Thanks to the decentralized nature of the puzzle development, the Portal 2 ARG had a truly astonishing variety of puzzles. For the sake of brevity, I'll attempt to categorize the puzzles to talk about what worked well. For specific descriptions of the puzzles, I suggest further reading at the fan wiki and the previously listed postmortems written by the individual developers.
Cryptography and Steganography. Cryptographic puzzles are a mainstay of ARGs. They can have a wide range of difficulties and may require players to apply class cryptology, data compression and analysis techniques to translate data into something useful. Encodings may use Braille, Morse code, ASCII, zip, bit manipulation, image manipulation, frequency analysis, etc.
Cryptographic messages may be used in tandem with steganography, which literally translates as "concealed writing." Codes may be hidden in text, images or audio files. For instance, the Seattle location images revealed in Phase 2 were hidden in the usually-invisible alpha channel of other images.
Expert Puzzles. These are puzzles that require a lot of domain-specific knowledge to solve. They are designed to be solved by one individual who is an expert in a particular game. Expert puzzles may require a player to observe a subtle change in the game universe or to solve a puzzle that would be difficult or impossible for a novice player.
These puzzles work well for leveraging a game's core fan base, which is uniquely qualified for the challenge. These types of puzzles tend to get completed fairly quickly with little fanfare.
Community Puzzles. Some puzzles require a large community working together in unison. For instance, the physical locations that were revealed in Phase 2 needed to be accurately plotted on a map of Seattle. This involved quite a bit of walking around Seattle or perusing Google StreetView to find the exact locations where the photographs were taken.
Social Puzzles. Defense Grid had some particularly interesting puzzles that were easy to solve, but only a select subset of players were given the tools needed to solve them (based on a hash of their Steam ID). As a result, the players rallied together to try to find the individuals they needed, resulting in a tighter social community. In general, these types of puzzles were relatively easy to create, took some time to solve, and were popular with the players.
Elusive Puzzles. With an ARG, it can be tempting to have puzzles with vague objectives that are simple to solve in the hope that, with the sheer volume of players, someone will stumble on the solution. This type of puzzle was the least popular type. If a puzzle doesn't have a clear objective, players tend to find it too frustrating. One simple fix for this problem is to have a way to indicate partial completion so that even if a puzzle requires a lot of experimentation, players know when they're headed in the right direction.
We knew hacking was inevitable, but we didn't realize just how much of an issue it would be. Michael Austin at Hidden Path has a passion for software security, so he played the role of the security expert and suggested precautions that we should each take with our own code.
As for his own code, Michael explained, "I went crazy with security." Not only did he put ample security in place, but he also wrote code that would notify the server whenever it appeared that a player was attempting to circumvent the security measures. "Everything got triggered... every single security measure I put in got hit."
Anticipate. Every time a new content revision is released, we came to expect that at least one hacker would run a full binary diff off the new version to see what's changed. This can make it easy for them to track down new textures our audio files that may contain clues that are supposed to be revealed in the game. A binary diff will also quickly reveal unencrypted strings that are hard-coded into the game's binary.
For many of the puzzles, players needed to a URL to a website hosted on Valve's servers. To make sure that these URLs couldn't be trivially shared between players, Valve set up a system that allowed us to hash the player's Steam ID on the client and verify the hash on the server. Even with this in place, some of these algorithms were hacked by the end of the ARG.
Defensive Strategies. At the very least, programmers should obfuscate strings that could be useful to a hacker. We shared some code between development teams, but for the most part, we encouraged each team to use their own encryption methods to make it harder for hackers to apply their findings in one game to another game.
The Hidden Path team came up with some particularly creative anti-hacking measures. For instance, one strategy is to look for unusually long frame times -- something that would usually only be triggered by a hacker stepping through the code. If this was detected, they had a subroutine that would corrupt all of the important keys so that they were useless to the hacker.
One important aspect of all cheat-detection strategies is to stay silent if cheats are detected. Alerting a hacker may suggest to her that she's playing a legitimate metagame and may encourage her to try a different approach.
Misdirection. For the most part, we tried hard to never lead players on a wild goose chase. That being said, if someone is hacking, they deserve a red herring (or in one case, a Rickroll). Encrypt the important strings in the binary, but throw in a few extras that point to other, unrelated ARGs.
Vocal Minority. The good news is that cheaters, though problematic, are a small minority. One hacker published a way to earn potatoes just by clicking a few URLs that bypass the usual security. Valve tracked this on their end and found that only 1.3 percent of the total potatoes were earned this way. Valve later quietly revoked all of those rewards.
For some people, the journey is its own reward. But let's be honest, most of us at least want a souvenir.
The 36 potatoes that players could earn served as a popular status symbol for tracking player progress in the ARG. They were difficult to obtain through hacking, which kept their value high. To those who earned all 36 potatoes, Valve awarded their Complete Pack with every game that Valve has ever made.
In addition, the developers who were carefully monitoring the fan wiki and IRC channel hand-selected specific individuals who we thought had made a big contribution to the ARG. For those who are under 21, Valve sent a hefty pile of schwag. The others were flown to Valve for the Portal 2 launch party on April 18.