kabumere asked

Best practice for caching a previously authenticated user?

So I've implemented logging in with Facebook as well as logging in with Android ID as well as custom ID for iOS and PCs for my Unity game. However as of right now even if you logged in before, I still make the user click to either use Facebook or their Device on each subsequent login/authentication.

What is the best way, or recommended practice, for caching/saving a user's last preferred method of authentication, and auto logging them in next time?

Right now I'm thinking of just using Unity's PlayerPrefs in a manner such as:

1) User enters app. Checks if PlayerPrefs.HasKey("AuthMethod") is true.
2) If false, let user choose a login/authentication method.
3) If they choose Facebook and successfully login, set PlayerPrefs.SetString("AuthMethod", "Facebook") and PlayerPrefs.SetString("Key", "insertAccessTokenFromFacebookHere").
4) If they choose iOS Device and successfully login, set PlayerPrefs.SetString("AuthMethod", "iOS Device") and PlayerPrefs.SetString("Key", "insertCustomIDHereHere").
5) If they choose Android Device and successfully login, set PlayerPrefs.SetString("AuthMethod", "Android Device") and PlayerPrefs.SetString("Key", "insertAndroidIDHereHere").
6) Now the next time they login, PlayerPrefs.HasKey("AuthMethod") should be true. So I'll see what its value is, and log user into that account using the appropriate PlayFab API call for it. If it's successful, user proceeds to app. If it returns an error, the key probably expired (should only happen with the Facebook Access Token in my example, right? Custom/Android ID should never expire), so I'll make them re-choose a login method as if it were their first time in the app.

Is this a good flow? Are people's Custom IDs / Android IDs / Facebook Access Tokens private, as in having them visible could leak personal info? Because I hear PlayerPrefs is saved in a plain text file. I could encrypt values before I save to PlayerPrefs, but I'd prefer to avoid that overhead if IDs and Access Tokens don't leak information.

Or if this is not a good workflow for entry into the app, please give me some ideas! Thank you.


brendan answered

Our main recommendations on best practices for authentication are in our blog post on this subject:

In general, you want to keep the friction of sign-in as minimal as possible. Device ID sign in is good for this, as is any service where you know the player has to have signed in to be able to play, as with Steam games and Facebook Canvas titles. You need to balance that against the need for an authentication you can use cross-platform/device, so that you can get the player to the same account consistently. And finally, you need to be aware of when you need to have a valid current service token for service-specific functionality (we can't get the player's Facebook friends if we don't have a recent Facebook token for the player).

In terms of saving information locally on the login system to use, that's definitely worth doing, but it's also important to plan for the case where a player is signing in from a new device, as with a changed phone (or similar circumstance). As far as PII is concerned, it's best to talk to your own legal counsel. In general, if the thing being saved does not provide access to private information about the user, you should be fine.
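
The cached-login flow discussed in this question and answer, as an added example rather than code from the thread or from PlayFab: it remembers only the chosen method and a randomly generated custom ID, and asks the Facebook SDK for a token at each launch instead of writing one to PlayerPrefs. `GetFacebookToken`, `ShowLoginChooser`, `EnterGame` and the `CustomId` key are hypothetical names, and the title ID is assumed to be configured already.

```csharp
using System;
using PlayFab;
using PlayFab.ClientModels;
using UnityEngine;

// Added example (not from the thread). Assumes PlayFabSettings has the TitleId set.
public class CachedLogin : MonoBehaviour
{
    const string MethodKey = "AuthMethod";  // key name used in the question
    const string CustomIdKey = "CustomId";  // assumed key name

    // Hypothetical hooks supplied by the game; none of these are PlayFab APIs.
    public Func<string> GetFacebookToken;   // returns the Facebook SDK's current token, or null
    public Action ShowLoginChooser;         // first-run and fallback UI
    public Action EnterGame;

    void Start()
    {
        if (PlayerPrefs.HasKey(MethodKey)) Login(PlayerPrefs.GetString(MethodKey));
        else ShowLoginChooser();
    }

    // Called with the cached method at startup, or with the player's choice from the chooser.
    public void Login(string method)
    {
        Action<LoginResult> ok = _ => { PlayerPrefs.SetString(MethodKey, method); PlayerPrefs.Save(); EnterGame(); };
        Action<PlayFabError> failed = e => { Debug.LogWarning(e.GenerateErrorReport()); Forget(); };

        if (method == "Facebook")
        {
            // The token is requested fresh on every launch and never written to PlayerPrefs.
            string token = GetFacebookToken();
            if (string.IsNullOrEmpty(token)) { Forget(); return; }
            PlayFabClientAPI.LoginWithFacebook(new LoginWithFacebookRequest { AccessToken = token, CreateAccount = true }, ok, failed);
        }
        else if (method == "Android Device")
        {
            PlayFabClientAPI.LoginWithAndroidDeviceID(new LoginWithAndroidDeviceIDRequest { AndroidDeviceId = SystemInfo.deviceUniqueIdentifier, CreateAccount = true }, ok, failed);
        }
        else
        {
            // iOS and desktop: a random ID created once and saved locally.
            if (!PlayerPrefs.HasKey(CustomIdKey)) PlayerPrefs.SetString(CustomIdKey, Guid.NewGuid().ToString("N"));
            PlayFabClientAPI.LoginWithCustomID(new LoginWithCustomIDRequest { CustomId = PlayerPrefs.GetString(CustomIdKey), CreateAccount = true }, ok, failed);
        }
    }

    // Drop the cached method (but keep the custom ID) and ask the player again.
    void Forget() { PlayerPrefs.DeleteKey(MethodKey); ShowLoginChooser(); }
}
```

The saved custom ID is itself the credential for that account, so it is generated randomly rather than derived from anything guessable.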


kabumere commented

Hey Brendan.

I followed this advice months ago and went frictionless for initial account set up using the player's current device. Since I'm making my game cross platform (iOS, Android and Desktop) in a sense, I want people to be able to access their entire game account from mobile or desktop so I decided to also include linking a PlayFab account functionality.

Some scenarios/questions I was confused on however:

User plays for first time on Android and gets an account created automatically using that device. User also downloads and plays Desktop version getting yet another account created using the PC (w/ LoginWithCustomID). User now opens the Android app and adds a user/pass. Now the Android device and PlayFab account are linked.

1) At this point, the user can't link any other devices to the PlayFab account right (not desktop nor iOS)? Only one device linked to a PlayFab account?

2) If the user unlinks the Android, then chooses to link the desktop to the PlayFab account, the next time they login with the Android, will the account reflect the PlayFab account at the point it was unlinked, or will the Android account be what it was way back when it was first added to the PlayFab account?

brendan commented, replying to kabumere

1) Actually, the user can link any other devices he or she wants to. There isn't a limit on that. We do have an issue currently that for each device type, only the most recently linked is shown in the game manager and User Account Info results, but the user can indeed have multiple iOS and Android devices linked.

2) In your example, you've created two distinct PlayFab accounts: First, you created one from the Android device, then you created one from the PC. If you unlink the first account and link to the second, then the second is the one you have access to.

kabumere commented

3) If a user has already started an account on mobile and an account on desktop before they realize they want to have one account for all platforms, is there a method for merging multiple accounts into a single PlayFab account, or will the user have to choose which account they currently like the most in terms of progress made, then choose that account to add the username/password to, then go on the 2nd device and login with playfab (and thus losing any progress made on that 2nd device)?

brendan commented, replying to kabumere

You could do this either way. It's easier to have the player pick one account and just use it, but you could sign the player into both accounts, read data from the one you're going to "abandon" and merge that data into the one you're going to keep.

ryanbernstein commented, replying to brendan

Sorry to bump an old thread but is there a good way to handle this process? How do I "sign the player into both accounts"?

kabumere commented

In response to your reply to number 2, how is that situation creating 2 distinct playfab accounts? If a user first creates the PlayFab account on their android device, that's 1 PF account so far right? Then they unlink the android device and get on desktop and link the pc. So wouldn't it still be 1 PF account, except now the desktop is linked to it, not the android?

Also, if multiple devices can be linked to an account, how do we let the player choose which to use when they login? So say a user linked 1 ios, 1 android and 1 pc to a single playfab account. When they log in through the PC with PF, is it possible to show them all 3 devices (and stats and so on) that are linked to the account so they can choose which to load up, or will they automatically be returned the stats for the PC device in that scenario?

kabumere commented, replying to kabumere

Having multiple devices linked to a single account seems like it could get messy quickly tho. Is there a guide on how I'd only allow 1 device of any type to be linked to a PF account?

I want it so a user can start playing on say android for the first time, and have an account created using the android device. Then they add a username and password to that android (now creating a playfab account). Now whenever they play on ios or desktop and they sign into the PF account, they only are able to use the stats and profile from the android device- if they want a new PF account for the ios or desktop specific stats, they have to create new unique PF accounts for them, they can't link them to the PF account that holds the android stats.

I'm thinking to accomplish this I should create two buttons, Link to New account and Login with Existing. Link to New lets users add a new user/email/pass with the current device (creating a new playfab login), whereas login with existing will pull down the stats associated with the existing account (essentially hiding the device specific stats until you log out of the PF account).

Does this seem correct to you to allow only the desired functionality?

brendan commented, replying to kabumere

The user flow you described above was that you created an account on the Android device, then created an account from the PC. That's what I mean by two accounts.

Your follow-up is correct - and you may want to review this post: In short, the user experience should be to let players either jump straight into gameplay (creating a new account) or log into an existing account, so that they have an easy way to get back to their saved game (started on another device). You then link that new device (or create a CustomId and save it locally, as in the PC case) so that you can always sign back into it easily, without having to ask the player for more info. And, in the case where they wind up with two (or more) accounts, you can present them with the choice of which to keep, and then unlink from the one they're getting rid of in order to link to the one they're keeping.

Will Iverson answered

Hi - I'm using the Java SDK, and it looks like changing the _authKey in the PlayFabClientAPI to public and manually setting that will allow for seamlessly restoring a session, assuming that I do a round-trip to the PlayFab server. Is that right, or am I doing a Bad Thing(tm)?


brendan commented

In short, the Session Ticket you get from PlayFab on a user sign-in is good for 24 hours, currently. You should always check for errors on any API call and handle them appropriately, signing the player back in as needed, but basically, if you have a Ticket, then yes, however you want to re-use it on the local client is fine.
