Block accounts using the same device

Castle's device fingerprinting makes it possible to accurately identify the same device even when it is used by multiple different user accounts. This pattern is referred to as multi-accounting and is a common fraud problem.

Depending on your tolerance for this problem, you may want to either block these signups outright or put the account on hold for review, especially if new signups receive some kind of reward.

Castle provides ways to detect and take action on accounts using the same device. In the first part, we'll find all users sharing the same device by using the "Multiple Accounts Per Device" signal, which triggers when there is more than one user on a device.

If you are ok with a few accounts sharing a device, such as a family computer, and instead want to protect against excessive amounts, use the Metric "Accounts per Device" and set a threshold on the number of accounts that fits your tolerance. See Metrics for information on how to do this.

Step 1. Find and verify unwanted multi accounting

Step 2. Create a policy to deny multi accounting sign-ups

Follow the steps for how to create a policy, and provide these options:

  • For name, use e.g. "Deny multi-accounters"
  • For event, select "Registration" and then $attempted
  • For condition, select "risk-based" and then "Don't use a risk score"
  • In the Risk signals section, expand it and check the signal "Multiple accounts per device"
  • For inline action, select "deny"
  • Verify the settings and hit "save"

Finally, enable the policy and re-order it so that it is evaluated where you intend relative to your other policies; a disabled policy does not affect the action Castle returns.
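Once the policy is live, your signup handler still has to act on what Castle returns. The following is an added example, not code from this page or from Castle's SDKs: it maps the `policy.action` and `signals` fields of a Risk API response for a `$registration` / `$attempted` event to an application-side decision, covering the block-versus-hold choice discussed above, the window in which the signal fires but the deny policy is not yet enabled, and the case where Castle could not be reached. The response shape, the `$registration`/`$attempted` field names and the signal key `multiple_accounts_per_device` are assumptions based on Castle's API and signal reference; check them against the current documentation. The sample responses are constructed for the example.

```python
"""Map a Castle Risk API verdict for a signup to an application decision.

Added example; field names and signal key are assumptions, see lead-in.
"""
from enum import Enum
from typing import Optional

# Assumed signal key for "Multiple accounts per device"; verify in Castle's
# signal reference before relying on it.
MULTI_ACCOUNT_SIGNAL = "multiple_accounts_per_device"


class Decision(Enum):
    CREATE = "create_account"
    HOLD = "hold_for_review"
    REJECT = "reject_signup"


def build_risk_request(request_token: str, email: str, ip: str, user_agent: str) -> dict:
    """Body for POST /v1/risk at the point where a registration is attempted.

    Assumed field layout of Castle's Risk API (type/status/request_token/
    user/context). The $attempted status is what the policy in Step 2 matches.
    """
    return {
        "type": "$registration",
        "status": "$attempted",
        "request_token": request_token,
        "user": {"email": email},
        "context": {"ip": ip, "headers": {"User-Agent": user_agent}},
    }


def decide_signup(
    risk_response: Optional[dict],
    hold_on_signal: bool = False,
    fail_closed: bool = False,
) -> Decision:
    """Turn Castle's verdict into what the signup handler should do.

    risk_response: parsed JSON from the Risk API, or None if the call failed
    hold_on_signal: when True, a firing multi-account signal puts the account
        on hold even if no policy denied it. Useful while you are still
        verifying the signal (Step 1) and the deny policy is not yet enabled.
    fail_closed: when Castle is unreachable, hold the account instead of
        creating it. Fail-open keeps signups working during an outage but
        is exactly the window a fraudster would exploit, so pick deliberately.
    """
    if risk_response is None:
        return Decision.HOLD if fail_closed else Decision.CREATE

    # The inline action of the first matching enabled policy wins.
    action = (risk_response.get("policy") or {}).get("action", "allow")
    if action == "deny":
        return Decision.REJECT
    if action == "challenge":
        return Decision.HOLD

    # No policy acted, but the signal may still be present in the response.
    signals = risk_response.get("signals") or {}
    if hold_on_signal and MULTI_ACCOUNT_SIGNAL in signals:
        return Decision.HOLD
    return Decision.CREATE


# Constructed sample responses (not real Castle output).
DENIED = {
    "risk": 0.93,
    "signals": {MULTI_ACCOUNT_SIGNAL: {}},
    "policy": {"action": "deny", "name": "Deny multi-accounters"},
}
SIGNAL_ONLY = {  # signal fires, but the deny policy is still disabled
    "risk": 0.71,
    "signals": {MULTI_ACCOUNT_SIGNAL: {}},
    "policy": {"action": "allow", "name": "Default"},
}
CLEAN = {"risk": 0.12, "signals": {}, "policy": {"action": "allow", "name": "Default"}}


if __name__ == "__main__":
    body = build_risk_request("tok_example", "new@example.com", "203.0.113.7", "Mozilla/5.0")
    print("request type/status:", body["type"], body["status"])
    for name, resp in [("denied", DENIED), ("signal only", SIGNAL_ONLY), ("clean", CLEAN)]:
        print(f"{name:12s} -> {decide_signup(resp, hold_on_signal=True).value}")
    print("castle down   ->", decide_signup(None, fail_closed=True).value)
```

Keep `hold_on_signal=True` while verifying the signal in Step 1, then drop back to trusting `policy.action` once the deny policy from Step 2 is enabled, so the decision lives in one place (the Castle policy) rather than being duplicated in code.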