Romanian Cyber Security Journal / Spring 2026, No. 1, Vol. 8

A Structured Security and Privacy Assessment of Unity Authentication for Immersive Applications

Mihnea-Vlad NICOLAE, Ionuț-Andrei MOCANU, Răzvan-Alexandru DUȚESCU, Cătălin-Andrei NICULESCU

---

Abstract

This paper presents a structured security and privacy assessment of Unity Authentication approaches for immersive applications, with emphasis on Unity Player Accounts, OpenID Connect, and Custom ID sign-in. The study combines documentation analysis, prototype implementation, and Wireshark-based traffic observation to identify developer responsibilities and practical integration risks. The analysis focuses on trust boundaries, token handling, account linking, session persistence, backend hardening, service-account protection, and GDPR-relevant data processing. A Unity XR prototype was implemented to examine the Unity Player Accounts sign-in workflow and to identify authentication-related network endpoints during passive Wireshark observation. The results show that HTTPS/TLS protects authentication payload confidentiality during passive capture, but observable metadata still reveals infrastructure dependencies and identity-provider involvement. The paper argues that the main security risks in Unity-based authentication are implementation-level weaknesses rather than transport-layer exposure. The contribution is a reproducible assessment framework and a set of practical recommendations for integrating Unity Authentication securely and privacy-consciously in metaverse and XR environments. Unlike prior work that addresses metaverse authentication at a general level, this paper focuses specifically on Unity Authentication as a commercial game-engine identity layer and evaluates its integration risks in an XR prototype.

Keywords

Unity Gaming Services, User authentication, Service account protection, Custom ID sign-in, Identity management