my scenario is the following: linking devices on the same platform (e.g. Android -> Android) is not an issue, since this is covered via LinkGoogleAccount etc. Linking devices cross-platform (e.g. Android -> iOS) is not an issue either, provided that a top-level link for both platforms is supported (e.g. LinkFacebookAccount).
The scenario I'm having issues with is where such a top-level link (Facebook) is not supported, for example when linking from Steam to Android or vice-versa. I don't want to force players into registering a PlayFab account with email and password in this case. The system I'm having in mind is similar to the one Clash of Clans is using: if you want to link with an 'external' device, they create a code that is valid for 2 minutes. You enter this code on the new device, and your account is then linked to the old device successfully. There is a video showing this process here (https://www.youtube.com/watch?v=iVr70hWGv5M).
So, to implement something like this, I've thought about several techniques. First, AddUserNamePassword - as explained in this blog post (https://playfab.com/first-impressions-count-best-practices-friction-free-player-authentication/), is not a solution: device A would call AddUserNamePassword and display the password for device B. Since you can't change the password again without sending an email, the displayed credentials would be always valid i.e. never expire. There is no RemoveUserNamePassword method or way to 'unlink' this later either.
Second, a combination of CloudScript+UserInternalData+CustomID came to my mind. Device A calls ExecuteCloudScript that writes a key to the UserInternalData entry (automatically adds a timestamp value). Device A then calls LinkCustomID using a ID+Password string to create an access point for device B. Device B calls ExecuteCloudScript and checks the UserInternalData entry of the old account. If it's still within 2 minutes and the key matches, returns success and lets device B call LoginWithCustomId with the ID+Password displayed earlier on device A. After login, device B calls Link...DeviceID and UnlinkCustomId to remove the (now obsolete) previous login.
Actually, it would be a lot nicer if I would be able to let the server manage all the Link...DeviceID and UnlinkCustomID calls, but since CloudScript can't execute client API this seems like the way to go. Does that make any sense? How would you go about implementing a time-limited/secure cross-platform link system like Clash of Clans in PlayFab instead?