question

This is a tricky question. Anonymous login can cause abusive uses and it cannot be completely avoided, however one thing you can do is to increase the time cost for the users (I will offer an example).

We usually do not suggest using Custom ID because it is not safe enough and players should not be able to input custom ID on their own. Generating random custom ID is a solution while for mobiles devices, LoginWithIOSDeviceID and LoginWithAndroidDeviceID are recommended because the device ID is unique.

You have mentioned that it is a website game. When player starts the game for the first time, there should be data to download and cache locally. You can config that if player wants to sign out and is about to create an another anonymous account after he has logged in, the all cached data should be deleted and re-download(user login information is with cached data). This will take some time and reduce the frequency of creating new accounts. In addition, you should not expose deleting data option on the GUI, which means players have to manually delete. Some Japanese mobile games are using this method to prevent players creating starter accounts but generally speaking, it won’t work efficiently. People always get ways to generating starter accounts if they want.

Thus, if you want to avoid abusive uses to some extent, another method is not providing anonymous login. Register processes should be required and no matter using username/email or logging with 3^rd party platform accounts (Facebook, Google, Apple…), they will all improve the situation.

I have a related question to this one.

I would like to use PlayFab to track user engagement via events with the client API, but to avoid dealing with the more complicated parts of the General Data Protection Regulation GDPR in the EU I would like to keep the tracking unrelated to personal information of the user. Hence I would use authentication via CustomID with an unique and static device-id from the user's device + CreateAccount enabled.

But wouldn't that mean that anyone who found out my game's PlayFab Title-ID (via reverse engineering etc.) could then use any of the PlayFab SDKs to start spamming events to maliciously skew/invalidate analytics or try to hit the event rate-limit for the used pricing plan?

Thanks

,

I have a somewhat similar question.

I am most interested in using PlayFab to track the occurance of certain events on the client (analytics), ideally without relating the data directly to personal information of a user (because of the General Data Protection Regulation GDPR in the EU this is really important)

My understanding is that I can do this by posting events authenticated only via CustomId based on some unique device-id.

But now my question is, if a user were to find out (by reverse engineering the client program) the PlayFab Title-ID of my game, wouldn't that mean that they could just download any PlayFab SDK and start spaming / abusing the client API ?

For smaller player-bases this could be done to maliciously skew the data or the intent could be just to reach the event-rate limit.

Am I missing something? Can this be prevented while still maintaning the requirement for anonymous tracking/analytics ?

Thanks