Keeping Users from Sharing Login Information

Q: I’m building an app that has a monthly fee per user. Users can login via an email and password. I am trying to keep users from sharing a license with other people simply by giving them their username and password. Can AuthRocket help manage this?


A: AuthRocket provides a number of building blocks that can help you build the solution you need.

I would suggest starting by using our Managed Sessions to track all active sessions. This makes it easy to revoke/logout any existing sessions.

Second, every authentication attempt in our service has the ability to track the IP and client info for the user. These also become available as part of the user’s login event history. Using this data, you can see patterns that suggest unauthorized sharing.

For web sessions, we recommend using the full User-Agent header for the client info, as people frequently have subtle differences in their User-Agent strings. For iOS or Android sessions, at login you could simply choose to auto-expire any/all pre-existing mobile sessions other than the newest one, limiting it to one iOS and/or one Android session at a time. Or, include extra data to track things like iPhone and iPad separately, allowing one of each. You might even be able to send the device’s unique advertising ID to get a clearer picture.

Lastly, by default each user is allowed a total of 10 sessions (shared across browsers, mobile apps, etc). We can lower that if needed (it’s an account-wide setting).

Tagged with: password sharing managed sessions

Questions? Find a Typo? Get in touch.