drops for epic quest lines, all mechanics should be considered and used to make it as impracticable as possible for this to happen.
I would rather my money went to VR to progress the game than someone who is abusing the game.
Susurrus said:HemlockReaper said:I would limit the functionality of every account (IE Trade,Chat ect..) until they meet the Know Your Customer (KYC) requirements as seen in financial services or Crypto exchanges, IE Proof of identify to all owned accounts so Bans or other needed measures are to the person not just one account.
I am not sure if you are joking or not but I am laughing.
Not joking. I would implement limitations of some sort to unverified accounts if as he stated I were in charge, even if that was just allowing the verified to play on their own cheater free server.
It’s about making it as difficult as possible to continue to violate rules for a game and its community. There’s already information given when someone uses a credit card, or when company uses fingerprinting with out or without the users knowledge.
Adapting exiting KYC requirements already used in the above mentioned institutions would help solidify an individual to their accounts, making it much more difficult to just buy another copy of the game and start a new account with the same old tricks as before, rendering the banning process moot.
chenzeme said:Ignoring a problem will not make the problem go away and it will only get worse as people feel they either have to participate and then, in turn, become part of the problem. If a problem is recognised, then (by its very definition) it is detrimental to the system it inhabits.
A+ for the basic definition, but you need to adopt it to the game. Is it a problem? Maybe. In some forms. All forms? No. Black and white thinking is not gonna lead to a good result here. If you can fix 90% of a problem, without screwing over legit players... and the problem is no longer an issue after that, you got a good deal.
If you fix a problem 95% and have to screw over legit players, then the question arises: Is the detrimental effect of the "fix" worse than the 5% problem it fixed?
You can never "fix" 100% of RMT in any game. Just not possible, no matter what you do. You would have to reduce the game to something that is no longer an interactive MMO, in order to even come close to that goal. So basically: Don't overdo it. Yes some things need to be done, but we need evaluation of the underlying issue before we can start to screw over the game, just to fix something with stuff that is just as bad or worse than the problem itself.
If Pantheon puts restrictions on my personal trading with my family, just to combat RMT, I would be annoyed. If suddenly all the stuff is bind on pickup, I would be annoyed. If they put restrictions on how many times you can kill a normal mob per week, I would not just be annoyed, but move on. The fix can't be worse than the problem.
@Ratt
67% of all estimated stats are innacurate ;P
You keep mentioning:
Rattenmann said:You can never "fix" 100% of RMT
It's not necessary to state the obvious.
But lets talk about some of those numbers anyway because there is merit there even if they are innacurate.
Removing bots would probably remove 60-75% of RMT offers, since manual farming is rarely worth it. Add another 10-20% if content is actually a challenge and a single person can't farm that stuff reliably. Removing spam would remove 90% of buyers. If people don't get offered stuff, they won't be buying it
Now we are getting into a discussion that has been had many multiple times on this forum. Removing bots requires removing add ons and 3rd party programs needed to run those bots. VR has always said they will restrict add ons. How they intend to do that has lead to many discussions. Many of us are in favor of VR installing anti-cheat software/spyware on our computers. I have faith enough in the teams intentions to be ok with this where I normally wouldn't be ok with it from any random company.
I'm not sure why you think manual farming is rarely worth it? I'm sure we have all seen teams, often from asia, farming gold/items that aren't bots.
According to an old article from 2009: "There's 1 million MMO gold farmers in China alone (and gold farming is a multi-billion dollar business)" While bots are more efficient, and theoretically easier to detect, than real life players, to only be concerned with bots is the tip of the iceberg and does not come close to a solution...but it's a start.
Others have mentioned identity verification both in this thread and in the past. I'll concede to those more knowledgable on the topic than I am but this seems like an area that has made great strides in recent years. I'm not really sure how much of a viable option this is? Maybe someone else could go more in depth on this? It might be the answer? I think Vjek may have talked about this before if I am remembering correctly? Restricting account purchases from certain countries has been brought up before as a way to negate a lot of the problem... from China specifically.
You brought up decreasing spam as a limiting factor. Free to play accounts are generally brought up as a concern in this discussion. We have been told Pantheon will be FTP until lvl 10. Whether they put all of the free to play on a single server or not doesn't really solve the problem, but it makes it easier to shoot the fish when most are in the same barrel.
Maybe a team of volunteer bounty hunters...err guides...to suss out those involved would help? Offering incentives to players who end up reporting confirmed gold buyers/sellers could make a small difference? Community matters ...rat out your guild mates >:)
We all understand there isn't one overarching solution and honestly there are multiple threads on this already. Kils did a good job fishing on this one. Its a good topic to encourage community interaction.
----------------------------
Tangent:
All the RMT talk has made me think about the infamy system. Allowing guilds to spawn raid mobs on their own time, basically uncontested, will make it easier for RMTs to happen with loot from those mobs even if it is no drop. It's not quite as easy as instanced circumstances...but it's close. I guess the simple solution is to make players wait an extended period of time after they join the guild before they can loot anything from these "infamy spawned mobs". Which would then require a flag that differentiates the infamy spawned mobs compared to the standard spawned mobs. It seems like an easy fix...just something to be considered. I'm thinking out loud.
Free Accounts need restrictions. And they should have them either way. People expect restrictions on a demo. No issue with that.
Spyware on my system is likely not something I would love to have, since I know how to circumvent it as a developer myself,... and I know bot users have the same knowledge. It is basically an arms race that VR can't win.
It is however not all that hard to use AI to detect bots and sanity check them with "normal" methods. If both react, a popup would flash in the VR headquarter, they jump in, verify the bot and hit the ban hammer. Since accounts cost upfront + monthly fee, this would happen a few hundred times and bots would stop. Just have to make sure the system is fast enough so they can't farm more than the upfront cost before they get banned. Time spend leveling / gearing the account can also be an issue for the botter. Basically an easy fix, without an arms race, with todays knowledge and AI (again, combined with traditional methods AND human verification to prevent the Amazon szenario).
Spam has the same fix. So many great AI tools to combat spam. We are WAY past simple word filters / triggers and a few dots, spaces or fancy symbols are not fooling AIs (or more sophisticated algorithms) anymore.
I prefer AI for these two solutions, since you can retrain these solutions as you see fit. Bots will try to adapt, so the system in place needs to adapt as well. Fixed solutions can be circumvented (like spyware on the system of all players). AIs are instated once and can be trained on the data VR collects while the system is working. If players report a few more cases, the retraining to the new situation is easily done with very little effort, without changing the underlying system. This could be automated as well, so the moment 5 bots get reported, the AI gets an automatic retaining on those cases, adding to the model. After about a year a full retaining and NEW model would make sense to have a more robust base.
And I am quite certain that the brunt of RMT issues will be gone with just these solutions, combined with Upfront costs + monthly fee. If they add identity verification that would be a TREMENDOUSLY helpful added layer as well. Depending on the country, people expect that anyway, ... but the US is likely the biggest market for VR. And US people are hard against identity verification. They sure sound like it would be the end of the world. So,... not sure if that is an option VR can take, without hurting the bottom line. It is certainly one of the best options to help with RMT, since they would ban the PERSON behind, not just one of the hundreds of accounts said person could have.
philo said: ... Others have mentioned identity verification both in this thread and in the past. ...
IMO:
To provide more context to that topic, I'll offer this:
Practical security is a trade-off between convenience and security. A 100% secure system is air gapped, never turned on, and no-one ever uses it. Not particularly convenient. From that to 100% convenient & insecure is the grey area of the real world we live in.
So, if you want to determine who someone is online, there are several options, today.
A method that is used by several NA/EU FI's is to establish a level of trust based on source, and it goes something like this..
If the source (publicly routable IP address) has never been seen before, it is completely untrusted.
It may, as a consequence be redirected to a local and/or best effort service offering, until some level of trust is established. A simple example of this is google requiring you to provide some level of additional authentication information if you login to your gmail account from a different country, for the first time. Once you prove you are you, then after that, you don't have to do that again, until that trust level expires. This is trivially demonstrated by using a proxy server of any kind.
How that trust is established varies by the service. In some cases, interactive elements on the page presented and responded to, in some form or fashion may provide inherent trust. Your country relative to the service country may provide inherent trust, or not. Are you on the list of HRNs, from the perspective of the host nation? Is the GeoIP for the source a residential address, or not? Is it a mobile network, or not? Maxmind provides many of these details, instantly (via a local GeoIPv2 db lookup). So that part at least is very easy (and cheap and fast).
Once any non-zero level of trust is established (that is, the connection is ultimately a real human) then you might let the connection attempt authentication (logging in/on).
Now, at this point, I can say for a certainty (because I've implemented such systems) that most of this happens every day all day for most of you, and you've never noticed or cared, because it's all instant and transparent. You live in a country, and you use a bank in that country, online. No big deal. You've been a customer before, so you just bring up the site in your bookmarks, or on your phone, go there, maybe have to type credentials, maybe not, because they're cached or stored locally in your browser, and login. Totally normal, nothing unusual.
The challenge begins when people outside your country want to use your service in a secure fashion. In some cases, if the scope of customers is narrow enough, what possible value is there in accepting connections from countries that there is 100% absolutely no chance anyone there could ever be your customer?
As a simple example: You provide silage (livestock feed) to your county farmers. You don't ship or deliver. People must come to you, and you only sell to locals. You only provide one round bale per day per person. (or whatever other limit).
Ok, so. Why do you allow Russia, Canada, Brazil, Portugal, China, or in fact, any other nation, to reach your web server? What possible value is there in that? Arguably, very little. :D
A mitigation strategy, then, for you, the silage provider, would be to initially only accept connections from your country. Maybe that's sufficient, maybe not. If you wanted to limit your risk to people in your county, then you can. You can check the incoming IP address, instantly GeoIP locate it, and determine if it's within your county. Everyone else, maybe they get redirected to a page that says "Thank you for your interest, this website is limited to use by citizens of country XX in county YY". No harm, no foul. Reasonable mitigation. Every is happy, low risk.
Again, it's important to point out: This has been possible, trivially, for more than 15 years, for anyone. In fact, there is and has always been a free version of the Maxmind GeoIP database. Anyone can download it and use it locally. Local GeoIP resolution takes a few micro/nanoseconds. It does not significantly contribute to interactive latency under any conditions.
So, if an MMO provider chose to use GeoIP as a limit for regional servers, setting aside VPN/proxies for the moment, they could. It would handle most use cases for law abiding customers or customers willing to follow your guidelines.
If you only ever had one customer use one IP address, well heck, problem solved, right? Sure, if only. Again, the grey area of reality is, not so much. Now John and Jane Doe both want to play your MMO from the same house. Two computers, one publicly routed IP. Ok, so in order for them to play together, you have to establish trust, and it can't be just based on GeoIP, if your policy is to forbid more than one MMO client to connect from one IP address. (to prevent multi-boxing and/or botting, yes, I know the difference)
That's where identity verification comes in, and requires one extra step, and one extra policy. The policy is: If you want to play on our 'trusting' servers, you must use a credit card.
As a consequence, when the person creates their account, you get their first and last name, and in the TOS/EULA you require them to acknowledge that first and last names must 1) never change and 2) always match the billing information of the credit card. Easy policy, nothing strange or weird. If you permit name changes, then this is all a waste of time and effort, because you've now enabled account transfer & sale.
If you're unwilling to have such a policy, step back, hang your head and accept your fate.
If you are willing to have such a policy, then the second step is a Credit Card Address Verification Service. This is also something that happens every time you use a credit card online to make a purchase, but typically without the GeoIP component because online vendors just want to sell you stuff, they don't care about MMO client concurrency. Once the CC AVS check is performed, based on the address of the provided credit card and your current GeoIP result, voila, identity established. You are that person, or at the very least, in their house/at their address using their name, computer and credit card information. :D
So, what if you're not at home, temporarily? Fair question. In conjunction, as an optional feature, AFTER verification has been established at the home location, it may be possible to use an RFC 6238/4426 TOTP to establish identity. But, there are two critical policy decisions that have to be made before hand. 1) Do you trust email? Y/N 2) Do you trust SMS? Y/N. Ideally, the answer to both of these would be no, and the TOTP enrollment would happen entirely via the already established secure communications channel of you setting up your credit card and having GeoIP + AVS done during login to the account/billing web site.
If that is true, then you can go ahead and enroll that customer with a TOTP secret. Google and many other companies already do this as a secure form of Two-Factor-Authentication (2FA) which does not rely (at all, in any way) on email or SMS. The fact that many people put it on their phone is unrelated to email or SMS. It does not require or rely on either email or SMS.
I'll say that again for clarity, so people don't misunderstand: Google Authentiator does not rely on SMS or email, at all, ever, in any way.
Once the customer is enrolled with a TOTP secret, you can then temporarily permit them to temporarily add a publicly routable IP to their account, for vacation, or deployment.
Then, whenever they login once abroad, they must provide the current TOTP provided via their TOTP app, which changes every 30 seconds. (there are many/free ones)
However, it's worth noting that a sufficiently malicious person could abuse this service exception, so it's not something that should be considered by default. A mitigation strategy for abuse is to only permit one additional state, province, or country to be temporarily added as an exception beyond the home location for a specific timed duration that can't exceed something like 30 days per year, and that the TOTP must be entered for every login, in addition to a password. What does this mean in practice? Once enrolled, if your location changes, you enter the TOTP to confirm your identity. Just like many current service providers offer today (like Google). Once your vacation is over, you can only use the service from home.
Again, for emphasis: Permitting alternate temporary 'trusted' locations WILL be abused if permitted.
On the other hand, it may simply be easier to have a different service level agreement for deployed/travelling customers, and require they use a different type of server that meets their needs, where this GeoIP + AVS check is NOT performed or required. (such as a multi-box friendly server)
In practice, there is no additional software required on the part of customers to participate in a GeoIP + AVS check on login. If you're willing to require a regionally-issued credit card for customers to play on a regional no-box server, it's a pretty low barrier to entry. Personally, I would use my CC to play a game where I would be certain each character was a real living human, and not a box or bot (yes, I know the difference).