Sat May 29, 2021 3:21 pm
There's no way to prevent, in advance, third parties from logging in using credentials they've obtained from an authorized person, with or without consent/intention of the authorized person.
You can ban the account after you notice that, but it's typically too late. To some extent, two-factor authentication can help, as people usually don't share their mobile phone with friends, but it's still not 100% reliable, as the authorized person may still willingly authenticate others' access.
Client-side certificates can help against intentional sharing of the account, but only if generated the proper way and only if they cannot be exported at the client side, so hardware tokens ("smart cards") holding non-exportable certificates are the only way (on some operating systems the certificates can be exported easily, on others it requires a serious effort, but you don't know in advance what operating systems your clients will use). But even a hardware token can be used to authenticate a third party if stolen, unless you also use 2FA and the second factor has not been stolen too. Hardware tokens that require entering a password to use the certificate seem safe against both intentional sharing and theft, but not against torture/blackmail of the authorized user.
When trying to identify whether a particular access attempt is a "legal" one or not, you cannot rely on anything: several authorized users may connect from the same public IP due to Carrier-Grade NAT, so you cannot check the IP; people may connect from a mobile phone, so the same device may establish two sessions, one via Wi-Fi and the other via mobile data. So you cannot link the account to a fixed IP address to detect credential sharing or theft.
You can limit the number of simultaneous connections using the same credentials, but definitely not to a single one, for the reasons above. And even then, expect problems in case of outages, where the client will establish a new session while the server still deems the previous sessions alive.
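The concurrent-session cap with the outage caveat from the post above, as an added example that is not part of the original post or any particular product: sessions per account are capped at a small N rather than 1, and a session that has sent no heartbeat within an idle timeout is treated as dead, so a client reconnecting after an outage is not locked out by sessions the server still thinks are alive. The class names, the cap of 3, the 300-second timeout and the injectable clock are assumptions chosen for illustration.

```python
"""Per-credential concurrent-session cap with idle expiry (added example).

Assumptions: max_sessions=3, idle_timeout=300 s, a heartbeat from the
client refreshes a session, and the clock is injectable for testing.
"""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    last_seen: float  # clock reading of the last login or heartbeat


class SessionRegistry:
    def __init__(self, max_sessions: int = 3, idle_timeout: float = 300.0,
                 clock=time.monotonic):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self._clock = clock  # injectable so tests need not sleep
        self._sessions: dict[str, dict[str, Session]] = {}

    def _reap(self, user: str, now: float) -> int:
        """Drop sessions idle longer than idle_timeout; return how many went."""
        live = self._sessions.get(user, {})
        stale = [sid for sid, s in live.items()
                 if now - s.last_seen > self.idle_timeout]
        for sid in stale:
            del live[sid]
        return len(stale)

    def login(self, user: str, session_id: str) -> bool:
        """Register a session; refuse only if the cap is still reached
        after stale sessions have been reaped."""
        now = self._clock()
        self._reap(user, now)
        live = self._sessions.setdefault(user, {})
        if session_id in live:          # re-login of a known session: refresh
            live[session_id].last_seen = now
            return True
        if len(live) >= self.max_sessions:
            return False
        live[session_id] = Session(session_id, now)
        return True

    def heartbeat(self, user: str, session_id: str) -> bool:
        """Refresh a session; False if it has already been reaped."""
        now = self._clock()
        self._reap(user, now)
        s = self._sessions.get(user, {}).get(session_id)
        if s is None:
            return False
        s.last_seen = now
        return True

    def logout(self, user: str, session_id: str) -> None:
        self._sessions.get(user, {}).pop(session_id, None)

    def active_sessions(self, user: str) -> list[str]:
        self._reap(user, self._clock())
        return sorted(self._sessions.get(user, {}))


class FakeClock:
    """Manually advanced clock for the scenario below (constructed, not real time)."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def outage_scenario() -> dict:
    """Cap of 3: a fourth concurrent login is refused; after an outage with
    no heartbeats the old sessions time out and the reconnecting client
    gets in instead of being blocked by sessions the server still holds."""
    clock = FakeClock()
    reg = SessionRegistry(max_sessions=3, idle_timeout=300, clock=clock)
    r = {}
    r["first_three"] = [reg.login("alice", f"s{i}") for i in range(3)]
    r["fourth_rejected"] = not reg.login("alice", "s3")
    clock.advance(100)                      # normal operation, one heartbeat
    r["heartbeat_ok"] = reg.heartbeat("alice", "s0")
    clock.advance(301)                      # outage: no heartbeats > timeout
    r["after_outage_active"] = reg.active_sessions("alice")   # []
    r["reconnect_ok"] = reg.login("alice", "s4")
    r["old_heartbeat_rejected"] = not reg.heartbeat("alice", "s1")
    return r


if __name__ == "__main__":
    for k, v in outage_scenario().items():
        print(f"{k}: {v}")
```

The idle timeout is what makes the cap tolerable: without it, the sessions left behind by a dropped connection would count against the limit until they were explicitly logged out, which is exactly the lock-out the post warns about. The timeout must be longer than the heartbeat interval plus the longest network hiccup you are willing to ride out, or legitimate clients will be reaped mid-session.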