Joss asked

Custom Login ID Security

We are developing an app for the Quest 2 and are considering what ID to use for the PlayFab login. We want the PlayFab account to be tied to the Oculus/Meta account so that the user could log in on a different device and still be able to access their in-game data. The easiest way would be to directly use the user's Oculus ID as the PlayFab login ID, but we are not sure how easy this would be for a hacker to obtain.

My question is, if a hacker were to find out a user's PlayFab login ID, to what extent could the hacker affect that user's account? We are planning on setting up PlayFab so that most, if not all, of the player's data can only be changed by the server itself and is read-only client side. However, we are still concerned that they would be able to "spoof" the user and make the same server requests that the user might in order to make changes to the data.

Thank you for your help!

Player Data

1 Answer

Xiao Zha answered

If the Custom Login ID you mean is the CustomID in the LoginWithCustomID API: since it's just a string, and any single-string identity for login is not good for safety, we recommend other login methods, such as email + password. If you use the Custom ID, anyone who can get your CustomID can do the same things the user does, including being able to "spoof" the user and make the same server requests that the user might in order to make changes to the data. In addition, login with a custom ID is used for silent login, which has the premise of a comparatively safe environment, and it only helps improve the gaming/login experience of players instead of ensuring safety.
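A toy in-memory model of the point made in the answer above, added here as an illustration; it is not part of the original thread and is not PlayFab code. `ToyAuthService`, its methods, the coin balance and all sample values are hypothetical. It shows that when the identifier is the only login input, server-side validation of writes cannot tell two callers with the same string apart, while the email + password path rejects a caller who knows only the email.

```python
import hashlib, hmac, os, secrets

class ToyAuthService:
    # Constructed in-memory model of two login styles; not the PlayFab API.
    def __init__(self):
        self.by_custom_id = {}  # custom_id -> player_id
        self.by_email = {}      # email -> (salt, password digest, player_id)
        self.sessions = {}      # session ticket -> player_id
        self.coins = {}         # player_id -> balance, writable only by the server
    def _new_player(self):
        player_id = f"P{len(self.coins) + 1}"
        self.coins[player_id] = 100
        return player_id
    def _issue(self, player_id):
        ticket = secrets.token_urlsafe(32)
        self.sessions[ticket] = player_id
        return ticket

    def login_with_custom_id(self, custom_id):
        # The identifier is the only input, so it is also the only credential.
        if custom_id not in self.by_custom_id:
            self.by_custom_id[custom_id] = self._new_player()
        return self._issue(self.by_custom_id[custom_id])

    def register_email(self, email, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.by_email[email] = (salt, digest, self._new_player())
    def login_with_email(self, email, password):
        salt, stored, player_id = self.by_email.get(email, (b"", b"", None))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        # Knowing the identifier (email) is not enough; the secret must match.
        ok = player_id is not None and hmac.compare_digest(stored, digest)
        return self._issue(player_id) if ok else None

    def spend(self, ticket, amount):
        # Server-authoritative write: the amount is validated, the caller is not.
        player_id = self.sessions[ticket]
        if not 0 < amount <= self.coins[player_id]:
            raise ValueError("rejected by server-side validation")
        self.coins[player_id] -= amount
        return self.coins[player_id]

def demo():
    svc = ToyAuthService()
    first = svc.login_with_custom_id("1234567890")   # constructed sample ID
    second = svc.login_with_custom_id("1234567890")  # any caller with the string
    svc.register_email("player@example.com", "correct horse battery")
    denied = svc.login_with_email("player@example.com", "wrong guess")
    return svc.sessions[first] == svc.sessions[second], svc.spend(second, 40), denied
```

If a custom ID is used at all, the model implies it has to be treated like a secret: generated randomly and kept private, rather than reused from an identifier other parties may see.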
