question

Basically, you're concerned about a hacker creating fake accounts and increasing your MAU. At a base, all the calls to PlayFab are Web API endpoints, meaning we have no way of knowing whether calls are made from inside your game or not.

We've never seen a title get attacked in this manner, but if you're concerned about this, there are some things that can help (both that we already do, and that you can do):

1. All API calls are rate limited by IP Address in PlayFab, with the login (and register) calls being the most limited.

2. You can use a sign-in that requires a real account in another service. For example, if you're shipping a game on Steam, only use the Steam login.

3. You should disable all the other login calls, so that nothing else can make a player account. That's considered a Best Practice and we encourage all titles to do so. You can turn off all the Client API endpoints you're not using via the permission policies (https://blog.playfab.com/blog/permission-policies).

4. If you believe you're seeing this behavior and you're in the Pro or Enterprise tier (the only cases where it would matter, since they're the only ones that have a MAU-based fee), let us know and provide all the details you can. If we find that there's clear evidence of a hacker messing with you, we'll help however we can.

Specific to your questions:

1. and 2. See above. While we haven't seen this, if you think it's happening to you, let us know via the ticket support system.

3. Yes. Also above.

4. Not currently, and trying to do so wouldn't help much for your scenario, in any case. Anyone with even a small amount of technical skill would use things like VPNs to appear to be coming from different locations. Geo restrictions are really only effective for closed platforms like consoles - and even then, they're not 100% protected against a sophisticated attacker.

5. Yes, see above (permission policies).

6. Not currently, but feel free to "like" that in our Feature Request backlog: https://community.playfab.com/idea/11981/google-authenticator-authy-for-us-not-clients.html. But what are you referring to when you say you could "expose passwords or caches"? What are you storing that could do that? If you mean passwords stored in PlayFab, they're not stored as passwords. They're one-way crypto-hashed data, so that not even we can get the password from it. We just compare the hash of what's submitted on a sign-in to it, to see if they match. As an aside, any site that can send you your current password is storing them insecurely, and you should help them to understand that they shouldn't do that. I personally will not use any site or service that I determine stores passwords insecurely.

7. No. All data for the service is backed up in a triple-redundant manner as part of our disaster recovery plan, but it is not stored on a per-title or per-user basis.

8. The newer data store we use is Azure Data Warehouse, which you can use in conjunction with other Azure data services. That's in private preview right now, but it will be in public preview later in the summer, barring any issues. To be clear, no, we cannot re-route all your title event traffic to an Event Hub in your Azure account. But it is possible to pull data from the Azure Data Explorer link we provide to use in your own account however you like.