A day or two after Pok√©mon Go came out, I decided to give it a try, so I downloaded and launched the game. (The iPhone version of the game, to be specific.) And, after being asked to enter my birthdate, I was given a choice of registering with a Google account or a Club Pokemon account. I didn’t think about it too hard, I simply clicked on the latter.

This put me at a screen with username/password fields and with buttons below to log in or to register a new account. So I went over to 1Password, and created a random password. Then I switched back to the app, typed in a username that I hoped wasn’t taken, and went to paste in my password.

Unfortunately, the password dialogue didn’t support paste! That was pretty annoying, but I was sitting at my computer, so I opened up 1Password on there, told it to display the password in large type, and went to type it in. At which point I discovered that the app displayed the characters that you typed as stars immediately, instead of showing you the last character that you typed; which meant that, unless I paid very close attention to the keyboard, I wasn’t very likely to accurately type in a random 30-character password. I tried to be careful; who knows if I succeeded, because when I finished and hit the “register” button, I was presented with an error screen on Club Pokemon.

Setting that error screen aside, my reaction here was: they went to the extra effort of implementing a custom control instead of using a standard password entry control, and came up with a control that was significantly worse than the standard one in two separate ways! That did not impress me too much. Thinking about it a bit more, I think that analysis is a bit off: it’s a cross-platform game, which means that the UI is probably implemented in a way that uses relatively few platform-native elements. So I’m not so convinced any more that the choice they made was more effort than using the standard iOS password box would have been, but the outcome was certainly worse.

 

After that failure, I still wanted to play, so I logged in with a Google account. I was a little surprised that I didn’t see a screen listing what permissions I was granting to the app; as events of the subsequent days showed, I was right to raise my eyebrows at that one. (If only I’d written this blog post on Sunday instead of tonight I would have had a Hot Take, or even a Hot Scoop! Ah well.) That worked fine, so I went out and, after a bit of effort (the game is not much for tutorials!) caught my first Pokemon.

But the next time I launched the app, I was told to log in again. This raised two problems / questions:

1) I just wanted to play a game, I didn’t want to switch over to 1Password, type in a long passphrase (and then type it in a second time when I made a typo), copy a password, switch back to the game, paste it in, then switch over to the two-factor authentication app, remember the number shown there, switch back to the game a second time, and type it in. Doing that once a month might be okay, but doing that on a regular basis is absolutely not okay.

2) Why on earth was the game asking me to re-log-in again, anyways? What happened that it lost my credentials from the first time I logged in?

I still don’t have a good hypothesis for that second issue. It did raise the question of where the credentials from the first time I logged in are stored, though: are they on the device or are they on Niantic’s servers? I would normally assume the former, but if it’s the former, I don’t see why they would go missing (though I certainly would never want to underestimate the possibility of bugs); so I guess I think it’s more likely that they’re stored on the server, and that their protocol doesn’t distinguish between “generic server connection / overload error” versus “response from the server saying that it got the request and is accurately responding that it doesn’t have the login credentials”? Who knows, though.

 

That latter possibility combined with the lack of specificity into what permissions I’d granted the app were pretty disturbing. And, of course, like I said above, constantly re-entering my Google creds was a pain on a purely practical level.

And, while thinking about this more, I started to wonder: the game is getting mapping data from Google, it has my Google creds, and it’s doing pretty weird stuff. What are the chances that it’s using my creds when talking to Google for mapping info, giving Google location information about me? Honestly, the answer is probably that the chances are pretty low, given that the Club Pokemon account code path can’t do that. But by this point I don’t have much faith that Niantic is doing anything correctly—I’m pretty sympathetic to them for having server problems arising from the game being the biggest smash hit I’ve seen in ages, but I’m also seeing enough signs of strangeness that I don’t feel like I can accurately predict what they’ll do. In particular, given the game’s Google / Ingress roots, there presumably was once code in there that always could assume you had a Google account, so it wouldn’t shock me if vestiges of that remained in the map communication. Not that I’m 100% against Google having location information about me, but all things being equal, I’d prefer for that not to be the case.

 

With all of this weirdness and with a bit more time to think about it, I decided that I didn’t want to use my Google account after all; yes, it meant that I couldn’t jump on the bandwagon immediately, I’d have to wait until I won the “am I allowed to create a Club Pokemon account” lottery, but that’s a pretty small price to pay. So I deleted and re-installed the app, revoked the app’s creds from my Google account, came up with a short password to use that I wasn’t using on any other account, and tried every few hours to register until I was allowed to. (Which took about a day and a half.)

At which point I learned something else unfortunate about that Club Pokemon login/registration screen: the values that you enter there are ignored in the registration path! Oy. (So: maybe I could have gotten away with a 30-character random password after all.) At least the Club Pokemon website is, well, a website, so it has standard UI elements; the only problem there is that they didn’t mark the various fields with the magic “don’t autocapitalize / autocorrect” attributes, which was a bit annoying: my e-mail address does not in fact start with a capital letter.

After that, though, it’s been smooth sailing: the game and its servers have issues, but it does at least reliably remember who I am.

Post Revisions: