Hey there! I own a few SaaS companies and we have been trying to figure out ways to prevent account sharing and curious to know how you do it?
The current way: if a user is logged in, and another session is signed in the same user, the first user that was signed in is kicked from the session.
But- we are trying to fully combat it because the loop hole here is the second person simply asking if the first person is active on their session and they can still share an account. We do per user per month pricing so we find that a decent amount of people would try to pay less by just sharing an account.
Thanks in advance for your advice and insight!
You could require 2FA to login, and then the folks sharing accounts would need to be in the same location. Solves the problem for new users going forward but wouldn’t necessarily solve it for our users that are already logged in.
More importantly, is this really that big of an issue? In other words, is this even a problem worth solving because you’re missing out on so much additional revenue, or is this a once in a blue moon type of problem?
I have to agree with this. Sounds like a trivial issue right now, you should be spending this time for getting more new customers instead of trying to convert people into from the rare few customers that are gaming the system. This is even assuming they would convert to paying customers instead of just stop using your product.
Just worth noting that this would pretty much only work if the OTP is sent via SMS, no other 2FA flow would solve the issue Beit email or with a TOTP QR code or wtv
If this is widespread, it may be time to change your pricing model, like instead of per-user than some other measure like number of projects set up or whatever is a usage-based appropriate measure.
You might be right here. Something that can’t be looped-holed. Thanks for the advice!!