hapygames avatar image
hapygames asked

I guess I have an idea how to prevent users from hacking but is there a way to prevent users from registering, more than once, on the same device?

With the question, I mean to ask if there is a possibility to prevent a Player from having more than 1 Account (to log in with), on the same Device.

I thought this through and like this, preventing someone from hacking, is a lot better.

For example:

Let´s say someone hacks with his created Account, my Game or App.

His/Her Account could be banned but then he/she would just need to create a new one, with any random inputs (E-Mail, Password, Username etc.), and that person would still be able to hack the App/Game.

But if there was a detection to check, if someone on a Device tries to register with more than 1 Account, on that one Device, hacking would be basically nearly impossible at this point.

Actually it would make hacking impossible, because normally you ban the Account of the Player (either through code (scripting) or manually on the PlayFab developer page) and if the Player/User of the App/Game would not be able to create any second Account or more, it would be a big step for Developers to protect their Game.

If this is not a feature yet, maybe it could become one?

Account ManagementAuthentication
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

brendan avatar image
brendan answered

While it would be nice to be able to block hackers entirely, what you're describing isn't actually possible (though you can prevent it as much as possible with service-verified accounts - more on this below). There are a few different login systems available:

1. As you say, username/password or even email/password systems allow the user to create as many logins as they like.

2. Any non-service-verified login system, like any of the ID-based logins (device ID, custom ID) can simply be spoofed with another ID using a modified client. It's not possible to validate that ID, nor is it possible to prevent a hacked client from putting whatever it wants in that ID.

3. Service-verified accounts (all the consoles, Twitch, Google, as well as Open ID Connect auth) are backed by an identity authority that we make service-to-service calls to, in order to validate the identity of the user. These are reliably unique and cannot be spoofed, though depending on the provider, it may be possible for the user to create more than one account in their system.

So, if you require that the player sign in with a service-verified account, you can at least make sure that the hacker has to create multiple valid accounts with that service in order to have more than one PlayFab account. You can turn off all the other login API methods using the API permission policy (

10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.