Hey there! I own a few SaaS companies and we have been trying to figure out ways to prevent account sharing and curious to know how you do it?
The current way: if a user is logged in, and another session is signed in the same user, the first user that was signed in is kicked from the session.
But- we are trying to fully combat it because the loop hole here is the second person simply asking if the first person is active on their session and they can still share an account. We do per user per month pricing so we find that a decent amount of people would try to pay less by just sharing an account.
Thanks in advance for your advice and insight!
Just worth noting that this would pretty much only work if the OTP is sent via SMS, no other 2FA flow would solve the issue Beit email or with a TOTP QR code or wtv