Single account with multiple IP addresses detection

xml

Active member
Is there an add-on for single account with multiple IP addresses detection?
I have a paid-subscription forum, and a subscriber might distribute his account username and password.
 

djbaxter

Well-known member
Is there an add-on for single account with multiple IP addresses detection?
I have a paid-subscription forum, and a subscriber might distribute his account username and password.

Or he might be switching between desktop/laptop and mobile. Or he might be using a VPN sometimes. Or he might sometimes be logging in from a public location like Starbucks with his laptop.

Multiple IPs are probably the norm rather than the exception.
 

Dragonfruit

Well-known member
We see this as many users use the same mobility service. One day User-A will have IP-1, then next week User-B will have it.

You could require the subscribers to use 2FA, because that would make account sharing difficult, right? Not impossible, but it adds a layer of difficulty.

This one detects users if they have more than 1 account, as opposed to 1 person sharing their account with other people: https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/
 

xml

Active member
Are there any professional platforms that can host my content and provide protection from username and password sharing?
 

Dragonfruit

Well-known member
Are there any professional platforms that can host my content and provide protection from username and password sharing?

No, because that's an unrealistic expectation. You have to understand how people use the Internet these days: they access content from multiple devices, and most ISP services use dynamic IPs, not static ones, so they can change at any time. In addition, some people log in from their place of work or use a VPN for their privacy.

Again, the best solution may be to force 2FA upon subscribers, because a new login will require a 2FA code that only lasts seconds, if they use the Google Authenticator.
 

gigipmc

Member
You can check how many simultaneous active sessions an account has on different devices, and allow a user a maximum of 2 concurrent active sessions (e.g. one for his browser and one for his mobile). If there's a 3rd device kicking in, it won't be allowed for say, 2 minutes (e.g. "you are currently active on 2 other devices at the moment, please wait at least 2 minutes and try again").

This way, the password sharing that you want to avoid becomes 'time sharing', meaning when one user is actively using the account, the others can't, which will probably discourage most users from passing their account around.
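
Added example, not part of the thread and not XenForo or add-on code: a minimal sketch of the session cap described in the post above. It assumes each device is identified by a random per-device cookie token (`device_id`, a hypothetical name) rather than by IP address, and the class and function names are illustrative.

```python
import time

MAX_SESSIONS = 2    # from the post: e.g. one browser and one mobile
IDLE_TIMEOUT = 120  # seconds; the post's "wait at least 2 minutes"

class SessionLimiter:
    def __init__(self, max_sessions=MAX_SESSIONS, idle_timeout=IDLE_TIMEOUT):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self._active = {}  # account -> {device_id: last_seen timestamp}

    def touch(self, account, device_id, now=None):
        """Call on each authenticated request; returns (allowed, retry_after_s)."""
        now = time.time() if now is None else now
        devices = self._active.setdefault(account, {})
        # Drop devices that have been idle for the whole timeout.
        for dev in [d for d, seen in devices.items()
                    if now - seen >= self.idle_timeout]:
            del devices[dev]
        # Known devices refresh their slot; new ones need a free slot.
        if device_id in devices or len(devices) < self.max_sessions:
            devices[device_id] = now
            return True, 0
        # Over the cap: a slot frees once the least recently seen device idles out.
        retry_after = int(min(devices.values()) + self.idle_timeout - now)
        return False, max(retry_after, 1)

def demo():
    """Replay a constructed timeline of (seconds, device) for one account."""
    limiter = SessionLimiter()
    timeline = [(0, "desktop"), (10, "phone"), (20, "laptop-3"),
                (60, "desktop"), (135, "laptop-3"), (140, "phone")]
    return [(t, dev, *limiter.touch("subscriber-1", dev, now=t))
            for t, dev in timeline]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the timeline the third device is refused while two others are active, gets in once the phone has been idle for two minutes, and the phone is then the one told to wait, which is the 'time sharing' effect the post describes.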
 

xml

Active member
You can check how many simultaneous active sessions an account has on different devices, and allow a user a maximum of 2 concurrent active sessions (e.g. one for his browser and one for his mobile). If there's a 3rd device kicking in, it won't be allowed for say, 2 minutes (e.g. "you are currently active on 2 other devices at the moment, please wait at least 2 minutes and try again").

This way, the password sharing that you want to avoid becomes 'time sharing', meaning when one user is actively using the account, the others can't, which will probably discourage most users from passing their account around.

That is great. How can I activate this feature? Is it built into XenForo, or do I need a third party? Please give more details.
 

gigipmc

Member
Thanks @Forsaken :) We've already corresponded and I will not be developing the add-on for him at this time. If another developer is interested in developing it, then it will be nice to see the idea come to fruition :)
 

digitalpoint

Well-known member
As @Dragonfruit mentioned, another option would be to force accounts to use 2FA (which is already something you could enable for the Registered user group via the Require two-step verification permission).

Along that same thought, only offer users two-step verification options that can't realistically be shared (disable the option for Verification code via app). Passkeys require physical hardware or a cloud-based account to keep the keys in sync across multiple devices (for example for iOS devices, I really doubt users would go through the trouble of sharing their Apple ID credentials, which is what would need to happen). Another option (although the add-on isn't public) would be 2FA codes being sent to their Telegram account. Also something I doubt that users would be sharing since it's tied to their phone number.

The Passkey option in particular would be good because it's also not something where user A can contact user B to have them generate the code for them. It's done via cryptology and the private key isn't exposed to the user. So the user A can't send user B the thing to internally decrypt because user A doesn't see the thing needing to be decrypted and user B doesn't have direct access to the private key needed to decrypt it anyway.
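
Added example, not part of the thread and not XenForo code: an RFC 6238 TOTP computation, the scheme authenticator apps use, showing that an app code depends only on the enrolled seed and the clock. The server therefore cannot tell which device produced a valid code, which is the background to the suggestion above to disable verification codes via app. The seed is the RFC test value; `totp`, `verify` and `demo` are illustrative names.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a function of (seed, time) only."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, now: float,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check; accepts one step either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + i * step, step), submitted)
        for i in range(-window, window + 1)
    )

SEED = b"12345678901234567890"  # RFC 6238 test seed, not a real account secret

def demo():
    # Two devices enrolled with the same seed compute the same code.
    device_a = totp(SEED, 59)
    device_b = totp(SEED, 59)
    # The code is still accepted 16 seconds later (drift window),
    # and rejected once it falls outside the window.
    return device_a, device_b, verify(SEED, device_a, 75), verify(SEED, device_a, 125)

if __name__ == "__main__":
    print(demo())
```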
 