Microsoft Azure PlayFab logo
    • Multiplayer
    • LiveOps
    • Data & Analytics
    • Add-ons
    • For Any Role

      • Engineer
      • Designer
      • Executive
      • Marketer
    • For Any Stage

      • Build
      • Improve
      • Grow
    • For Any Size

      • Solo
      • Indie
      • AAA
  • Runs on PlayFab
  • Pricing
    • Blog
    • Forums
    • Contact us
  • Sign up
  • Sign in
  • Ask a question
  • Spaces
    • PlayStream
    • Feature Requests
    • Add-on Marketplace
    • Bugs
    • API and SDK Questions
    • General Discussion
    • LiveOps
    • Topics
    • Questions
    • Articles
    • Ideas
    • Users
    • Badges
  • Home /
  • General Discussion /
avatar image
Question by HDUmi · May 27, 2019 at 06:02 AM · Account ManagementTitle DataPlayStreamwebhooks

Help me answer questions about MAU, PlayStream and Webhook

Hi PlayFab Support,

I have some questions about the PlayFab system.

1. About MAU Calculation: Users who log in once a month are counted as 1 MAU. What happens when people with malicious intent get the Title ID code and register a large number of accounts in my system? Will all accounts and visits count as MAU ?.

2. Does Playfab have a mechanism to remove fake MAU?

3. Is there a mechanism that limits the number of registered accounts per 1 IP / hour? I used firebase, they allow to limit the number of accounts created on 1 IP / hour

4. How can I limit some countries to not use my service?

5. Can the RegisterPlayFabUser feature be disabled on the client?

6. Does PlayFab provide 2-layer security for accounts when logging in? eg verification by phone number or authetication. Because we can for some reason expose passwords or caches, others can access the account and disturb the system.

7. Does PlayFab provide individual user data recovery, user groups or entire users?

8. PlayStream Event Archive feature is currently available for AWS service. I want to use with Azure Event Hub and Data Lake to save PlayStream data for data analysis, do you have a solution to help me? Thank you very much.

Comment

People who like this

0 Show 0
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

1 Reply

· Add your reply
  • Sort: 
avatar image
Best Answer

Answer by Brendan · May 28, 2019 at 02:58 AM

Basically, you're concerned about a hacker creating fake accounts and increasing your MAU. At a base, all the calls to PlayFab are Web API endpoints, meaning we have no way of knowing whether calls are made from inside your game or not.

We've never seen a title get attacked in this manner, but if you're concerned about this, there are some things that can help (both that we already do, and that you can do):

1. All API calls are rate limited by IP Address in PlayFab, with the login (and register) calls being the most limited.

2. You can use a sign-in that requires a real account in another service. For example, if you're shipping a game on Steam, only use the Steam login.

3. You should disable all the other login calls, so that nothing else can make a player account. That's considered a Best Practice and we encourage all titles to do so. You can turn off all the Client API endpoints you're not using via the permission policies (https://blog.playfab.com/blog/permission-policies).

4. If you believe you're seeing this behavior and you're in the Pro or Enterprise tier (the only cases where it would matter, since they're the only ones that have a MAU-based fee), let us know and provide all the details you can. If we find that there's clear evidence of a hacker messing with you, we'll help however we can.

Specific to your questions:

1. and 2. See above. While we haven't seen this, if you think it's happening to you, let us know via the ticket support system.

3. Yes. Also above.

4. Not currently, and trying to do so wouldn't help much for your scenario, in any case. Anyone with even a small amount of technical skill would use things like VPNs to appear to be coming from different locations. Geo restrictions are really only effective for closed platforms like consoles - and even then, they're not 100% protected against a sophisticated attacker.

5. Yes, see above (permission policies).

6. Not currently, but feel free to "like" that in our Feature Request backlog: https://community.playfab.com/idea/11981/google-authenticator-authy-for-us-not-clients.html. But what are you referring to when you say you could "expose passwords or caches"? What are you storing that could do that? If you mean passwords stored in PlayFab, they're not stored as passwords. They're one-way crypto-hashed data, so that not even we can get the password from it. We just compare the hash of what's submitted on a sign-in to it, to see if they match. As an aside, any site that can send you your current password is storing them insecurely, and you should help them to understand that they shouldn't do that. I personally will not use any site or service that I determine stores passwords insecurely.

7. No. All data for the service is backed up in a triple-redundant manner as part of our disaster recovery plan, but it is not stored on a per-title or per-user basis.

8. The newer data store we use is Azure Data Warehouse, which you can use in conjunction with other Azure data services. That's in private preview right now, but it will be in public preview later in the summer, barring any issues. To be clear, no, we cannot re-route all your title event traffic to an Event Hub in your Azure account. But it is possible to pull data from the Azure Data Explorer link we provide to use in your own account however you like.

Comment
HDUmi

People who like this

1 Show 1 · Share
10 |1200 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image HDUmi · May 28, 2019 at 05:36 AM 0
Share

Hi Brenda.

Wish you a good day.

Thank you for the enthusiastic help.

I understood the problem and went on with PlayFab.

Your answer

Hint: You can notify a user about this post by typing @username

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

Navigation

Spaces
  • General Discussion
  • API and SDK Questions
  • Feature Requests
  • PlayStream
  • Bugs
  • Add-on Marketplace
  • LiveOps
  • Follow this Question

    Answers Answers and Comments

    2 People are following this question.

    avatar image avatar image

    Related Questions

    Investigating Hacks into PlayFab 1 Answer

    How to manage multiple possible accounts with multiple data? 1 Answer

    Can not select Studio in Unity EdEx 1 Answer

    Pricing questions 1 Answer

    Problem unlinking an account 1 Answer

    PlayFab

    • Multiplayer
    • LiveOps
    • Data & Analytics
    • Runs on PlayFab
    • Pricing

    Solutions

    • For Any Role

      • Engineer
      • Designer
      • Executive
      • Marketer
    • For Any Stage

      • Build
      • Improve
      • Grow
    • For Any Size

      • Solo
      • Indie
      • AAA

    Engineers

    • Documentation
    • Quickstarts
    • API Reference
    • SDKs
    • Usage Limits

    Resources

    • Forums
    • Contact us
    • Blog
    • Service Health
    • Terms of Service
    • Attribution

    Follow us

    • Facebook
    • Twitter
    • LinkedIn
    • YouTube
    • Sitemap
    • Contact Microsoft
    • Privacy & cookies
    • Terms of use
    • Trademarks
    • Safety & eco
    • About our ads
    • © Microsoft 2020
    • Anonymous
    • Sign in
    • Create
    • Ask a question
    • Create an article
    • Post an idea
    • Spaces
    • PlayStream
    • Feature Requests
    • Add-on Marketplace
    • Bugs
    • API and SDK Questions
    • General Discussion
    • LiveOps
    • Explore
    • Topics
    • Questions
    • Articles
    • Ideas
    • Users
    • Badges