User account: Can we limit login device?

Is there a way to limit the number of devices a user can log in from for their account at the same time?

Thanks.

Natively no.

With a reverse proxy, probably yes. You could identify the discrete logins by the http-only token, and loosely track the sessions in a KV store.

The bigger challenge would be identifying logout events so you could terminate those “device sessions”. That would require a tighter integration with Webflow’s auth servers, or else gating every request, tracking expired tokens and suppressing them.

Actually, pretty sure that last part is possible; I did something similar at the account level so that a client intranet could lock out users / clients immediately at the account level, even though the Webflow user accounts (WUA) access token doesn’t actually expire for 3 days (even if you delete the user’s account).

If you’re needing that level of security, WUA probably isn’t the framework you want.

1 Like
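The session tracking described in the answer above, as an added example that is not part of the original post and not Webflow's code: a per-request gate a reverse proxy could call, with a `Map` standing in for the KV store. The names `DeviceSessionGate`, `allow` and `revokeAccount`, the 3-device limit, the 30-minute idle timeout, and the assumption that the proxy already knows which account a token belongs to are all hypothetical.

```javascript
// Added example: in-memory stand-in for the proxy's KV store.
const MAX_DEVICES = 3;            // assumed policy
const IDLE_MS = 30 * 60 * 1000;   // assumed: a session idle this long counts as gone

class DeviceSessionGate {
  constructor(kv = new Map()) {
    // accountId -> Map(token -> lastSeenMs). A real deployment would key on a
    // hash of the token so the store never holds a usable credential.
    this.kv = kv;
    this.revoked = new Set();     // tokens the proxy must suppress
  }

  // Called on every proxied request; true = forward, false = block.
  allow(accountId, token, now = Date.now()) {
    if (this.revoked.has(token)) return false;
    const sessions = this.kv.get(accountId) ?? new Map();
    // The proxy never sees a logout, so idle sessions are aged out instead.
    for (const [tok, seen] of sessions) {
      if (now - seen > IDLE_MS) sessions.delete(tok);
    }
    // A token not seen before is a new device; refuse it once the limit is hit.
    if (!sessions.has(token) && sessions.size >= MAX_DEVICES) return false;
    sessions.set(token, now);
    this.kv.set(accountId, sessions);
    return true;
  }

  // Immediate lockout: suppress every token tracked for the account, even
  // though the tokens themselves stay valid upstream until they expire.
  revokeAccount(accountId) {
    for (const tok of this.kv.get(accountId)?.keys() ?? []) this.revoked.add(tok);
    this.kv.delete(accountId);
  }
}
```

Because the gate only sees requests, a user who closes the browser still occupies a slot until the idle timeout passes.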

Interesting information! Thanks.

The main goal is to prevent users from sharing paid accounts to access restricted content.

Hi @anthonychan2509, there is no reliable solution for this. Why?

When you decide to use multi-factor authentication that sends random digits, they can also be shared once they are received.

If the user decides to share login data, they can share it in many ways, even if you set many restrictions on this data.

If you decide to limit access to certain IP addresses or countries, or add sensitive information like a credit card number, address or whatever, all these restrictions and limitations will have a negative impact on the “average” user.

Simply ask them not to do that.

1 Like

I agree with Stan.

I spent a bit of time mapping this out to see what’s possible, because it’s a pretty cool feature idea. Most of the pieces can be built on top of WUA - tracking devices used in the login, maintaining an authorized devices list, blocking logins on unauthorized devices when you’ve exceeded your device count.

The central issue is that a device-limited system really only works for permanent sign-ons, like Netflix and Spotify, and Webflow doesn’t offer that.

Think about the point where a user is limited to 3 devices, and tries to log in on a 4th. All you can do is challenge the user with a “too many devices” error, and the ability to remove another authorized device so they can add this one. Without permanent sign-on, that’s barely an inconvenience.

I might experiment with some heuristics, like too many different IPs on new devices, or use GeoIP to try to identify abused/shared logins if the geo range is too large. But this is a lot of infrastructure to build for a simple deterrent.

If you’re really worried about this, I think a better approach would be to use a platform that allows usage-based billing, so that e.g. each video watched costs a bit. Then you really don’t care about account sharing.

1 Like

This is an old discussion with a slightly different topic related to students, but the user who would like to share his/her credentials to get full access to all their personal data will be intelligence shy.

The standard protection for access to data is done with authentication, so the user has to be logged in to access the page. But when someone shares login credentials … ???