What is Account Sharing?

Sharing account credentials is a common practice among users, particularly as the costs of services continue to rise. It usually starts with a family member or friend sharing access to a streaming service or other subscription by sharing their password. However, what may seem like an innocent act can have serious consequences, such as exposing personal data or unauthorized access to user accounts by malicious actors as the accounts get passed around.

This can also lead to reduced revenue for businesses due to shared subscriptions, which we discuss in detail in our ultimate guide to account sharing. Experts estimate that the revenue lost due to password sharing will reach $12.5 billion by 2024, making it a top priority for many businesses.

Why is Account Sharing Prevention Important?

Measuring and understanding user behavior related to account sharing is incredibly important for most businesses. There are several reasons why, including:

Lost Revenue

Account sharing can cause substantial revenue losses for businesses, particularly those operating on a subscription-based model like Disney+ or Spotify. For example, according to a study by CordCutting, streaming services lose hundreds of millions of dollars yearly due to password sharing.

Inaccurate or Reduced User Metrics

Account sharing undermines the accuracy of user data, making it challenging to comprehend user behavior, preferences, and usage patterns. This unreliable data can misguide businesses, leading to uninformed decisions.

Increased Security Risk for Users

The more people with access to a single account, the greater the risk of a security breach. It is not uncommon for credentials shared with friends or family to end up in the hands of malicious individuals.

Account Ownership Claims

Determining the account's rightful owner can become complex in account sharing situations, particularly in disputes or fraud. This can result in challenges for customer service and legal complications that require both time and resources to resolve.

How to Increase Revenue by Identifying & Preventing Account Sharing

Fingerprint Pro’s Visitor Identification provides a unique identifier for every visitor to your website. This identifier is collected behind the scenes whenever someone performs a specific action with our JavaScript fingerprinting agent installed. To ensure data integrity, Fingerprint Pro also offers tools to validate these identifiers sent by your front end. Using these features can protect your business and easily detect account sharing users.

Since you know your product and business landscape best, it is up to you to configure account-sharing prevention workflows using the visitor ID to detect account sharing on your website. Below, we provide some steps and best practices that can serve as a starting point for your custom solution.

Policy Formulation

Establish a clear policy regarding account sharing and the maximum number of devices or browsers allowed per account within a specific time. If applicable, also specify the maximum number of devices or browsers allowed to be used concurrently. This policy should be communicated to users during signup and within the Terms of Service.

Device and Browser Registration

Collect and store the visitor ID alongside account information to register devices or browsers upon login. Additionally, you could allow users to register and manage a limited list of trusted devices/browsers through their account settings.

Monitoring and Analytics

Continuously monitor and analyze login patterns to identify unusual behavior, such as multiple logins from different devices or browsers in a short period or simultaneous logins from geographically dispersed locations.

Take Action

If an account exceeds the set threshold, take appropriate actions based on your policy. This may include sending alerts to the user, flagging the account, or imposing temporary restrictions such as limiting access to the account.

Configuring Fingerprint Pro for Account Sharing Prevention

To use Fingerprint Pro’s Visitor Identification effectively to prevent account sharing, you should configure logic that uses the visitor ID, timestamped data, and the credentials a user provides. Considering the logic used to determine account sharing and the actions that should be taken when a visitor is flagged is crucial.

Suspicious Account Activity Logic

We recommend that when a visitor logs in, the visitorId and requestId are sent to your application server, where they persist in the storage layer. Using this data, you can compare the current visitorId and credential pairing to previous account access to detect account sharing. Here are some recommended logic rules for detecting and preventing account sharing:

First, add the Fingerprint Pro JavaScript agent to your webpage. Alternatively, if your front end uses modern frameworks such as React.js or Angular, you can use one of our libraries instead.

// Initialize the agent.
const fpPromise = import("https://fpjscdn.net/v3/<your-public-api-key>").then(
  (FingerprintJS) =>
    FingerprintJS.load({
      endpoint: "https://metrics.yourdomain.com",
    })
);

For production deployments, we recommend routing requests to Fingerprint's APIs through your domain using the endpoint parameter. This prevents ad blockers from disrupting identification requests and improves accuracy. We offer a variety of ways to do this, which you can learn more about in our guide on how to protect your JavaScript agent from ad blockers.

When the user attempts to log in, make an identification request and send the requestId along with the user’s credentials to your authentication API.

async function onLogIn() {
  // Collect browser signals and request visitor identification
  // from the Fingerprint API. The response contains a `requestId`.
  const { requestId } = await (await fpPromise).get();

  // Send the user’s credentials together with
  // the `requestId` to your authentication API.
  const loginData = {
    userName,
    password,
    requestId,
  };

  const response = await fetch("/api/authenticate", {
    method: "POST",
    body: JSON.stringify(loginData),
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
    },
  });
}

The following steps should be performed on the backend using data provided by the Fingerprint Pro Server API. If your backend logic is built on top of Node.js or any other popular server-side framework or language, you can use one of our Fingerprint Server API SDKs. Alternatively, one can also use the Webhooks functionality.

Let's check that the requestId is legitimate by hitting the Server API /events endpoint.

const requestId = req.body.requestId;

const fingerprintServerApiUrl = new URL(
  `https://api.fpjs.io/events/${requestId}`
);

const requestOptions = {
  method: "GET",
  headers: {
    "Auth-API-Key": "<secret-api-key>",
  },
};

const fingerprintServerApiResponse = await fetch(
  fingerprintServerApiUrl.href,
  requestOptions
);

// If there's something wrong with the provided data,
// the Server API will return a non-2xx response.
// We consider these data unreliable.
if (
  fingerprintServerApiResponse.status < 200 ||
  fingerprintServerApiResponse.status > 299
) {
  // Do not log in the user and flag the account
  // for suspicious activity and account sharing.
  persistUnsuccessfulLoginAttempt();
  reportSuspiciousActivity(req);
  flagAccountSharing(req);
  return getForbiddenReponse();
}

const requestData = await fingerprintServerApiResponse.json();
const visitorData = requestData?.products?.identification?.data;

The Server API response must contain information about this specific identification request. If not, the request might have been tampered with and we don't trust this identification attempt.

// The returned data must have the expected properties.
if (requestData.error || visitorData?.visitorId == undefined) {
  persistUnsuccessfulLoginAttempt();
  reportSuspiciousActivity(req);
  flagAccountSharing(req);
  return getForbiddenReponse();
}

Finally, we need to identify and flag accounts suspected of account sharing when they exceed a certain number of visitor IDs within a specific timeframe. By analyzing the number of logins or access requests and the number of different visitor IDs associated with an account within a given time period, such as 24 hours, we can detect potential instances of account sharing. The specific count of attempts and the duration of the time window may vary based on your use case.

// Get the number of unique visitors accessing an account
// during the last 24 hours.
const loginQuery =
  "SELECT COUNT(DISTINCT visitor_id) AS count FROM logins WHERE account_id = ? AND timestamp > ?";
const loginParams = [
  accountId,
  new Date().getTime() - 24 * 60 * 60 * 1000, // 24 hours.
];
const visitorLoginCountQueryResult = await db.query(loginQuery, loginParams);

// If the account had more than five visitor IDs during the
// last 24 hours, flag the account as suspected of account
// sharing and restrict access. The count of attempts and
// time window might vary.
if (visitorLoginCountQueryResult.count > 5) {
  persistUnsuccessfulLoginAttempt();
  reportSuspiciousActivity(req);
  flagAccountSharing(req);
  return getForbiddenReponse();
}

If the login attempt has passed all the checks, you can log the user in as usual and store the visitorId for future checks.

Conclusion

This guide provides a foundation for starting your journey towards preventing account sharing effectively. While it outlines the main steps, it is not exhaustive, and there are additional details to consider when creating a comprehensive workflow. Nonetheless, it should serve as a starting point for understanding the essential procedures. For more information on how Fingerprint Pro's Visitor Identification can improve your account sharing detection, we encourage you to explore our documentation or contact our support team.