Single account with multiple IP addresses detection
- Thread starter xml
- Start date
Dragonfruit
Well-known member
We see this as many users use the same mobility service. One day User-A will have IP-1, then next week User-B will have it.
You could require the subscribers to use 2FA, because that would make account sharing difficult right. Not impossible, but it adds a layer of difficulty.
This one detects users if they have more than 1 account, as opposed to 1 person sharing their account to other people: https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/
You could require the subscribers to use 2FA, because that would make account sharing difficult right. Not impossible, but it adds a layer of difficulty.
This one detects users if they have more than 1 account, as opposed to 1 person sharing their account to other people: https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/
Dragonfruit
Well-known member
No, because that's an unrealistic expectation. You have to understand how people use the Internet these days, they access content from multiple devices, and most ISP service are dynamic IPs, not static. So they can change any time. In addition to some people logging in from their place of work, or the use of VPN for their privacy.
Again, the best solution may be to force 2FA upon subscribers, because a new login will require a 2FA code that only lasts seconds, if they use the Google Authenticator.
gigipmc
Active member
You can check how many simultaneous active sessions an account has on different devices, and allow a user a maximum of 2 concurrent active sessions (e.g. one for his browser and one for his mobile). If there's a 3rd device kicking in, it won't be allowed for say, 2 minutes (e.g. "you are currently active on 2 other devices at the moment, please wait at least 2 minutes and try again").
This way, the password sharing that you want to avoid becomes 'time sharing', meaning when one user is actively using the account, the others can't.. which will probably discourage most users from passing their account around.
This way, the password sharing that you want to avoid becomes 'time sharing', meaning when one user is actively using the account, the others can't.. which will probably discourage most users from passing their account around.
xml
Active member
That is great, how can I activate this feature? is it built in XenForo or I need third party? please give more details
xml
Active member
Many admins will buy this add-on if someone provide it with reasonable price
Forsaken
Well-known member
@gigipmc does great work, or see if @DragonByte Tech will add it to the Security add-on.
We've already corresponded and I will not be developing the add-on for him at this time, if another developer is interested in developing it then it will be nice to see the idea come to fruition 
digitalpoint
Well-known member
As @Dragonfruit mentioned, another option would be to force accounts to use 2FA (which is already something you could enable for the Registered user group via the
Along that same thought, only offer users two-step verification options that can't realistically be shared (disable the option for
The Passkey option in particular would be good because it's also not something where user A can contact user B to have them generate the code for them. It's done via cryptology and the private key isn't exposed to the user. So the user A can't send user B the thing to internally decrypt because user A doesn't see the thing needing to be decrypted and user B doesn't have direct access to the private key needed to decrypt it anyway.
Require two-step verification permission).Along that same thought, only offer users two-step verification options that can't realistically be shared (disable the option for
Verification code via app). Passkeys require physical hardware or a cloud-based account to keep the keys in sync across multiple devices (for example for iOS devices, I really doubt users would go through the trouble of sharing their Apple ID credentials, which is what would need to happen). Another option (although the add-on isn't public) would be 2FA codes being sent to their Telegram account. Also something I doubt that users would be sharing since it's tied to their phone number.The Passkey option in particular would be good because it's also not something where user A can contact user B to have them generate the code for them. It's done via cryptology and the private key isn't exposed to the user. So the user A can't send user B the thing to internally decrypt because user A doesn't see the thing needing to be decrypted and user B doesn't have direct access to the private key needed to decrypt it anyway.
fionix
Well-known member
how can you force a certain usergroup to use 2FA is there an automatic process that would trigger to send out to that usergroup they have to enable it ?
fionix
Well-known member
how would you do that, and hint to what ADD on to install or where to find it in XF ?
gigipmc
Active member
You can activate it in the group permissions ("Require two-step verification" in General Permissions).
It needs to be custom programmed.
fionix
Well-known member
Why isn't @DragonByte Tech or you are going to either put it in the current Security package which I bought or you are doing the ADD, I believe it isn't a huge project for a programmer like you.
I'm willing to pay you $200 for an add on that works like you described it. You may sell it afterwards too I don't care.
I'm willing to pay you $200 for an add on that works like you described it. You may sell it afterwards too I don't care.
Dragonfruit
Well-known member
On the user group permissions, set “Require two-step verification” to Yes.
