Change email or password for a user

he2
started a topic on Thu, 17 September 2015 at 8:40 AM

We have just met a problem with the PlayFab API: when a user creates an account, his password and email can't be changed. This is a problem with an active account. Here is an example: a user creates an account, plays and buys a few things in-app. For some reason he needs to change his password or email... But that's just not possible. And what if for some reason the email is not correctly input the first time, how can the user recover his account? I can't send an email, it's not the correct one. I can't change his password...

So, am I wrong, or does a user have to link his account to Steam, Facebook, Google+ or the Game Center to be sure?

Why not add features like :

  • Client/UpdateUserPassword with input parameters (oldpassword, newpassword)

  • Client/UpdateUserEmail with input parameters (newemail, password)

Do you plan to add those features ?

1 Answer

Best Answer
Brendan Vanous said on Fri, 18 September 2015 at 6:50 PM

The user can change his password, by triggering a password reset email, which is a Client API call. Email address changes are actually extremely unusual for game services in general - you'll note that there's no way to do this in Xbox Live or Playstation Network, for example. However, you (the developer or publisher of the title) do have the ability to change the user's email address, both via the Admin API and the Game Manager if you need to, enabling the customer service scenario where someone needs their email address changed and is able to reliably show you that they are the legitimate owner of the account.

To be clear, our original stance on this dates back to when we had all the accounts in a single user space, which was a design chosen to enable a range of features for titles around shared data (think of the way Apple uses the advertising ID for players - the intent was to provide the functionality that enables to all titles). Since then, we updated the service so that all Studios are assigned Publisher IDs on creation, and those Publisher IDs are used for their titles, so that they can share data across their titles and have a distinct space for their users which is not shared with any other publisher. Given that, a user change to password or email would only impact a single publisher's users, now. However, we are working with some publishers who have many distinct developers working on titles in their Publisher ID, which presents a risk that publishers may not find acceptable.

So I'm glad you brought this topic back up: I'm going to add an item to the backlog for us to re-consider this functionality. To set expectations realistically, it's likely that this would need to wait until we add the Publisher level of control to the Game Manager, so that different developers working for a publisher can't cause problems for each other.

Brendan


4 Comments
Brendan Vanous said on Thu, 17 September 2015 at 7:10 PM

Giving the client the ability to change the password or email would create a significant security risk to titles that we would prefer to avoid. Right now, the client can call https://api.playfab.com/Documentation/Client/method/SendAccountRecoveryEmail to allow the player to change the password. Email addresses may be changed by a trusted member of your team (or a customer service rep working for you) via the Game Manager, on the Players view for the user account.

We would strongly encourage giving users as many different options for how to "complete" their account with something more reliable than a Device ID, including all the options you mentioned. That would allow players to choose what works best for them (or what they like most).

Brendan


he2 said on Fri, 18 September 2015 at 2:37 AM

I perfectly understand the significant security risks. But it's also very strange for a user to not be able to change his email or password. I unfortunately can't explain to a player that he can't change his email address, even if we have good reason to do it :)

I'll try to find a solution with the ability to link the account with facebook or g+

And what about Client/UpdateUserPassword(OldPassword,NewPassword) ? Almost every website/soft are doing this.

Anyway, thanks for all your answers and the time spent to resolve this problem !


he2 said on Sat, 19 September 2015 at 3:12 AM

Thanks for the answer, the time spent on it and your consideration ! (I might even add, as usual ^_^)
