Offline mode is a legacy feature of Minecraft servers that disables the requirement for Mojang user authentication, allowing cracked Minecraft clients such as TLauncher et al. to join.
It can be enabled either by passing the --singleplayer flag to the server jar or by setting online-mode=false in server.properties. However, it carries several risks, legal and especially security-related, which are covered on this page.
Reasons not to use offline mode
Because an offline mode server requires no authentication, anyone can log in under any username. This matters most when players join under specific names, either to gain operator permissions or to relentlessly evade bans.
AuthMe is a plugin for Bukkit servers that coats an insecure offline mode server with a thin veil of ‘authentication’. At most it partially mitigates these vulnerabilities, since other plugins or mods may still provide operator access. Such authentication plugins can also annoy players and give them an incentive to choose weak passwords, which malicious players can then break into, completely defeating the purpose of these plugins.
Using offline mode on your server may also break plugins and mods that rely on UUID lookup, because each ‘account’ has its own unique UUID.
Switching between modes makes this even more of an issue: plugins will have stored data in one format, and changing from online to offline or vice versa makes them default to the respective format, effectively breaking all existing user data.
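The UUID mismatch described above can be checked before a mode switch. The following is an added example, not code from this page or from any plugin: it reproduces how the vanilla server derives an offline-mode UUID (Java's UUID.nameUUIDFromBytes over "OfflinePlayer:" plus the username) and lists which stored records would stop matching. The data store layout, the sample UUID and the helper names are constructed for illustration.

```python
import hashlib
import uuid


def offline_uuid(username: str) -> uuid.UUID:
    """UUID the vanilla server assigns to a username in offline mode.

    Mirrors Java's UUID.nameUUIDFromBytes(("OfflinePlayer:" + name) as UTF-8):
    MD5 over the raw bytes, then version and variant bits are overwritten.
    The result depends only on the typed name, not on any account.
    """
    raw = ("OfflinePlayer:" + username).encode("utf-8")
    digest = bytearray(hashlib.md5(raw, usedforsecurity=False).digest())
    digest[6] = (digest[6] & 0x0F) | 0x30  # version 3 (name-based, MD5)
    digest[8] = (digest[8] & 0x3F) | 0x80  # RFC 4122 variant
    return uuid.UUID(bytes=bytes(digest))


def classify(player_uuid: uuid.UUID, username: str) -> str:
    """Guess which mode a stored UUID was created under."""
    if player_uuid == offline_uuid(username):
        return "offline"
    if player_uuid.version == 4:
        return "online"  # account UUIDs issued by Mojang are random (version 4)
    return "unknown"


# Constructed sample: per-player plugin data keyed by UUID string.
SAMPLE_STORE = {
    # constructed version 4 UUID standing in for an online-mode account
    "7c9e6679-7425-40de-944b-e07fc1f90ae7": {"name": "Alice", "op": True},
    str(offline_uuid("Bob")): {"name": "Bob", "op": False},
}


def orphaned_after_switch(store: dict, new_mode: str) -> list:
    """Names whose stored key will not match the UUID presented in new_mode."""
    return sorted(
        rec["name"]
        for key, rec in store.items()
        if classify(uuid.UUID(key), rec["name"]) != new_mode
    )


if __name__ == "__main__":
    print("Bob offline UUID:", offline_uuid("Bob"))
    print("lost if switched to offline:", orphaned_after_switch(SAMPLE_STORE, "offline"))
    print("lost if switched to online:", orphaned_after_switch(SAMPLE_STORE, "online"))
```

Because the offline UUID is a pure function of the username, permissions stored under it follow whoever types that name.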
Offline mode (cracked) servers are commonly a breeding ground for piracy of Minecraft, which may constitute a violation of the game's EULA, specifically its One Major Rule. This may prove a problem for larger servers, as Mojang may blacklist clients from connecting to them for common EULA violations such as pay-to-win mechanics et al.
Valid Use Cases
However, there are a few valid use cases in which offline mode can be used without such implications. They are listed below:
- Proxies such as BungeeCord and Velocity, which require backend servers to have online mode disabled - the proxy itself must have online mode enabled for this to count
- Offline, locally hosted environments which lack internet access, assuming everyone otherwise owns a Minecraft account
- Locally hosted development servers for testing plugins and mods