Is it possible to limit the number of devices a user can login with?



  • I thought using fingerprint.js to track the devices and store it in the registration on each login, but since external libraries can't be imported into lambdas (right?), I can't imagine another solution from the FusionAuth part.

    I know it could be possible to implement in the app side, but I have no access to that code because it's an external service provider.



  • Hi @joseantonio!

    Are you referring to the idea of what type of devices or the sheer number of devices? If you could offer a little more context for your use case, that might be helpful.

    Thanks,
    Josh



  • Hi @joshua, thank you for the quick reply!

    Indeed, the idea is to limit the number of different devices an account can login from, so account credentials sharing isn't allowed.

    For example, if the limit is 2, a user could authenticate from his/her Phone1 and Desktop2, but won't be able to authenticate from any new device (Phone, Desktop, etc.).

    On the other hand, if you think there is already another way to prevent account sharing, that could be another solution too.

    Thank you in advance!

    Jose.



  • Hi @joseantonio,

    Let me see if I understand you accurately. Are you referencing the same problem space Nextflix is trying to address with account sharing? External article here.

    You could consider employing two-factor authentication. This is something currently offered through our API (with additional features in development for paid customers). With two-factor/multifactor auth, if you have a legitimate user who is "over-sharing" their account their "illegitimate partner-in-crime" will be denied access when they face a 2FA/MFA challenge (such as an SMS pushed code to a phone that they don't own, for instance).

    Some other helpful threads:

    https://fusionauth.io/community/forum/topic/567/multiple-active-sessions-from-multiple-devices
    Specifically, this thread mentions

    There are many potential types of limits that could be put in place, such as limiting by IP, device, geographic location, session count, etc that these types of limits may be best solved by a Web Application Firewall (WAF) or some other specialized network security product.

    Based on this thread, it sounds like another avenue to consider would be setting up a WAF and the appropriate rules to enforce the behavior you are seeking (restrict by IP, number of devices, etc).

    I hope this helps!

    Thanks,
    Josh



  • Hi @joshua,

    Yeah, it's pretty much the same issue Netflix faces. However, in this case 2FA would be too annoying for our users, and doesn't make enough sense I think.

    Indeed WAF is a good idea, I've been looking at some solutions like AWS WAF, but seems pretty complex at first.

    The ideal solution would be FA being able to handle this. I imagine it would store the device fingerprint (using fingerprint.js for example) in the user data / registration data, and then check the count against a limit set in the tenant/application settings on every login. Is this something FA can develop as a paid request?

    Another solution would be allowing Lambdas to import external js libraries, or even make API calls would do the trick. Then anyone could implement the limitation by their own.

    Let me know our thoughts about any of this options and/or new ideas!

    And thank you for the amazing support job!



  • @joseantonio

    I will pass along your thoughts to our Development Team and let you know if I hear of any other workarounds. But please also feel empowered to log an issue (you can even reference this post) and potentially add this to our roadmap. Much of the development of FusionAuth as a product is driven by the community and their needs.

    Yes, it is true that AWS and WAF rules can be intimidating at first, but they can also be very powerful and extensible depending on your use case. As with anything, the tradeoff is between ease of use and flexibility/integration potential 🙂

    Thanks for the great feedback!

    Josh



  • @joseantonio

    I was speaking with our Development Team and there is another way to approach this.

    You have the option to poll the number of sessions for each user using the API and then delete more than X sessions. Documentation here

    Or you could write a webhook to check the number of sessions on login.

    I hope that helps!

    Thanks,
    Josh


Log in to reply
 

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.