question

brendan avatar image
brendan asked

User login flow

Question from a developer:

Here's my proposed login flow - can you let me know if you see any issues with this?

  • User signs in on an iOS device using LoginWithIOSDeviceID
  • User signs up with AddUsernamePassword (I am going to assign them a password. They will only have to put in an email)
  • User loses their device or gets a new one
  • User logs into game (this would be a new account with LoginWithIOSDeviceID) and sends a recovery email with SendRecoveryEmail
  • I will send them their password
  • User uses password in their login with LoginWithEmailAddress
  • If successful, they are now on their old account. I will then link their new device id to their old account.

When testing, one thing that came up was that I couldn't unlink one of my test devices. Is this because I am not "logged in" as that user? Also, if I link a device id to one account, will it automatically unlink the device from the last account? Because if it doesn't how does PlayFab know to login a user to which account?

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

·
brendan avatar image
brendan answered

Well first, I'd recommend providing the option to sign into the old account as part of the user flow, so that they can get to their old account right away, rather than going through the password reset process. And to be clear, we do not send out passwords. Any service that does that is one you should discontinue using immediately. If they can send you your current password, that means they're storing it in plaintext somewhere, which is horrifyingly insecure. All our passwords are stored salted and hashed, so that it's impossible to reverse that to get the actual password. Other than that though, the general outline looks fine, and is close to what we recommend in our best practices write-up: https://blog.playfab.com/blog/first-impressions-count-best-practices-friction-free-player-authentication/.

Finally, when it comes to the Client API, the only things you can call without a valid session ticket are login and password reset. You cannot unlink an account if you're not signed into it, for security reasons. But yes, if you use ForceLink to link a new account to a Device ID, that will remove the Device ID link from the original account.

10 |1200
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.