What prevents your app from allowing simultaneous sign-in on multiple devices
In 2023, cross-device collaboration has become a necessity for most people. Under Apple's lead, various terminal manufacturers are building their own cross-device ecosystems, including but not limited to screen casting, clipboard sharing, data sharing between devices, etc. within the same ecosystem.
Current state
Even in this inevitable trend, many software companies have not kept up with cross-device collaboration. At the most basic level, many apps do not support the option for the same account to sign in on multiple devices. When we talk about multi-device sign-in or concurrent sign-in, we refer to signing in to the same account on multiple devices simultaneously, where the sign-in states between different devices do not affect each other and have independent and complete accesses.
For these apps that do not support concurrent sign-in, the normal approach is to automatically sign out the account on the first device at the time the sign-in on the second device succeed, without giving any prompt to inform the user.
Using auto-sign-in for convenience may seem beneficial to users, but it can cause problems for future use. For example, if you were automatically signed out of a device and need to use it again soon after, you might have to go through extra security steps like entering SMS verification codes or doing face recognition. These additional steps can bring more inconvenience, like needing specific lighting or poses for face recognition, and also come with some risks.
You might be wondering, what would be the preferable approach then? The better approach is to inform users that they can only sign in to one device at a time. When there's a conflict, it should be the user's choice to decide which device to remove or whether to cancel the sign-in attempt on the new device. This way, users have more control over the situation.
Challenges and potential solutions
We analyzed apps that currently do not support concurrent sign-in and found some potential issues faced by them, we are trying to post these problems and give our own possible solutions.
Compliance requirements
In some countries and regions, apps with specific categories (such as instant messaging and social media) require real-name registration to meet the compliance requirements.
How do apps respond to compliance requirements?
In response to such requirements, different apps have adopted different strategies:
- require real-name registration
- allow sign-up but only grant access to certain features after real-name verification
- achieve real-name requirements indirectly through means like requiring binding of bank cards for payment apps
With the existence of these requirements, the solutions adopted by different apps vary. One thing that can be confirmed is that — no app will prevent a user from creating multiple accounts on their platform. That is to say, they do not impose technical restrictions on using multiple accounts across devices, even if the accounts have the same owner.
Thoughts & possible solution
If the original intent of regulations was to trace an account's usage and devices through a unique account ID, current authorization protocols and technology can still detect which specific device initiated an activity even when a single account is signed in to multiple devices.
Enabling multi-device sign-in does not necessarily preclude regulatory traceability. With proper technical implementations, the account activities originating from each device can still be distinguished and tracked. Therefore, regulations can be adhered to without imposing single device restrictions on users.
Business growth considerations
We believe this issue should not be discussed at great length - every company has its reasons for commercial decisions.
A real case we have learned about
However, as we know, some companies encouraged users to create multiple accounts as a growth strategy early on. Later, these companies entered a new phase where for technical and business reasons, they needed to consolidate data across a user's multiple accounts, which required their teams to spend years trying to do account consolidation well.
What would we do if it were us?
Although having users create multiple accounts looks good for short-term growth, in the long run it becomes difficult for users to manage data across accounts, and companies struggle to extract valuable insights from many inactive "zombie accounts". This will harm user experience and increase operating costs.
So while encouraging multiple accounts per user may temporarily inflate growth metrics, it creates technical debt and hurts user experience in the long run.
Security reasons
Security concerns are possibly the most convincing reason for app publishers to justify to users why simultaneous multi-device sign-in is not supported.
Many people may accept this explanation without further thought, but we tried to find the real reasons.
Security measures in place
Let's consider banking apps, which have strict security requirements. When you open such an app, the first step is to sign in. Many bank apps offer the convenience of using Face ID or fingerprint to unlock and access the app. However, for more sensitive operations like large financial transactions, additional verification steps are necessary to ensure security. These steps often involve various forms of multi-factor authentication (MFA) and official online identity verification services provided by trusted third parties, often government agencies.
It's important to note that most MFA methods can only confirm that the current user has access to the device, but they cannot guarantee that the user is the legitimate account owner. It's possible for someone to have obtained the account credentials through other means. However, online third-party identity verification services address this limitation effectively. By combining the use of MFA and third-party identity checks for high-risk operations, many of the security risks associated with multi-device sign-in can be mitigated.
What else can we do from a product perspective?
So far, we have not found any technical-wise blockers that would prevent supporting multi-device sign-in from a security standpoint. If the current measures on a single device can ensure security, expanding to multi-device support would not introduce additional security risks.
We have determined that there are no technical barriers to supporting concurrent sign-in in terms of security. Furthermore, if security can be properly maintained on a single device, there is no major concern in extending support to multiple devices. It can be addressed without any significant problems.
However, some product measures can help further improve security (assuming concurrent sign-in has already been supported):
- Automatically sign out a device if there is no activity for a period of time.
- Support managing sign-in states and monitoring activities for all devices on each device. This allows users to forcibly sign out other devices when necessary, to ensure security.
- Push notifications about suspicious activities to devices, so users can judge if it is malicious actions and block as needed.
Is there any existing out-of-the-box solution that can help to solve these challenges?
Regarding the first two issues, we will not expand too much, since those involve business and regulatory considerations. However, if you are looking for an identity solution supporting concurrent sign-in, Logto is worth checking out!
The first issue mentioned needing to track which device each activity originates from. Logto's existing user activity logs already record device information, which can help Logto users meet compliance requirements in this area. Since compliance requirements differ across regions, there may be contradictions between regulatory rules in different areas. If you have any special needs, do not hesitate to contact Logto team.
As for the second issue of account consolidation, we were well aware of the difficulties and the importance of multiple sign-in methods for every account when designing Logto. Our sign-in and sign-up flows try to prevent redundant account creation, allowing one account to be accessed through different methods like Google, email, username/password, etc.
With respect to the "third party online identity verification services" mentioned in the third issue, Logto users can integrate with third parties to obtain this.
Logto's focus is on enabling MFA compatibility with mainstream methods (will release in 2023H2, subscribe our newsletter to get notified!), and combining configurations with our existing sign-in experience (Chapter1, Chapter2). We highly welcome any MFA use cases to share with us - those will provide important references for our final product. Any Logto feature adheres to three principles: secure, as easy-to-use as possible, and solving users’ problems. With our powerful sign-in experience configuration, users can easily build a business-ready sign-in/sign-up flow in no time. Logto ALREADY supports multiple-device sign-in. Once MFA is ready, Logto can bring users to a higher level of security!