Build

Mitigate and Prevent Subscription Sharing for SaaS Companies

Stephen Blum on Aug 29, 2023
Mitigate and Prevent Subscription Sharing for SaaS Companies

With any subscription based service, particularly SaaS, companies (like Netflix and Adobe Creative Cloud) are dealing with the problem of account subscription sharing. A user can begin a subscription and give another user their login credentials. So how can we mitigate, or better yet, prevent subscription sharing for subscription based services?

In this blog post, we'll look at strategies to mitigate and prevent subscription sharing between users.

Data Stream Network Security Guide for Mitigating Account Sharing Between Users

This is a guide on how to mitigate sharing access and stealing your business subscription revenue by preventing account sharing for subscription based businesses and websites.

The PubNub Data Stream Network provides a set of core “building-block” services that can be used to build and scale a wide range of applications. PubNub provides a reliable geo redundant signaling solution (WebSockets, XMPP, BOSH, Comet, HTTP Long-polling, etc.) with many design patterns and over 70 SDKs to fit your growing business needs including Android Java, iOS Objective-c and JavaScript Web/Mobile.

In this document, we will describe to you a growing demand for a new security pattern being requested by security focused businesses. This Design Pattern document describes a unique technique and business solutions around a customers requirement to have one connection, and one connection only, per authenticated user when using a Data Stream Network similar to C# .NET SignalR, SocketIO / SocksJS for Node.JS JavaScript.

Business Application and Opportunity Loss with User Subscription Sharing

The use-cases can vary. Maybe its a music-streaming product, like Spotify, that would like its users to use it services locked to one device only and hence will log-off the user already signing in. Maybe it’s a hotel-chain that wants its guests to only be able to use one card key for one room and hence will not allow any new keys to be set.

We've had this conversation many times here at PubNub and there are many more business-driven scenario which will derive value from our point solution design pattern. Does any of that sounds familiar?

List of Tools to Prevent Subscription Sharing

  1. Access Authority Database (Identity Management)
    • Any directory and identity management database (LDAP, MySQL, Oracle, PostgreSQL, etc) containing your user identities such as Email/Password services you already have implemented.
    • Alternatively OAuth or Third Party Identity Management systems like Twitter, Facebook or LinkedIn.
  2. PubNub Account

Two Options to Prevent Subscription Sharing

You are now ready to make a decision between two business rules to follow when restricting access to users who share their security login credentials. When a user is authenticated by your identity management system, you will have two choices on how to proceed with granting access through your subscription paywall.

Option One is to remotely force logout any devices associated that have been granted access to the subscription service. Option Two is to block access to subsequent login attempts while another use is online and logged in on another device.

Option One: Force Remote WebSocket Logout

You would like to always accept new logins by revoking previous login sessions and issuing new access keys. The new grant (the latest grant request) will be the only user who has account subscription access. You would like to deny and block access because another user has an existing session in use.

  1. User will Request Access with Email/Password or 3rd Party OAuth.
    • POST Parameters include Email, Password, RSA Public Key.
  2. Find the associated User Account in the Identity Database.
    • Use Administrative Access Keys (PubNub Secret Key, Publish Key and Subscribe Key) to generate a new PubNub Data Stream Network class instance. PubNub SDKs provide you the secure websocket data stream which allow you to mitigate account accesses sharing.
    • Revoke all previous granted access associated with this user account and issue a PubNub.Revoke({...}) from the previously granted access keys. This will force all remote sessions to be logged out in real time!
    • Save or Overwrite RSA Public Key from User’s Access Request.
    • Key Rotation – Regenerate The Following Keys: Cipher Key, Auth Key, Channel Name, Session ID (SID) and store in database.
    • Use newly generated Auth Key and Channel Name to issue a PubNub.Grant({...}) – with a Session TTL of 1 Hour.
    • Respond to authenticated request for key exchange with the new credentials over TLS HTTPS Secure Stream with the following keys: PubNub Subscribe Key, Cipher Key, Auth Key, Channel Name, Session ID (SID).
  3. User’s Client Device will incorporate secure credentials into PubNub Data Stream class instance instantiation.
  4. Repeat Process Each Hour or Each Cycle based on Key Rotation Policy.
  5. Send Subscription Material/Signals via PubNub.Publish({ … }) methods with user’s keys.

Note in Step (2.4) – we ask you to generate a new channel name. However you may not need to generate a new channel name if the data stream source is a shared channel such as a stock quote symbol channel stream.

Option Two: Block Access while WebSocket Subscription in-Use

Any user who has a shared email/password will be blocked access while another user is using the subscription service. You can accomplish access blocking this by following these steps:

  1. User will Request Access with Email/Password or 3rd Party OAuth.
    • POST Parameters include Email, Password, RSA Public Key.
  2. Find the associated User Account in the Identity Database.
    • Use Administrative Access Keys (PubNub Secret Key, Publish Key and Subscribe Key) to generate a new PubNub Data Streams class instance with Presence Options Enabled.
    • Use PubNub.Here_Now({ … }) on the associated User’s Channel Name to detect if there is an active device session subscribed.
    • If there is an active live session, deny the access request.
    • If no active sessions exist, proceed with Step 2 from the Option One above.

Both of the options above provide to you the necessary steps required to prevent subscription sharing for subscription based paywall websites and apps. These steps are generalized to control access and mitigate duplicated permission grants allowing you to manage access and deny request for access based on your business requirements.

Resources