
Online Activation for desktop software


#1

Hi guys,
My software is licensed per user and currently doesn’t have an online activation. It has a SoftwarePassport/Armadillo licensing/copy protection system.

But I noticed that some of my users install a license key for 1 user on 5-10-30 computers. Also there are some cracked versions available, because for Armadillo there are plenty of hack tools and tutorials.

I decided it is a good time to add an online activation system for my desktop tool.
Something with public/private keys to prevent a possibility of a fake activation server.

But I understand that a normal user can install the program on a couple of computers and change computers / update hardware from time to time.
Once I used a program that allowed 7 activations in total and it took me about 5 years to have all 7 activations used. Then I had to contact support so they enabled another 7 activations. But I didn’t like that experience.

How many activations per week/month/year/total should an online activation system allow?

What are the best practices?
Maybe to allow 2 activations per week, 3 per month, but not more than 5 or 6 per year but to check that some old installations are not active? Or something similar.

IMO the online activation system should also track that some PCs are not in use anymore and somehow should “forget” about these old activations.


#2

My answer will be biased (I’m the founder of the company that makes LimeLM – licensing for Windows, macOS, Linux, and BSD).

The question you’re asking is a bit like asking “how do I build a car?”. And the answer to that is you’ll be able to build a mediocre soap box derby car in a weekend with your kid. Or if you want to build a great soap box derby car, it might take several weekends. But building a real car? A car you can drive from point A to point B in real-world conditions? It might take you years to build a very bad one from parts found. And it almost certainly would not pass an inspection (from an inspector that wasn’t a friend or who wasn’t bribed).

To state things plainly: building accurate, fast, good software licensing that doesn’t cause customers to lose their mind is hard. Very, very hard.

We’ve been selling software licensing for a bit more than a decade and our licensing is used on hundreds of millions of devices in every industry in just about every conceivable device configuration. And even today we see weird device configurations that we have to handle.

To sum up: buy something off the shelf. There are a few good licensing solutions out there. We’re one of them.

Now, digging into your questions:

> I decided it is a good time to add an online activation system for my desktop tool.
> Something with public/private keys to prevent a possibility of a fake activation server.

Yes, asymmetric encryption (RSA or ECC) is a start. Every programming language has some library or something built into the language that you can use. Read the documentation (don’t use Stackoverflow – there are so many bad encryption examples there it’s unbelievable).

Also, if you’re going down this rabbit hole to stop all cracking, I’ll have to break the news to you: it’s not possible to stop (or even slow down) cracking.

If you’re implementing online activation to increase your revenue from legitimate customers, then yes, you’re doing it for the correct reasons (although I’d still strongly recommend buying off-the-shelf).

> But I understand that a normal user can install the program on a couple of computers and change computers / update hardware from time to time.

That’s the whole ballgame. Correctly “fingerprinting” computers (and handling legitimate changes to the same computer over time) is what separates garbage licensing products from licensing that is actually good. Honestly, you need to take all of the components of the computer, and correctly “weight” them, and generate a unique ID from those components (while still accounting for legitimate changes).

My advice: buy 20 or 30 computers and install a variety of OS systems that you’ll be supporting. Then buy a handful of external network adapters, hard drives, and other components to plug / unplug to/from these devices. That will get you a very bare-minimum start of the many weird configurations that your customers will have. Now you have to write the first-draft algorithm.

> How many activations per week/month/year/total should an online activation system allow?

For a well written licensing product? 1 activation per machine. And you can optionally allow customers to move between machines.

> IMO the online activation system should also track that some PCs are not in use anymore and somehow should “forget” about these old activations.

With floating licensing that’s possible. With node-locked licensing what you’re describing is impossible. I can dig into this and explain it in-depth if you’d like. You can read our article about the difference between floating licensing and node-locked licensing and you can probably figure out why it’s impossible.
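
The "public/private keys against a fake activation server" idea from #1 and #2, as an added Go example (not code from any poster or from LimeLM): the server signs each activation response and the app verifies it with an embedded public key. Ed25519 stands in for the "RSA or ECC" mentioned above; the field names, the per-request nonce and the expiry are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

var demoPub, demoPriv, _ = ed25519.GenerateKey(nil) // constructed demo key pair

// Activation is the server's statement about one install (field names are assumptions).
type Activation struct {
	LicenseKey string `json:"license_key"`
	MachineID  string `json:"machine_id"`
	Nonce      string `json:"nonce"`   // fresh random value sent by the client
	Expires    int64  `json:"expires"` // Unix time; forces periodic re-activation
}

// SignActivation runs on the server, the only holder of the private key.
func SignActivation(priv ed25519.PrivateKey, a Activation) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyActivation runs in the app; the signature is checked on the raw bytes before parsing.
func VerifyActivation(pub ed25519.PublicKey, payload, sig []byte, machineID, nonce string, now time.Time) (Activation, error) {
	var a Activation
	if !ed25519.Verify(pub, payload, sig) {
		return a, fmt.Errorf("bad signature: not issued by the real server")
	}
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	if a.MachineID != machineID || a.Nonce != nonce {
		return a, fmt.Errorf("issued for another machine or an earlier request")
	}
	if now.Unix() >= a.Expires {
		return a, fmt.Errorf("activation expired")
	}
	return a, nil
}

func main() {
	payload, sig, _ := SignActivation(demoPriv, Activation{"DEMO-KEY-0001", "machine-A", "n-1", time.Now().Add(time.Hour).Unix()})
	_, err := VerifyActivation(demoPub, payload, sig, "machine-B", "n-1", time.Now())
	fmt.Println("response copied to machine-B:", err)
}
```

This covers a forged server and a copied or replayed response only; it does not address a patched binary, which is the distinction drawn in #2.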


#3

Actually I like to handle such cases like
Case 1. The user purchased 1 license for himself. But he needs to install it on 2 Computers: his office PC and his laptop to travel to his client. This case is quite normal.

And then the user buys a new PC to replace the old one, and the program should work there as well.

Case 2:
A company purchased a 5-user license. They installed the program on 5 computers. 2 computers broke or burned. So there is no way to deactivate a license on these 2 computers. But the activation system should allow them to use the program on 5 PCs.
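
One way to get the behaviour asked for in Case 2 and in #1 ("forget" machines that are gone) is to treat each activation as a lease renewed by periodic check-ins, in the spirit of the floating model mentioned in #2. This is an added Go sketch of the server-side seat count, not code from any poster; the type and function names and the 14-day lease are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// SeatPool tracks which machines hold a seat on one license (names are assumptions).
type SeatPool struct {
	Seats    int
	LeaseTTL time.Duration        // a machine silent for longer than this loses its seat
	lastSeen map[string]time.Time // machine ID -> last successful check-in
}

func NewSeatPool(seats int, ttl time.Duration) *SeatPool {
	return &SeatPool{Seats: seats, LeaseTTL: ttl, lastSeen: map[string]time.Time{}}
}

// CheckIn is called on activation and on every periodic heartbeat. It returns
// true if the machine holds a seat after the call.
func (p *SeatPool) CheckIn(machineID string, now time.Time) bool {
	for id, seen := range p.lastSeen { // forget machines that stopped checking in
		if now.Sub(seen) > p.LeaseTTL {
			delete(p.lastSeen, id)
		}
	}
	if _, held := p.lastSeen[machineID]; !held && len(p.lastSeen) >= p.Seats {
		return false // every seat is held by a machine seen recently
	}
	p.lastSeen[machineID] = now
	return true
}

// Release is the explicit deactivation path for a machine that still works.
func (p *SeatPool) Release(machineID string) { delete(p.lastSeen, machineID) }

func main() {
	day, t0 := 24*time.Hour, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	pool := NewSeatPool(5, 14*day)
	for _, id := range []string{"pc1", "pc2", "pc3", "pc4", "pc5"} {
		pool.CheckIn(id, t0)
	}
	fmt.Println("6th PC, day 0:", pool.CheckIn("pc6", t0))
	for _, id := range []string{"pc1", "pc2", "pc3"} { // pc4 and pc5 have died
		pool.CheckIn(id, t0.Add(10*day))
	}
	fmt.Println("6th PC, day 15:", pool.CheckIn("pc6", t0.Add(15*day)))
}
```

The lease length is the trade-off: a short lease frees a dead machine's seat quickly but requires the app to reach the server more often.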


#4

Once upon a time I did my own RSA keygen system, which I still use. No problem with keygens, but plenty of cracks/patches as you can imagine.
www.zabkat.com/blog/27Jun10-openssl-keygen.htm


#5

Used Armadillo in the past until it became abandoned. Now using own activation system - took a week to implement and a month to fix/tweak things here and there. It’s absolutely worth the effort as the essential part of the business is now completely under control. Off the shelf solutions are good for new businesses, but if you have resources to build your own, I suggest doing it.


#6

And yet, at the end you say…:

> Isn’t this magic? With a mere 100 lines of code you have yourself the bare essentials of a potentially uncrackable software key scheme!

You even bolded the word uncrackable. I get what you were trying to accomplish; you’re attempting to stop keygens from being made. But claiming you created something uncrackable is misleading at best. Honestly, you could have used a Vigenère cipher (something trivially easy to create a keygen for) and the crackers would have still chosen the path of least resistance (cracking your app) instead of trying to understand what you used to create your keys.

It seems like a semantics argument, but there are too many licensing companies falsely claiming uncrackability, that I feel obligated to point out the absurdity of it every time “uncrackability” is mentioned (even when the claim is made in a personal blog about a home-grown implementation).

My point is, even if you use asymmetric cryptography to create serial numbers (or blobs of text that customers can pass around as if they were serial numbers) that doesn’t magically make your app uncrackable (nothing stops cracking). Nor does it prevent casual piracy (well-designed online activation does stop casual piracy).