How to limit user to login to just one or two devices at a time?

Interesting use-case :clap:
Here’s a solution among many others, using our plugin Fingerprint



Try it by yourself


1. Detect the current user’s device fingerprint

Start by detecting the current user’s device fingerprint ID when the page is loaded.
Depending on your use case and where the regulation should apply, you may have to introduce it on every page of your app. To do so, we use a reusable element that we will add to these pages or to the header.

Creating the reusable element:


2. Set the device that loads the page as the current device

Inside the reusable element, we save the user’s device fingerprint ID when it’s ready as the Device ID - Current.

If the previously saved and authorized device is not the current device, and depending on how many simultaneous devices you want to authorize, we then move the old device(s) to a Device IDs - Closed sessions list.

The Device ID - Current field helps us to differentiate the current device from the authorized device

The Device IDs - Closed sessions will help to determine which device is “the new one” later on when the user connects from a new device. Otherwise it will trigger the security on page load, even from a new device.

The if statement avoids unnecessary operations on the database and avoids kicking the user out by adding it to the Device IDs - Closed sessions list

3. Kick the other devices if added to the Closed sessions list

If the current device suddenly appears to be in the Device IDs - Closed sessions list, this means the user connected from another device and triggered the workflow from the step above.

Therefore, we want to block access to the user, and then remove ourselves from the list.

Keep in mind that a popup can easily be removed using the inspect element tool from the browsers. Therefore, it shouldn’t be the only security layer for sensitive apps.
A more secure option would be to make the entire page/groups invisible.

4. Restore access

To give the user access to the app again, you only need to refresh the page so the other devices will be kicked out by the step 2 workflow.

Advanced: In step 2 we also want to remove the current device from the Closed session list to avoid showing the alert if the user didn’t click the reset button (example)

Hope that helps! :upside_down_face:

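The state logic of steps 2 to 4, modelled in plain JavaScript as an added example that is not part of the original post or the plugin's own code. It generalizes the post's single-device case to a configurable limit; the function names, `maxDevices`, the sample fingerprint IDs and the server-side check `serverAllows` are assumptions made for illustration.

```javascript
// Added example. Field names mirror the post's "Device ID - Current" and
// "Device IDs - Closed sessions"; function names and maxDevices are hypothetical.
function newUser(maxDevices = 1) {
  return { maxDevices, current: [], closedSessions: [] };
}

// Step 2 (with the "Advanced" note): runs when the fingerprint ID is ready on page load.
function onPageLoad(user, deviceId) {
  // Advanced: a device that reloads is no longer treated as a closed session.
  user.closedSessions = user.closedSessions.filter((id) => id !== deviceId);
  // The if statement: no database writes when this device is already authorized.
  if (user.current.includes(deviceId)) return;
  user.current.push(deviceId);
  // Move the oldest device(s) beyond the limit to the closed-sessions list.
  while (user.current.length > user.maxDevices) {
    user.closedSessions.push(user.current.shift());
  }
}

// Step 3: runs on an already-open page whenever the user record changes.
// Returns true when this device must show the block screen.
function onRecordChange(user, deviceId) {
  if (!user.closedSessions.includes(deviceId)) return false;
  // Block first, then remove ourselves from the list, as the post describes.
  user.closedSessions = user.closedSessions.filter((id) => id !== deviceId);
  return true;
}

// Assumption beyond the post: a server-side gate on the same field, so that
// removing a popup in the browser does not restore access to data.
function serverAllows(user, deviceId) {
  return user.current.includes(deviceId);
}

// Constructed walk-through with two made-up fingerprint IDs.
function demo() {
  const user = newUser(1);
  onPageLoad(user, "fp-laptop");
  onPageLoad(user, "fp-phone"); // phone displaces laptop
  const laptopBlocked = onRecordChange(user, "fp-laptop");
  const laptopServer = serverAllows(user, "fp-laptop");
  onPageLoad(user, "fp-laptop"); // step 4: a refresh restores access
  const phoneBlocked = onRecordChange(user, "fp-phone");
  return { laptopBlocked, laptopServer, phoneBlocked, current: user.current };
}
```

With `newUser(2)` the same walk-through keeps both devices authorized, and only a third device moves the oldest one to the closed-sessions list.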