Smurf & ban-evasion control at signup
Kernel anti-cheat (Vanguard, EAC, BattlEye) watches the running game; it doesn't stop a banned player making a fresh account on the same machine. Bind the account to the device at signup: a hardware identity is far harder to spoof than a disk-serial HWID, and it works before the game even launches.
Where it sits
Root Herald is the identity layer underneathyour anti-cheat, not a replacement for it. Anti-cheat = "is the running process clean?". Root Herald = "is this the same device that we banned last week?" and "is this 1 device or 40 smurf accounts on 1 device?".
- On account creation, the launcher/client collects an opaque
evidenceblob (over a nonce your server minted), with no keys on the client. - Your backend calls
rh.verify()server→server, gets a stabledevice.ueidback directly. - Check it against your ban list and your per-device account cap; store it against the new account.
- Optionally re-appraise on launch and on ranked-match join to catch device swaps mid-life.
import { RootHerald } from "@rootherald/node";
const rh = new RootHerald({ secretKey: process.env.RH_SECRET_KEY! }); // rh_sk_…
// Earlier: rh.issueChallenge() -> relay nonce to the launcher.
// The launcher quotes over it and posts back { challengeId, evidence }.
const verdict = await rh.verify(body.evidence, {
challengeId: body.challengeId,
policy: "rootherald:builtin:strict-hardware",
});
if (verdict.device.verdict !== "pass") return forbid("device_check_failed");
if (await banList.hasDevice(verdict.device.ueid)) return forbid("device_banned");
const count = await accounts.countByDevice(verdict.device.ueid);
if (count >= MAX_ACCOUNTS_PER_DEVICE) return forbid("too_many_accounts_on_device");
await accounts.create({ ...input, deviceId: verdict.device.ueid });Policy
Use rootherald:builtin:strict-hardware-permissive-mobile if you ship on mobile: it accepts Android TEE (not just StrongBox) and macOS Secure Enclave, which keeps legitimate phones from being false-positived, while still rejecting emulators and cloud vTPMs (the BlueStacks-farm and cloud-gaming-VM cases). Desktop-only? The defaultstrict-hardware is right.
emulated-swtpm or mobile-android-software is exactly the smurf-farm signature. Under a strict policy it fails the check; under a Warn policy it comes back with verdict: "warn" so you can shadow-ban or queue for review instead of hard-blocking.