Account sharing prevention
Account sharing is one subscription used by several people, and it's the use-case framing of the Access protection fundamental.
Step 1: Set up access protection
Set up Access protection first. It's self-managed: you call evaluate.access on the client and Rupt handles detection, the challenge, owner verification, and device capping client-side. There's no server step. With that in place, the policies below are what actually catch sharing.
Step 2: Add the policies
A policy has a trigger (the event it runs on) and a verdict. Add these in your policies dashboard:
| Policy | Trigger | Conditions | Verdict |
|---|---|---|---|
| Verify the owner | access | concurrent_sessions, or impossible_travel | Challenge |
| Cap devices | access | device_count over your limit (or per-type computer_device_count / tablet_device_count / mobile_device_count) | Challenge |
Account sharing leans on devices, not fingerprints, and the goal is to convert the extra user, so point the challenge Success URL at signup. The device-cap challenge logs the extra devices out. Tune conservatively: a false sharing accusation is costly, so start loose and tighten only if you need to.
Related
- Need help? Contact support.
- Want to see Rupt in action? Request a demo.
- Questions? Talk to sales.
- Check out our changelog.
- Check our status page.
- LLM? Read llms.txt.