
Best practices to prevent login sharing on high-ticket B2B plans?

1 week 5 days ago #343985 by okp-medezide
Hi everyone,

We have built a premium B2B subscription SaaS platform using Community Builder. To allow companies to scale, we’ve integrated the Family Plan feature so customers can purchase additional seats.

Given that our B2B plans are higher-priced, we are concerned about the risk of credential sharing—specifically, organizations buying a single license and sharing the login details across an entire team or department.

We want to curb this behavior, but it’s critical that we minimize friction for legitimate users.
  • How are you handling concurrent session management or login limits within CB?
  • Are there specific plugins, configurations, or workflow best practices you’d recommend to prevent account sharing without ruining the user experience?
Any advice or tips would be greatly appreciated!

1 week 5 days ago #343987 by krileon
CB AntiSpam provides duplicate login and login sharing protection.

The duplicate login protection ensures an account can only ever have 1 login session. For example if Person A logs in as User A and then Person B logs in as User A then Person A is logged out. The login sharing protection is just ip address based and prevents different ip addresses from logging into the same account at the same time.

Both of these features can be configured to block in a number of ways. For example, just denying logins or logging someone out, or blocking the entire account temporarily or permanently.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.

1 week 4 days ago #343995 by okp-medezide
Hi krileon,

Thanks for the quick reply! That’s great news—we actually already have CB AntiSpam installed to handle Captchas during registration, so I will definitely dive deeper into those settings to see how we can configure the duplicate login and IP protections.

Since we are exploring all our options, I have two quick follow-up questions regarding how far we can take this protection:
  • Device-based Activation Limits: Is there any feature built into CB AntiSpam (or another CB extension) that can limit the specific number of devices tied to an account? For example, capping it at 2 allowed "activations" so a user can use their work computer and smartphone, but nothing else?
  • Sequential Account Sharing: The simultaneous IP/login block sounds perfect for concurrent users, but does CB have a way to deter "sequential" sharing? For instance, if Person B logs in from a different location after Person A has logged out for the day?
Your first suggestion regarding concurrent session and IP blocking might very well be enough for our needs, but I just want to make sure I'm fully aware of what’s possible within the ecosystem.

Appreciate your help with this!

1 week 4 days ago #343998 by krileon

Device-based Activation Limits: Is there any feature built into CB AntiSpam (or another CB extension) that can limit the specific number of devices tied to an account? For example, capping it at 2 allowed "activations" so a user can use their work computer and smartphone, but nothing else?

No, that'd require device fingerprinting. It functions pretty much exclusively off IP address and session. I can add device-based login protections if you want, but it'd primarily just be User-Agent based and is easily spoofed, so it's not that great for reliability. Fingerprinting may be implemented at some point though.

Sequential Account Sharing: The simultaneous IP/login block sounds perfect for concurrent users, but does CB have a way to deter "sequential" sharing? For instance, if Person B logs in from a different location after Person A has logged out for the day?

Yes, that's supported. So there are 2 features for login protection that function a bit differently. Those 2 can be combined if desired. They function as follows.

Login Sharing
This is entirely IP address based. Its main purpose is to stop someone from sharing their account with people across the globe. It pretty much limits people to inside of a household, depending on the network setup.

So if Person A logs in at location A into User A and then Person B OR Person A logs in at location B into User A, you can prevent this. You can block the account, deny the login, or log out the current login session.

Duplicate Logins
This is entirely login session based. So it doesn't care where they're logged in from. It just determines if they've an existing Joomla session or not and will act accordingly. Its main purpose is to stop 2 different people from logging into the same account at the same time.

So if Person A is logged in to User A and then Person B logs in to User A, you can also do a number of things here no matter where they are. You can block the account, deny the login, or log out the current login session.

The reality is you won't 100% prevent this, but you'll make it very annoying for a company to try and share accounts. That annoyance is a solid enough deterrent 99% of the time. I'd recommend Duplicate Logins for your usage at the very least, so an account can only ever be used by 1 person at a time, as all other sessions get deleted on login.
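To make the difference between the two protections concrete, here is a small model of them as an added example; it is not Community Builder or CB AntiSpam code. It assumes that Login Sharing compares the new login's IP with the IP the account last logged in from (remembered across logouts, which is what deters the sequential case), that Duplicate Logins only asks whether a Joomla session already exists, and it leaves out the "block account" mode.

```python
# Added model of the two login protections discussed in the thread (not CB code).
from dataclasses import dataclass, field

OFF, DENY, LOGOUT = "off", "deny", "logout"  # block modes modelled here

@dataclass
class LoginGuard:
    login_sharing: str = OFF      # IP-based check
    duplicate_logins: str = OFF   # session-based check
    active: dict = field(default_factory=dict)   # session_id -> (user, ip)
    last_ip: dict = field(default_factory=dict)  # user -> IP of last login (assumed)

    def login(self, user: str, ip: str, session_id: str):
        """Apply both checks; return ("ok"|"denied", [evicted session ids])."""
        existing = {sid: v for sid, v in self.active.items() if v[0] == user}
        to_evict = set()
        if self.login_sharing != OFF and self.last_ip.get(user, ip) != ip:
            if self.login_sharing == DENY:
                return "denied", []
            to_evict.update(existing)  # log out what is left of the other location
        if self.duplicate_logins != OFF and existing:
            if self.duplicate_logins == DENY:
                return "denied", []
            to_evict.update(existing)  # only one session may exist at a time
        for sid in to_evict:
            del self.active[sid]
        self.active[session_id] = (user, ip)
        self.last_ip[user] = ip
        return "ok", sorted(to_evict)

    def logout(self, session_id: str) -> None:
        self.active.pop(session_id, None)

def demo():
    # Constructed scenario: Person A at the office, then Person B from home.
    g = LoginGuard(duplicate_logins=LOGOUT)
    r1 = g.login("user_a", "203.0.113.10", "s1")
    r2 = g.login("user_a", "198.51.100.7", "s2")   # concurrent: s1 gets logged out
    g.logout("s2")
    r3 = g.login("user_a", "198.51.100.7", "s3")   # sequential: allowed, nothing to evict
    strict = LoginGuard(login_sharing=DENY)
    strict.login("user_a", "203.0.113.10", "s1")
    strict.logout("s1")
    r4 = strict.login("user_a", "198.51.100.7", "s2")  # sequential from a new IP: denied
    return r1, r2, r3, r4
```

Running `demo()` shows why Duplicate Logins alone does not stop sequential sharing while the IP-based check does, at the cost of blocking the same person when they change networks.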


1 week 11 hours ago #344008 by okp-medezide
Hi krileon,

Thanks for the detailed breakdown.

Regarding device tracking—please do consider adding device fingerprinting to the roadmap for the future.

Restricting strictly by IP would definitely introduce too much UX friction for them—especially since the user might frequently switch between the office network, home Wi-Fi, and mobile data during their daily commutes.
Because of that, we will settle on the Duplicate Logins method for now.

Since we prefer a "soft touch" approach right now, are there any built-in features within CB AntiSpam (or perhaps using CB Auto Actions) to simply monitor and log behavior instead of automatically blocking it?

For example, we would love to track or get a notification if an account logs in from more than 3 unique IPs in a single day, or has an unusually high volume of login/logout actions. If we can audit this data, we can flag suspicious accounts and reach out to them directly with a gentle warning email, rather than frustrating a paying customer with an automatic lockout.

What would be the best way to set up that kind of internal auditing within the CB ecosystem?

Thanks again for your amazing support!
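The "soft touch" audit requested above, as an added example that is not a CB AntiSpam feature: it runs over constructed login-log lines and flags an account that used more than 3 distinct IPs on one day, or produced an unusually high number of login/logout events, so a moderator can reach out instead of locking the account. The log format "<ISO timestamp> <login|logout> <user> <ip>" is an assumption for this example.

```python
# Added audit example over a constructed log (not CB AntiSpam's own logging format).
from collections import defaultdict

MAX_IPS_PER_DAY = 3       # the threshold from the thread
MAX_EVENTS_PER_DAY = 20   # "unusually high volume" of login/logout actions (assumed)

# Constructed sample: one account that looks shared, one normal commuter account.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z login  acme_lead 203.0.113.10
2024-05-06T08:40:03Z logout acme_lead 203.0.113.10
2024-05-06T09:15:44Z login  acme_lead 198.51.100.7
2024-05-06T11:02:19Z login  acme_lead 192.0.2.44
2024-05-06T13:30:00Z login  acme_lead 192.0.2.91
2024-05-06T07:55:00Z login  j_doe 203.0.113.10
2024-05-06T12:10:00Z login  j_doe 198.51.100.20
2024-05-07T09:00:00Z login  acme_lead 203.0.113.10
"""

def parse(log_text):
    """Yield (day, event, user, ip); lines that do not fit the assumed format are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("login", "logout"):
            continue
        ts, event, user, ip = parts
        yield ts[:10], event, user, ip

def audit(log_text, max_ips=MAX_IPS_PER_DAY, max_events=MAX_EVENTS_PER_DAY):
    """Return {(user, day): [reasons]} for accounts worth a manual look."""
    ips = defaultdict(set)
    events = defaultdict(int)
    for day, _event, user, ip in parse(log_text):
        ips[(user, day)].add(ip)
        events[(user, day)] += 1
    flags = {}
    for key in ips:
        reasons = []
        if len(ips[key]) > max_ips:
            reasons.append(f"{len(ips[key])} distinct IPs (limit {max_ips})")
        if events[key] > max_events:
            reasons.append(f"{events[key]} login/logout events (limit {max_events})")
        if reasons:
            flags[key] = reasons
    return flags
```

Office, home and mobile networks give a legitimate user two or three IPs a day, so the IP threshold sits just above that; the event threshold should be tuned from your own baseline before anyone is contacted.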

1 week 5 hours ago #344012 by krileon
The blocking behavior is entirely customizable. For example you don't have to block the account. You can just have it log out any other login session. The idea being no matter the device and no matter the location only 1 session can exist for an account at any given time.

Since we prefer a "soft touch" approach right now, are there any built-in features within CB AntiSpam (or perhaps using CB Auto Actions) to simply monitor and log behavior instead of automatically blocking it?

Yes, it has logging support.

For example, we would love to track or get a notification if an account logs in from more than 3 unique IPs in a single day, or has an unusually high volume of login/logout actions. If we can audit this data, we can flag suspicious accounts and reach out to them directly with a gentle warning email, rather than frustrating a paying customer with an automatic lockout.

There's support for new device notifications that can be sent to the user and/or moderation.

What would be the best way to set up that kind of internal auditing within the CB ecosystem?

It's all entirely configured within CB AntiSpam > Parameters > Login.
