I'm curious about what the process is for anonymously authenticating users when it comes to mobile games. There are quite a few examples out there, but the ones that immediately come to mind are Lords Mobile, Family Guy: Quest for Stuff, and Clash of Clans. When you first open the game, you're assigned an account id and that id is tied to your device until you choose to register an account with a password or sign in through some SSO service.
In that initial step where you're not creating a password or using SSO, how are these games making sure the requests are from both the user and the device that they come from? Or is it that they actually don't?
I can imagine a simple setup where you're providing a key that needs to be refreshed every now and then just like you would with something like OAuth, but other than that you don't care that the user is who they say they are. After all, you're dealing with a request that already has to be validated for legality within the game rules.
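
A minimal sketch of the kind of setup imagined in the question, added here as an example and not taken from the post or from any of the games named: on first launch the server mints an account ID and a random device key, and the client periodically trades that key for a short-lived signed token that accompanies each request. All names (`register_guest`, `issue_token`, `verify_token`), the 15-minute lifetime and the token layout are assumptions. The check proves only possession of the key issued at first launch, not who the person is.

```python
import hashlib
import hmac
import secrets
import uuid

SERVER_KEY = secrets.token_bytes(32)   # server-side signing key (constructed)
TOKEN_TTL = 900                        # assumed 15-minute token lifetime
_accounts = {}                         # account_id -> sha256(device_key)


def register_guest():
    """First launch: mint an account id and a random device key."""
    account_id = uuid.uuid4().hex
    device_key = secrets.token_urlsafe(32)
    # Store only a hash, so a database leak does not expose usable keys.
    _accounts[account_id] = hashlib.sha256(device_key.encode()).digest()
    return account_id, device_key


def _sign(account_id, expires):
    msg = f"{account_id}.{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account_id, device_key, now):
    """Refresh step: swap the long-lived device key for a short-lived token."""
    stored = _accounts.get(account_id)
    offered = hashlib.sha256(device_key.encode()).digest()
    if stored is None or not hmac.compare_digest(stored, offered):
        return None
    expires = int(now) + TOKEN_TTL
    return f"{account_id}.{expires}.{_sign(account_id, expires)}"


def verify_token(token, now):
    """Per-request check: return the account id, or None if forged or expired."""
    try:
        account_id, expires, mac = token.split(".")
        expires = int(expires)
    except ValueError:
        return None
    expected = _sign(account_id, expires)
    # Compare as bytes in constant time; non-ASCII input cannot raise here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return account_id if now < expires else None
```

A request that passes `verify_token` is tied to an account, and the game-rule validation mentioned in the question still applies to what that account asks to do.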