DeviceID will be used only for guest accounts. After the player link the recoverable login:
- Unlink the DeviceID
- Generate GUID in CloudScript and saved to the Internal Player Data
- Link this GUID on the client and save the GUID in local storage as encrypted string (LinkAndroidDeviceID)
- Add a "log out on all devices" button in the game that will reset the GUID
I do not want to link DeviceID on Android devices because then another person can access the account (if the player sells their phone or temporarily grants access to their account). Players have reported similar cases.
GUID will be a permanent login token until reset. If the scammer somehow gets the GUID then he can use it to steal the account. With DeviceID the same problem. But the GUID can be reset if there are suspicions that someone is playing on your account.
Or is it best to use ONLY a recoverable login? For example, if a player has linked GooglePlay account, then unlink DeviceID and do not use LoginWithAndroidDeviceID?