
Software companies like Autodesk, Adobe, etc all offer online licensing schemes with the following features:

  • (1) to use the software, you must login from your workstation to activate your license
  • (2) the software may phone home periodically to ensure the validity of your license and also tell the license server that the license is in use
  • (3) once you activate your machine, if you lose internet you can still use the software for a period of time (often days/weeks)
  • (4) you may migrate your activation from machine to machine, but not activate multiple machines simultaneously

What I don't understand is how (3) and (4) are implemented without easily being abused. What's to stop a user from activating a machine and then denying the application internet access once the license is authenticated? Lack of phoning home from that point on will cause the license server to think the machine is offline (2), allowing you to authenticate a different machine in accordance with (4) while continuing to use the software on the previous machine (3).

Surely there are ways to set up a license scheme like this without enabling such an easy bypass...but I'm having a hard time thinking of any. Of course one idea would be to keep some application logic server-side, requiring an always-online connection, but that precludes (3), which is important for mission-critical software.

Any ideas?

Tyson
  • Does this answer your question? [Should I spend time preventing piracy of my app?](https://softwareengineering.stackexchange.com/questions/267981/should-i-spend-time-preventing-piracy-of-my-app) – gnat Jul 23 '21 at 05:32
  • @gnat No, obviously not. – Tyson Jul 23 '21 at 06:30
  • "What's to stop a user from activating a machine and then denying the application internet access once the license is authenticated?" – It's illegal and most people are not criminals. – Jörg W Mittag Jul 23 '21 at 08:52

1 Answer

There usually is a grace period, where offline use is limited to a number of days. This expiration must be stored on the workstation, but it can be encrypted, possibly locked to some hardware properties to prevent editing or distribution.

When going back online, the application might send back usage information, providing more information for the server to detect abuse patterns.

If abuse is detected, they can still decide (as a policy) if and when to intervene (block the account?). But for the risk of losing a customer, I suspect the usual policy is to take the collateral damage. (Who can work without internet anyway?)

Kris Van Bael
  • Locally collecting usage info while offline which could contribute to some kind of abuse heuristic during the next authentication is definitely an interesting idea...thanks for the suggestion. – Tyson Jul 23 '21 at 06:33
  • Blocking the Internet is not required, blocking the 'phone home' address is enough, and does not affect usability – Maxime Jul 27 '21 at 16:51
  • @Maxime, that would be cumbersome if it is the same service that the app needs to refresh its offline grace period. – Kris Van Bael Jul 28 '21 at 05:51
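The two mechanisms in the answer above, as an added example that is not part of the original post or of any vendor's licensing code: a server-issued offline lease that carries the grace-period expiry and is bound to a machine fingerprint, and a server-side check over uploaded usage reports that flags the (3)+(4) pattern of two machines using one license at the same time. The shared-secret HMAC, the 14-day grace period and the fingerprint strings are assumptions chosen for the demo.

```python
import hashlib
import hmac
import json

# Assumption for the demo: a shared secret so the lease can be checked offline.
# A shipped client would instead verify a public-key signature, so that no
# key capable of minting leases ever leaves the license server.
SERVER_KEY = b"constructed-demo-key"
GRACE_SECONDS = 14 * 86400  # assumed grace period: 14 days

def issue_lease(license_id, machine_fp, now):
    """Server side: mint a lease for one machine, valid until now + grace."""
    body = {"lic": license_id, "fp": machine_fp, "exp": now + GRACE_SECONDS}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()
    return raw, tag

def lease_valid(raw, tag, machine_fp, now):
    """Client side: accept only an untampered lease for this machine that
    has not yet reached its grace-period expiry."""
    expected = hmac.new(SERVER_KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # edited or forged lease
    body = json.loads(raw)
    return body["fp"] == machine_fp and now < body["exp"]

def overlapping_use(reports):
    """Server side, run when a client phones home with its offline usage log.
    reports: (machine_fp, start, end) intervals for one license.
    Returns distinct machine pairs whose usage intervals overlap, i.e. the
    license was in use on two machines at once."""
    flagged = set()
    for i, (m1, s1, e1) in enumerate(reports):
        for m2, s2, e2 in reports[i + 1:]:
            if m1 != m2 and s1 < e2 and s2 < e1:
                flagged.add(tuple(sorted((m1, m2))))
    return sorted(flagged)

if __name__ == "__main__":
    raw, tag = issue_lease("LIC-DEMO", "machine-A", now=0)
    print("day 1 ok:", lease_valid(raw, tag, "machine-A", 86400))
    print("day 15 ok:", lease_valid(raw, tag, "machine-A", 15 * 86400))
    # constructed usage log: A and B overlap between t=50 and t=100
    print(overlapping_use([("machine-A", 0, 100), ("machine-B", 50, 150),
                           ("machine-A", 200, 300)]))
```

Whether the flagged pair leads to a block or only to a support contact is the policy decision the answer describes; the code only produces the signal.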