Skip to content
Guide · Games

Smurf & ban-evasion control at signup

Kernel anti-cheat (Vanguard, EAC, BattlEye) watches the running game; it doesn't stop a banned player making a fresh account on the same machine. Bind the account to the device at signup: a hardware identity is far harder to spoof than a disk-serial HWID, and it works before the game even launches.

Where it sits

Root Herald is the identity layer underneathyour anti-cheat, not a replacement for it. Anti-cheat = "is the running process clean?". Root Herald = "is this the same device that we banned last week?" and "is this 1 device or 40 smurf accounts on 1 device?".

  1. On account creation, the launcher/client collects an opaque evidence blob (over a nonce your server minted), with no keys on the client.
  2. Your backend calls rh.verify() server→server, gets a stable device.ueid back directly.
  3. Check it against your ban list and your per-device account cap; store it against the new account.
  4. Optionally re-appraise on launch and on ranked-match join to catch device swaps mid-life.
signup handlerts
import { RootHerald } from "@rootherald/node";

const rh = new RootHerald({ secretKey: process.env.RH_SECRET_KEY! }); // rh_sk_…

// Earlier: rh.issueChallenge() -> relay nonce to the launcher.
// The launcher quotes over it and posts back { challengeId, evidence }.
const verdict = await rh.verify(body.evidence, {
  challengeId: body.challengeId,
  policy: "rootherald:builtin:strict-hardware",
});
if (verdict.device.verdict !== "pass") return forbid("device_check_failed");

if (await banList.hasDevice(verdict.device.ueid)) return forbid("device_banned");

const count = await accounts.countByDevice(verdict.device.ueid);
if (count >= MAX_ACCOUNTS_PER_DEVICE) return forbid("too_many_accounts_on_device");

await accounts.create({ ...input, deviceId: verdict.device.ueid });

Policy

Use rootherald:builtin:strict-hardware-permissive-mobile if you ship on mobile: it accepts Android TEE (not just StrongBox) and macOS Secure Enclave, which keeps legitimate phones from being false-positived, while still rejecting emulators and cloud vTPMs (the BlueStacks-farm and cloud-gaming-VM cases). Desktop-only? The defaultstrict-hardware is right.

Note
A device that classifies as emulated-swtpm or mobile-android-software is exactly the smurf-farm signature. Under a strict policy it fails the check; under a Warn policy it comes back with verdict: "warn" so you can shadow-ban or queue for review instead of hard-blocking.