---
title: Account sharing
description: Account sharing is one account used by several people who aren't the owner: a password passed around a household, team, or group. Rupt detects it from device counts, concurrent sessions, and impossible travel.
---

# Account sharing

Account sharing is when one account is used by more than one person: a login passed around a household, a team seat split between coworkers, a subscription resold to strangers. The credentials are correct every time, so nothing looks wrong at the auth layer. The tell is the pattern of use over time: more devices and more locations than one person racks up, plus activity in two places at once.

This is the risk Rupt v2 was built around, and it's scored on the `access` [action](/docs/v3/concepts/actions). It also stays in play on `login` so you can act at sign-in rather than waiting for the next page view.

## What Rupt looks for

- **[Device count](/docs/v3/concepts/devices)**: how many distinct computers, tablets, and phones have touched the account. Counts are tracked per device type, since five phones on one account reads very differently from five shared computers.
- **[Concurrent sessions](/docs/v3/concepts/concurrency)**: the account is active from two places at the same time, which one person can't be.
- **[Impossible travel](/docs/v3/concepts/impossible-travel)**: back-to-back activity from locations too far apart to bridge in the time elapsed.
- **[Velocity](/docs/v3/concepts/velocity)**: an unusual rate of activity for a single user.

## Severity and response

The checks aggregate into an `account_sharing` [risk](/docs/v3/concepts/risks) severity. Sharing is rarely something you want to hard-block, since the account holder is often involved, so most teams [challenge](/docs/v3/concepts/challenges) to re-verify the owner, or [add them to a list](/docs/v3/concepts/lists) for follow-up and treat repeat offenders as an upsell to a larger plan. Your [policies](/docs/v3/concepts/policies) decide which.