If you have your online service id and token as part of the login and they have information that could only come from the online service (nonce, server token, etc.), then you can assume for a bit that the user is legit, so accept the login request and kick off an async request to validate they are legit/read their data. Once that data comes back, then you can spawn them into the game. Until you have that data, just make them spectators or whatever fits your game design.