Per default, anybody can connect to any connection with any user if they simply know the gameid and connectionid. Since this is insecure, you can specify that connections require authentication via a secret key.
Unless you set up your own server to use a secret key or use a 3rd party login system, there is nothing stopping someone from connecting with the UserID of ‘simpleHighRankedPlayerGuy’ or ‘simpleAdminMan’ and being treated as though they were that player who had logged in with that player's password.
From my understanding, a simple solution would be a connection option to simply disable connecting using the Connect() method and require that a client must use simpleConnect() or one of the other validated methods of connecting. Similar to how you have the option to require an Email when registering, you would just be requiring a password to connect. If a user decided to play as a guest, the client would connect with a UserID of “Guest” and a public, pre-set password. Now someone cannot log in with whatever userID they want unless they also know that user's password.
Right now I cannot figure out a way, with the current options, of avoiding a server without compromising security, and I believe adding this option would be a valuable feature.
Please correct me if I misunderstood something about user verification or the documentation. I am in no way very knowledgeable on this subject. Hopefully this is a viable, easy-to-implement feature. If not… well, I’ll have to figure something else out or just accept that my game is not secure without a separate server. I just thought I would make the suggestion.
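How a secret-key check of the kind mentioned in the first paragraph can bind a UserID to a connection, as an added example that is not part of the original post and not the platform's own API. The function names, the `timestamp:hmac` token layout, the secret and the five-minute window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret. It must live only on the backend that issues
# tokens and on the service that verifies them, never inside the game client.
SHARED_SECRET = b"constructed-example-secret"
MAX_AGE_SECONDS = 300  # assumed freshness window


def _mac(ts: int, user_id: str, secret: bytes) -> str:
    """HMAC-SHA256 over 'timestamp:user_id', hex encoded."""
    return hmac.new(secret, f"{ts}:{user_id}".encode(), hashlib.sha256).hexdigest()


def issue_auth(user_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Backend side: call only after the user's password has been checked."""
    ts = int(time.time()) if now is None else now
    return f"{ts}:{_mac(ts, user_id, secret)}"


def verify_auth(user_id: str, auth: str, secret: bytes,
                now: Optional[int] = None) -> bool:
    """Connection side: accept the claimed UserID only with a valid, fresh token."""
    now = int(time.time()) if now is None else now
    ts_text, sep, mac = auth.partition(":")
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False  # malformed token
    ts = int(ts_text)
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False  # stale token, limits replay of a captured value
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_mac(ts, user_id, secret).encode(), mac.encode())


def demo() -> dict:
    """Run the check against constructed inputs and return each outcome."""
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_auth("simpleHighRankedPlayerGuy", SHARED_SECRET, now=t0)
    return {
        "owner": verify_auth("simpleHighRankedPlayerGuy", token, SHARED_SECRET, t0 + 10),
        "other_user": verify_auth("simpleAdminMan", token, SHARED_SECRET, t0 + 10),
        "no_secret": verify_auth("simpleAdminMan", f"{t0}:{'0' * 64}", SHARED_SECRET, t0 + 10),
        "stale": verify_auth("simpleHighRankedPlayerGuy", token, SHARED_SECRET, t0 + 3600),
    }
```

Because the token is only as trustworthy as the secret, the signing step has to run somewhere the player cannot inspect, which is the separate server the post is trying to avoid.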