How to limit user to login to just one or two devices at a time?

Interesting use-case :clap:
Here’s a solution among many others, using our plugin Fingerprint

https://plugbee.dev/plugin/fingerprint




1. Detect the current user’s device fingerprint

Start by detecting the current user’s device fingerprint ID when the page is loaded.
Depending on your use case and where the regulation should apply, you may have to introduce it on every page of your app. To do so, we use a reusable element that we add to these pages or to the header.



2. Set the device that loads the page as the current device

Inside the reusable element, we save the user’s device fingerprint ID, when it’s ready, as the Device ID - Current.

If the previously saved and authorized device is not the current device, and depending on how many simultaneous devices you want to authorize, we then move the old device(s) to a Device IDs - Closed sessions list.

:information_source: The Device ID - Current field helps us to differentiate the current device from the authorized device.

:information_source: The Device IDs - Closed sessions will help to determine which device is “the new one” later on when the user connects from a new device. Otherwise it will trigger the security on page load, even from a new device.

:information_source: The if statement avoids unnecessary operations on the database and avoids kicking the user out by adding it to the Device IDs - Closed sessions list.


3. Kick the other devices if added to the Closed sessions list

If the current device suddenly appears to be in the Device IDs - Closed sessions list, this means the user connected from another device and triggered the workflow from the step above.

Therefore, we want to block access to the user, and then remove ourselves from the list.

:exclamation: Keep in mind that a popup can easily be removed using the inspect element tool from the browsers. Therefore, it shouldn’t be the only security layer for sensitive apps.
A more secure option would be to make the entire page/groups invisible.


4. Restore access

To give the user access to the app again, you only need to refresh the page so the other devices will be kicked out by the step 2 workflow.

Advanced: In step 2 we also want to remove the current device from the Closed sessions list to avoid showing the alert if the user didn’t click the reset button.


Hope that helps! :upside_down_face:
Victor
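
The four steps above, modelled as plain JavaScript state transitions. This is an added example, not part of the original post and not the Fingerprint plugin's code. The record shape, the function names and the choice to evict the oldest device when the limit is exceeded are assumptions; the device IDs are constructed sample values.

```javascript
// Hypothetical user record. `current` and `closedSessions` stand in for the
// post's "Device ID - Current" and "Device IDs - Closed sessions" fields.
function newUser() {
  return { current: [], closedSessions: [] };
}

// Step 2 plus the "Advanced" note: register the device that loaded the page.
// Assumption: `current` is ordered oldest-first and the oldest is evicted.
function onPageLoad(user, deviceId, maxDevices = 1) {
  // Advanced: a device that reloads is taken off the closed-sessions list.
  user.closedSessions = user.closedSessions.filter((id) => id !== deviceId);
  // The "if" from step 2: no write when the device is already authorized.
  if (user.current.includes(deviceId)) return user;
  user.current.push(deviceId);
  while (user.current.length > maxDevices) {
    user.closedSessions.push(user.current.shift());
  }
  return user;
}

// Step 3: a device found in closed sessions is blocked, then removed from
// the list. It is no longer in `current`, so later checks still refuse it
// until it reloads the page (step 4).
function checkAccess(user, deviceId) {
  if (user.closedSessions.includes(deviceId)) {
    user.closedSessions = user.closedSessions.filter((id) => id !== deviceId);
    return "kicked";
  }
  return user.current.includes(deviceId) ? "allowed" : "unknown";
}

// Constructed walk-through: one allowed device, "A" then "B", then "A" reloads.
function demo() {
  const u = newUser();
  const log = [];
  onPageLoad(u, "A");
  log.push(checkAccess(u, "A")); // first device
  onPageLoad(u, "B");
  log.push(checkAccess(u, "A"), checkAccess(u, "A"), checkAccess(u, "B"));
  onPageLoad(u, "A"); // step 4: refresh on the kicked device
  log.push(checkAccess(u, "B"), checkAccess(u, "A"));
  return log;
}
```

Because the popup can be removed in the browser, as the post notes, a check like `checkAccess` is most useful where the data is served rather than only in the page.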
