ShieldLabs is an anonymous visitor identification and traffic quality platform. It analyzes device, browser, IP, and network signals, detecting mismatches between them to identify anonymous visitors and assign a real-time explainable risk score to every visit, as well as detect abuse patterns across your traffic.

What is ShieldLabs used for?

ShieldLabs is used to identify anonymous visitors, assess traffic quality, and detect abuse activity such as multi-accounting, fake account creation, account takeover, free trial abuse, bonus abuse, ban evasion, referral fraud, account sharing, coupon abuse, subscription abuse, giveaway fraud, voting manipulation, and survey fraud.

Who is ShieldLabs for?

ShieldLabs is best for startups, small-to-mid-sized businesses, and digital platforms with medium to high traffic volume that need a cost-effective anonymous visitor identification solution. Built for product, fraud, and growth teams at SaaS platforms, fintech, iGaming, e-commerce, Web3, media and streaming, travel, and technology platforms - any business dealing with anonymous traffic and abuse.

How accurate is ShieldLabs?

ShieldLabs detects anonymized connections and environment spoofing with up to 99% accuracy through multi-layer analysis.

How is ShieldLabs different from traditional abuse prevention platforms?

ShieldLabs delivers the same level of visitor identification and abuse detection used by platforms like Google and X / Twitter — with transparent per-request pricing, self-serve integration in 5 minutes, and an explainable risk score. No "Contact Sales," no enterprise contracts.

Can a visitor be recognized when IP changes?

Yes. ShieldLabs generates a persistent visitor ID. This identifier remains stable across sessions even when the visitor changes IP, clears cookies, switches to incognito mode, or creates a new account.

What is a persistent visitor ID?

A persistent visitor ID is a stable identifier assigned to each visitor. Unlike cookies or IP addresses, it survives IP rotation, cookie clearing, incognito mode, and account changes - allowing real-time recognition of returning visitors regardless of how they try to hide.

What is browser fingerprinting?

Browser fingerprinting is a technique for identifying website visitors by collecting unique browser signals such as browser version, preferred language, screen resolution, installed fonts, and graphics rendering. These signals are combined to generate a unique identifier that recognizes the visitor across sessions — even without cookies.

What is device fingerprinting?

Device fingerprinting identifies a visitor based on hardware and operating system signals such as device type, OS version, memory, processor, and screen parameters. Combined with browser fingerprinting, it produces a more stable and accurate identification.

How does device fingerprinting differ from browser fingerprinting?

Browser fingerprinting collects signals from the browser — version, language, plugins, screen resolution. Device fingerprinting collects signals from the hardware and operating system — device type, OS, memory, processor. ShieldLabs combines both to generate a persistent visitor ID with higher accuracy than either method alone.

Does ShieldLabs do device fingerprinting or browser fingerprinting?

Both. ShieldLabs analyzes 70+ signals across device, operating system, and browser to generate a persistent visitor ID. It then cross-validates these signals against network and IP data to detect mismatches and expose anonymous visitors.

Is browser fingerprinting safe?

For businesses, browser fingerprinting is used to identify anonymous visitors and distinguish between legitimate users and potentially fraudulent ones. ShieldLabs does not track users across sites and does not collect personally identifiable information during the fingerprinting process. For visitors, the process is invisible and adds no friction to their experience.

Can ShieldLabs detect a visitor in incognito mode or on a VPN?

Yes. Device and browser fingerprinting signals remain consistent even in incognito mode. VPN connections are detected through IP intelligence and cross-layer mismatch analysis. ShieldLabs identifies the visitor in both cases.

What can ShieldLabs detect?

ShieldLabs detects VPN, proxy, TOR, iCloud Private Relay, anti-detect browsers, tampered browsers, anti-fingerprint tools, data center and hosting infrastructure, environment spoofing, device tampering, location spoofing, timezone mismatches, and abuse activity. All detection works in real time.

Does ShieldLabs detect anti-detect browsers?

Yes. Anti-detect browsers are designed to mask device fingerprints and rotate identities. ShieldLabs detects them through cross-layer mismatch analysis, identifying the difference between what the browser claims and what is actually detected.

Can ShieldLabs detect fake accounts and multi-accounting?

Yes. The system builds an identity graph linking visitors, devices, and accounts across sessions. When the same person creates multiple accounts — even using different IPs, browsers, or anti-detect tools — the system connects them through shared device and network characteristics.

Can ShieldLabs detect account takeover?

Yes. When an account is accessed from an unrecognized device, suspicious connection, or unusual location, the system flags it as a potential account takeover.

Can ShieldLabs detect location spoofing?

Yes. The system detects timezone and geolocation mismatches between what the browser reports and what the IP and network reveal — indicating masked or spoofed visitor location.

Does ShieldLabs detect account sharing?

Yes. When multiple devices, locations, and network signatures access the same account, the system flags it as potential account sharing — helping protect subscription value and enforce per-user access.

Risk Score is a numerical assessment of explainable risk for every visit. It is calculated from anonymity indicators, cross-layer mismatches, and network signals. A high score indicates an increased probability of an anonymous or masked visit. Every score includes clear reasons for every contributing factor.

How is Risk Score calculated?

Each detected signal contributes to the final score - VPN detection, proxy connection, OS mismatch between browser and network, timezone conflict, data center IP, and more. Risk score reflects the cumulative risk level and explains each factor.

What is traffic risk level?

Traffic risk level is an overall assessment of anonymity across all your traffic. It shows what percentage of visitors are clean, low risk, medium risk, or high risk - giving you visibility into overall traffic quality.

Does ShieldLabs automatically block users?

No. ShieldLabs provides risk score, scoring reasons, and detailed visitor data. The blocking decision is made by you - either manually or through automated rules you configure.

What is an identity graph?

An identity graph is a map of connections between visitors, devices, and accounts. ShieldLabs builds this graph automatically by linking persistent visitor IDs, device fingerprints, and network signals across all sessions — revealing which accounts are connected and the risk level of each connection.

What are abuse patterns?

Abuse patterns are ready-made detection rules that identify suspicious connections between visitors, devices, and accounts — such as many accounts on one device, changing IDs on one account, or many devices on one account. Each pattern flags potential multi-accounting, account sharing, ban evasion, or coordinated abuse.

What is traffic quality?

Traffic quality is a measure of how much of your traffic comes from real, identifiable visitors versus anonymous, masked, or suspicious traffic. ShieldLabs assigns a risk level to your overall traffic and a risk score to every visitor.

How long does integration take?

Integration takes approximately 5 minutes. Add a code snippet to your site, and the system immediately begins anonymous visitor identification and real-time traffic analysis.

Which frameworks are supported?

ShieldLabs supports JavaScript, Next.js, React, Angular, Vue.js, Preact, and Svelte.

Does ShieldLabs provide API and Webhooks?

Yes. Risk score, visitor IDs, and detailed detection signals are available via API and Webhooks in real time for automation of fraud prevention rules and protection scenarios.

Does ShieldLabs affect real users?

No. The system operates in the background and does not require any additional actions from visitors. No CAPTCHAs, no challenges, no friction.

How does pricing work?

ShieldLabs offers transparent per-request pricing with a free tier. Start free, scale as you grow. No enterprise contracts, no "Contact Sales."

Is there a free plan?

Yes. The free plan includes 5,000 requests for initial traffic quality check and anonymous visitor identification.

Is account sharing the same as password sharing?

They overlap but are framed differently. Password sharing often means using a password manager to hand a credential to someone securely, which is deliberate. Account sharing detection is about noticing when one paid login is used by people who were not meant to have it, by counting the distinct devices behind the account rather than the password.

Can account sharing detection produce false positives?

Yes, it is the main risk to plan for. One real person uses several devices, and even two browsers on one laptop can read as two identities, so a high device count is a signal, not proof. Treat it as evidence, set the action threshold as a business decision, and prefer reversible responses over a hard block.

How is account sharing different from account takeover?

In account takeover, an attacker uses credentials the owner never authorized, so the goal is to stop them. In account sharing, the owner usually handed out the login on purpose, so the goal is usually to recover revenue or apply limits, not to lock anyone out. The signals overlap, especially impossible travel, but the intent and the right response differ.

Is account sharing illegal?

It depends on the jurisdiction and the terms of service rather than being a simple yes or no. In the United States, sharing credentials against a service's terms has been argued under the Computer Fraud and Abuse Act, though enforcement against casual sharing is rare. For most platforms it is a terms-of-service and revenue matter, not a criminal one.

How does ShieldLabs detect account sharing?

ShieldLabs assigns each session a persistent device identity linked to your account, then surfaces a pattern when one account accumulates many distinct devices, impossible-travel logins, or anonymity tools. It returns a risk score with the named signals, and your own rules decide whether to prompt an upgrade, limit sessions, or re-authenticate. The free tier covers your first 5,000 identifications.

Back to blog

June 12, 2026Account sharing Detection Fraud prevention

How to detect account sharing?

Vladislav PuhalskyProduct Manager

Account sharing detection: one login used by several people, revealed by counting the distinct device identities behind a single account over time

Last updated on June 15, 2026 · 11 min read

Account sharing detection is the practice of identifying when one login is used by several people, by counting how many distinct device identities sit behind a single account over time. It is the mirror image of multi-accounting: there, one person hides behind many accounts; here, many people hide behind one. For subscription and SaaS businesses, the second one quietly drains revenue, because every extra person on a shared login is a seat or a plan that was never bought.

Account sharing is the case teams most often get wrong, because the honest answer is uncomfortable: the same evidence that flags a sharer also describes a real customer with a phone, a laptop, and a work machine. This guide explains what account sharing detection actually is, how it works, the signals that reveal it, and how to act on it without punishing the people paying you.

Key takeaways

Account sharing detection counts the distinct device identities behind one login over time, rather than trusting the login itself. Too many separate devices on one account is the core signal.
It is not the same as password sharing in the password-manager sense, and it is not account takeover. Those are different problems with different fixes.
The hard part is false positives: one real person legitimately uses several devices and browsers, so the device count is a signal, not a verdict.
The right response is rarely a block. It is a prompt to upgrade, a session limit, or a re-authentication, decided by your own rules on top of the score.

Account sharing is when one set of login credentials is used by more than one person. On subscription platforms it ranges from a family passing around one streaming login, to a team using a single paid seat instead of buying more (the SaaS seat-sharing case), to credentials resold to strangers. The common thread is that the platform charges for one user and serves several.

It is worth separating it from three things it gets confused with, because each has a different fix:

Not password-manager sharing. "Password sharing" often means sending a password to a colleague securely. That is a deliberate, sanctioned act with a password manager. Account sharing detection is the opposite concern: noticing when one paid login is being used by people who were never meant to have it.
Not account takeover. In account takeover, an attacker uses credentials the real owner did not authorize. In account sharing, the owner usually handed the login out on purpose. The signals overlap, but the intent and the response differ.
Not just the streaming-password-crackdown story. The consumer headlines are about one large platform enforcing household rules. The same mechanics apply to any subscription or SaaS product, usually framed as protecting revenue rather than policing households.

This guide is about the subscription and SaaS case: detecting that one login serves many, so you can decide what to do about it.

Account sharing detection works by giving each session a stable identity, then counting how many distinct identities accumulate on a single account over time. The login alone cannot tell you this, because everyone signs in with the same credentials. What separates the users is the device and the connection behind each session. Academic work on the problem in 2024 reached the same conclusion: the most reliable signal is the set of distinct devices behind a login, not anything in the credentials themselves.

The mechanic is the inverse of multi-accounting. There, you link many accounts back to one device to prove a single person is behind them. Here, you link many devices to one account to prove several people are behind it. Both rely on the same foundation: a persistent device identifier that survives a cleared cookie and a rotated IP, so a returning session is recognized as the same machine and a genuinely new machine stands out.

Tie that identifier to the account in your system, watch the count of distinct devices grow, and a shape appears. One account touched by two or three stable devices over months looks like a household or a person with a few gadgets. One account touched by a dozen unrelated devices in a week looks like a login that has been handed around.

One account linked to many distinct device identities over time, the inverse of multi-accounting where many accounts link to one device

No single signal proves sharing. The picture comes from reading several together and weighing how far the account drifts from single-user behavior. These are the ones that do the work:

Signal	What it indicates	Strength
Distinct device count	Many separate device identities on one account over time, surviving cleared cookies and rotated IPs	High
Impossible travel	The same account logging in from locations too far apart to travel between in the elapsed time	High
Geographic spread	Logins clustered in places no single household or person would span	Medium
Anonymity tools	VPN, proxy, or anti-detect browser used to mask out-of-household or resold access	Medium
Sequential bursts	A login passed between devices in turns, never overlapping, which session caps miss	Medium

The strongest single signal is the distinct device count, because it reflects the real machines behind the login rather than anything the users can edit. Impossible travel is the next, since two logins on different continents only minutes apart cannot come from one traveling person, and so is plain simultaneous use, two or more devices active on the same account at the same time in different places. Anonymity signals confirm the picture: a VPN, an anonymous proxy, or an anti-detect browser, plus an OS mismatch or a timezone mismatch between what the connection claims and what the device reports, all point to out-of-household or resold access. These signals are weighed together rather than acted on one row at a time, since any one of them in isolation describes plenty of ordinary users.

How aggressive any of these looks depends on the time window you measure over, which is itself a tuning decision. A short window tolerates a real user switching from a phone to a laptop and back, but lets slow, take-turns sharing slip through; a longer window catches the sharing that takes turns over days, at the cost of flagging more legitimate multi-device use. There is no universal threshold, only the one that fits how your own customers actually behave.

Why a concurrent session limit misses it

The usual first instinct is a concurrent session limit: cap how many sessions can be active at once. It helps, but it only sees sharing that overlaps in time. The most common kind does not.

A family or a team passing one login around tends to take turns. One person watches in the evening, another the next morning; one colleague uses the seat on Monday, another on Tuesday. At no single moment are two sessions live, so a concurrent cap sees nothing wrong. Identity-based detection catches it because it counts distinct devices over time, not sessions at one instant. That is the gap a session limit leaves open, and it is where most real sharing lives.

The hard part: not punishing real users

Here is the uncomfortable part most write-ups skip. The same evidence that flags a sharer also describes a normal customer. One real person routinely uses a phone, a personal laptop, and a work machine, and may add a tablet and a smart TV. Each is a distinct device. A high device count is suspicious, but it is not proof.

It gets subtler. A device identifier is read in the browser, so the same person using two different browsers on one laptop can register as two devices, because the browser fingerprinting signals differ between them. A household behind one shared home IP can look tighter than it is, and a single traveler on a VPN can look like impossible travel. None of these is a sharer.

The honest conclusion is that account sharing detection produces a signal, not a verdict. The device count, the travel, the anonymity tools, raise or lower confidence, but the threshold for action is a business decision, and the safest responses are reversible. This is exactly why a system that returns the reasons behind a score beats one that returns a yes-or-no: you can see whether an account tripped on five devices in one city or twelve across three continents, and treat them differently.

Because the evidence is probabilistic and your customers are paying you, blocking is rarely the right first move. The responses that work treat sharing as a revenue and a security question rather than a punishment:

Prompt an upgrade. When an account shows a sharing pattern, offer more seats or a family plan. The goal is to convert the sharers into paying users, not to lock anyone out.
Limit concurrent sessions. Cap simultaneous logins on accounts that drift past a threshold, which nudges heavy sharing without touching ordinary use.
Re-authenticate new devices. Ask for a second factor when an unfamiliar device appears on a sensitive account, which also covers account takeover.
Reserve hard blocks for the clear cases. Save a real restriction for accounts whose pattern only resale explains, like dozens of devices across many countries.

The thread is that detection informs the response, but your own rules own it. The data layer tells you how many people sit behind a login and how confident it is; what you do about it depends on your product, your pricing, and your tolerance for friction.

ShieldLabs gives every session a persistent device identity and lets you attach it to the account in your system, so it counts the distinct devices behind each login over time. When an account behaves like many users, a pre-built pattern for account sharing surfaces in the analytics dashboard, alongside an impossible-travel pattern when the same account logs in from places it could not have traveled between.

Each session also returns a risk score from 0 to 100 with the named signals behind it, including the anonymity signals, a VPN, proxy, or anti-detect browser, that often accompany resold or out-of-household access. ShieldLabs scores and names the evidence. You get the risk score and named anonymity signals through the API and webhooks and decide, by your own rules, whether to prompt an upgrade, limit sessions, or re-authenticate to prevent account sharing, so the verdict stays in your application.

Frequently asked questions

WebGL fingerprinting: a hidden 3D scene rendered by a device's GPU into a distinct hash that identifies the graphics hardware

Browser fingerprinting Device intelligence

What is WebGL fingerprinting? How the GPU gives a device away

WebGL fingerprinting identifies a device by how its GPU renders 3D graphics. How it works, what it reveals, and how it differs from canvas.

Pavel NuryieuHead of ResearchJune 29, 2026

TLS fingerprinting: a client's TLS handshake, its cipher suites and extensions, condensed into a JA3 or JA4 hash that identifies the software behind the connection

Browser fingerprinting Network signals

What is TLS fingerprinting? How JA3 and JA4 identify a client

TLS fingerprinting identifies the software behind a connection from its TLS handshake. How it works, what JA3 and JA4 are, and what it reveals.

Vasil MakarchukChief Technology OfficerJune 29, 2026

Font fingerprinting: the set of fonts installed on a device measured from how text renders, condensed into a value that identifies the device

Browser fingerprinting Device intelligence

What is font fingerprinting? How your installed fonts identify you

Font fingerprinting identifies a device by which fonts are installed, read from how text renders. How it works, what it reveals, and how stable it is.

Pavel NuryieuHead of ResearchJune 29, 2026

What is account sharing?

How account sharing detection works

The signals that reveal account sharing