Detecting Account Sharing and Repeated Trials in Firebase Auth with Upollo

Firebase Auth is a great tool to add account management to your app or service. It takes care of the myriad of ways people like to login.

However, Firebase can't tell you anything about the people behind those accounts. It can't tell you if Bob creates a new account every month so he can get the free trial again and again. It also can’t tell you that Peter and Patsy have created one account and share the password so they only have to pay once.

With Upollo you can detect these events and nudge the user onto the right path. You can detect that Bob is creating his 10th account, stop giving him the free trial and convert him into a paying customer. You can tell Peter and Patsy that you know they are sharing an account which is against your policy and get them to upgrade their account.

To learn more about the opportunities in converting repeat trial users and account sharers see Turn Repeated Trials Into Growth and Grow By Understanding Account Sharing

This article will focus on web applications but the same applies to mobile apps as well.

Detecting account sharing and repeated trials in Firebase​

Consider, if you are logging in using signInWithPopup from the Firebase SDK.

import { GoogleAuthProvider, signInWithPopup } from "firebase/auth";

const authProvider = new GoogleAuthProvider();
authProvider.addScope("profile");
authProvider.addScope("email");

await signInWithPopup(auth, authProvider);

Instead of continuing your login flow after that you would use the assess method from Upollo Web Library with the user details returned from firebase. In the returned flags you can see if it is a repeated action or account sharing.

import { UpolloClient, EventType, FlagType } from "@upollo/web";

const upollo = new UpolloClient(“ADD_API_KEY_HERE”);

const userCredential = await signInWithPopup(auth, authProvider)
const user = userCredentials.user

const identifyResponse = await upollo.assess(
  {
    userId: user.uid,
    userEmail: user.email,
    userPhone: user.phoneNumber,
    userName: user.displayName,
  },
  EventType.EVENT_TYPE_LOGIN
)

const flagTypes = identifyResponse.flags.map((flag) => flag.type);

if (flagTypes.includes(FlagType.ACCOUNT_SHARING)) {
  // The user was account sharing
  // let them know they should create their own account.
}

if (flagTypes.includes(FlagType.REPEATED_SIGNUP)) {
  // The user was repeating the trial
  // dont offer the trial for free.
}

// otherwise let the user continue normally

For an even more secure solution, you can repeat the same checks server side by using the Upollo token and one of our server side libraries to validate the flags on your server.

If you are interested in this space and would like to hear more, please sign up and follow us on LinkedIn or Twitter.