
How to maintain unique user per paid account in a website with given set of Email ID and password?

@Hamaas447

Posted in: #Authentication #Password #Users

For a website, there is a free and a paid membership option. Once the user pays some amount he gets a membership for a month for additional products that are not in the free account on the website.

Now once the user pays and gets a membership, how to make sure that only one user accesses the account? I just want that only one user should use a paid account and even if he gives the set of Email ID and password to his friends, they shouldn't be able to login.

So what do I need to do for this? There are many sites that offer paid membership options. Do they do anything special to restrict one user per paid account?


2 Comments


@Nimeshi995

There is no simple solution to this problem. Static passwords may be shared among friends. Tracking mechanisms (IP-addresses, cookies) will turn up "false positives" (i.e. rejecting real paying members) - which is very bad for business.

Using an OTP (One Time Password), as suggested by Steve, is probably not practical, as it does not allow casual use, and is easily bypassed (the user can pass on the one-time password to the friend by SMS forwarding or even voice).

My proposal (if you think that discouraging sharing is a good idea - it may not be a good idea - read the last paragraph), is the following:

Provide an EULA where you make it clear that sharing the password with friends is not allowed and will result in immediate loss of access. This should discourage sharing, since the member will jeopardize his or her own investment by sharing the password. Unfortunately, it is not easy to actually discover sharing (you can't rely on cookies or IP-addresses). However, non-technical users will not know that. One pretty robust indicator that the password has been shared is if there are two (or more) simultaneous active sessions with different IP-addresses - so you may even be able to catch some who violate this policy.

To discourage sharing of the downloaded documents, you may only allow users to download a non-volatile document format (e.g. "protected" PDF), and put a visible watermark on each page with the user's identity. If "shared" documents are leaked on the Internet, you will know who to blame. Again, the idea is to make it clear to users that it is possible for you to learn about policy violations. (You may also try to not allow downloads, but this is not really practical - if it can be displayed, it can be downloaded.)

In addition to the above, you may use third-party authentication with an authenticator provider that does not provide disposable identities (e.g. Google Authenticator). Users will be more reluctant to give friends access to such an identity, since a Google identity (for example) "at large" may harm the owner of that identity if it gets in the wrong hands. (It is possible to create a "disposable" identity with most of these third party schemes - but to do so requires skill and some knowledge.)

However, the plain truth is that it is impossible to protect information behind a pay-wall from being shared.

Whatever you do, someone can pay for access, login once, and download all that is available (it may be one work, or it may be your entire database - depending upon your pricing/access scheme). And when something has been downloaded, it can afterwards be shared with friends, classmates - or the entire world.

The publishing and music industry has been looking for a solution for this for ages. They call it "DRM", and the truth is that it does not work. The most successful strategy is probably not to worry about sharing. Instead, put your efforts into making your product attractive, and the majority of your paying customers so loyal that they do not want to scam you. This essay by Tim O'Reilly is recommended reading for anyone asking the type of question you ask: plus.google.com/+TimOReilly/posts/BEDukdz2B1r

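The simultaneous-session indicator mentioned in the answer above, as an added example that is not part of the original post: it flags an account only when two sessions overlap in time and share no source IP, so a dynamic IP change between visits or a second browser on the same network is not reported. The log layout, the 15-minute idle timeout and all names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed: session counts as active this long after its last request

# Constructed sample request log: (timestamp, account, session_id, source_ip)
SAMPLE_LOG = [
    ("2024-05-01T10:00:00", "alice@example.com", "s1", "198.51.100.7"),
    ("2024-05-01T10:05:00", "alice@example.com", "s2", "203.0.113.40"),  # overlaps s1, other IP
    ("2024-05-01T10:06:00", "alice@example.com", "s1", "198.51.100.7"),
    ("2024-05-01T09:00:00", "bob@example.com", "s3", "192.0.2.10"),
    ("2024-05-01T09:02:00", "bob@example.com", "s4", "192.0.2.10"),      # second browser, same IP
    ("2024-05-01T12:00:00", "bob@example.com", "s5", "192.0.2.99"),      # new IP, hours later
]

def session_windows(log):
    """Collapse requests into per-account lists of (start, end + timeout, session_id, ips)."""
    sessions = {}
    for ts, account, sid, ip in log:
        t = datetime.fromisoformat(ts)
        s = sessions.setdefault((account, sid), {"start": t, "end": t, "ips": set()})
        s["start"], s["end"] = min(s["start"], t), max(s["end"], t)
        s["ips"].add(ip)
    by_account = defaultdict(list)
    for (account, sid), s in sessions.items():
        by_account[account].append((s["start"], s["end"] + IDLE_TIMEOUT, sid, s["ips"]))
    return by_account

def concurrent_sessions(log):
    """Return {account: [(sid_a, sid_b), ...]} for sessions that overlap in time
    and share no source IP. Sequential sessions from different IPs are not flagged."""
    flagged = defaultdict(list)
    for account, wins in session_windows(log).items():
        wins.sort()  # by start time; session ids are unique, so sets are never compared
        for i, (start_a, end_a, sid_a, ips_a) in enumerate(wins):
            for start_b, end_b, sid_b, ips_b in wins[i + 1:]:
                if start_b >= end_a:
                    break  # sorted by start: nothing later can overlap session a
                if ips_a.isdisjoint(ips_b):
                    flagged[account].append((sid_a, sid_b))
    return dict(flagged)

if __name__ == "__main__":
    for account, pairs in concurrent_sessions(SAMPLE_LOG).items():
        print(account, "->", pairs)
```

The output is a signal for manual review rather than grounds for an automatic lockout, since a single user on a phone and a laptop produces the same pattern.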


 

@Pierce454

It is pretty difficult to implement something like this. You can't do it based on IP number because most people have dynamic IP. Even if it was only some people, you would have a problem.

You could do it via a cookie, but I reckon you are creating a support nightmare for yourself as some people don't accept cookies, people delete cookies. Besides, what is to stop the person who is using someone else's email saying "I deleted all my cookies"?

If you wanted to you could send an SMS with a unique password each time someone logs in...but good luck with people enjoying that experience, because they won't.

It is like with software, music, just about anything, there will always be a percentage of people who will scam the system.
