question

David Fielder avatar image
David Fielder asked

,Email Login, customID, best practice

I am developing a PC VR game ( with plans to port it to Oculus ( which is Android ) ). using PlayFab and Photon for the authentication, game services and real-time networking. I'm using the demo scene PlayFabSignIn . I was initially stumped when trying to create two accounts, but realized that deviceID was being used as the customID, and hence I was getting a "user already exists" error. I do not want to the account strictly tied to the device, as multiple users may use the same device to create an account (e.g. different family members ).


Side note, the GUI in the demo is somewhat misleading since it is asking for a user name, but really what it wants is an email address. This was my initial point of confusion when the error says that the user already exists ( was duplicate customID/deviceID, not duplicate email address )


So the question is, what would be the best practice for assigning a customID other than device ID? My initial thought is to use a large random number/string for the initial account creation. The odds of a collision will be rare at best, and worst case, the user simply tries again and gets a unique ID the next time.


Would this be a good approach from a security point of view? If not, what would be a better way of generating the custom ID?

,

I am developing a PC VR game ( with plans to port it to Oculus ( which is Android ) ). using PlayFab and Photon for the authentication, game services and real-time networking. I'm using the demo scene PlayFabSignIn . I was initially stumped when trying to create two accounts, but realized that deviceID was being used as the customID, and hence I was getting a "user already exists" error. I do not want to the account strictly tied to the device, as multiple users may use the same device to create an account (e.g. different family members ).

Side note, the GUI in the demo is somewhat misleading since it is asking for a user name, but really what it wants is an email address. This was my initial point of confusion when the error says that the user already exists ( was duplicate customID/deviceID, not duplicate email address )


So the question is, what would be the best practice for assigning a customID other than device ID? My initial thought is to use a random number/string for the initial account creation. The odds of a collision will be rate at best, and worst case, the user simply tries again and gets a unique ID the next time.

Would this be a good approach from a security point of view? If not, what would be a better way of assigning a unique customID without using device ID?

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Seth Du avatar image
Seth Du answered

In terms of the scenario you have mentioned, it is better to append random length string to the device ID string as custom ID.

However, the Custom ID, along with LoginWithCustomID API, is for silent login. Usually we will recommend to use Login with device ID related API instead, where more information can be contained for the authentication, you can also append random generated string at the end of the real device ID so that multiple accounts can exist in the same device.

After the first successful login, we may suggest the user to add username/password or email/password match as a recoverable login identity.

Please also refer to the official tutorial on: https://docs.microsoft.com/en-us/gaming/playfab/features/authentication/login/login-basics-best-practices.

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

David Fielder avatar image
David Fielder answered

@SethDu Thank you very much for your reply. Indeed, I am following up the initial silent login with

LoginWithEmailAddress() as per the demo scene. It does makes sense to start with the device ID. I see that it is easy to search for all users with that device ID in the back end.

I noticed that your need a hyphen or other non-alpha numeric character before the random portion to properly search for it in the back end. e.g. [device-id]-[random_string], I can enter [device-ID] and it will find all accounts with that device ID, but not if [device-id][random_string]. Anyhoo, just mentioning that as a point of interest.

I'm considering using the email address instead of a random string instead, so it's 100% deterministic. From a security point of view, is there any harm in leaving the email address as is, or should it be encrypted/hashed?

e.g. [Device-ID]-[foo@you.com] vs.[Device-ID]-[Encoded-Email]

This of course would be the email address used when initially creating the account and it won't change if the user decides to change their email at a later time.

1 comment
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Seth Du avatar image Seth Du ♦ commented ·

I think encrypted/hashed will be slightly better, though the safety would be the very similar.

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.