Product activation is a popular approach for securing software licenses. However, software developers need to consider all the requirements for a capable activation system, from the license models they’ll need to support to how they’ll deal with the corner-case customer environments.
The basic activation process is typically as follows. Upon purchase the software vendor sends a unique product serial number to the user. When the user installs the application they are prompted to enter their product serial number. Their application connects to the vendor’s hosted license server over the Internet to confirm that this product serial number is valid and has not already been used to activate a license. It also obtains from the license server the license limits that apply to that user’s license, such as a time limit or enabling of product features. Finally it locks the license to the user’s system by reading certain machine parameters, such as the MAC address or hard disk ID, and encrypts the license limit and locking information in a file which is saved on the user’s system. Once activated the application interrogates that local encrypted file to perform its license check, so continues working on that user’s specific machine within the defined license limits with no further communication required with the vendor’s systems.
Sounds simple enough… but here are the ten areas you need to consider as you select a product activation system.
What are the license models you wish to offer across your target markets? Are there other models Marketing might want to offer next year? Here are some possibilities:
* Time-limited licenses, for trials or subscription licensing
* Feature-enabling, to offer different price points or to package your product for different verticals e.g. a customer’s license might have Feature A to be OFF, Feature B at the Pro level, Feature C at level 5, Feature D on a 30-day trial and so on.
* Usage-based licensing. This could be metered (where the usage is tracked for subsequent reporting and billing, but not limited) or debiting (where the user purchases a usage quota which is depleted as the application is used).
* Custom licensing. Maybe you need to communicate some licensing parameters to your application, such as the Terabytes of data to address, number of communication channels to support, number of pages open at any one time and so forth.
* Some combination of the above e.g. enabling each feature with its own usage and time limit.
Not all computers have an Internet connection, so you need to consider how you will support your users who are on isolated corporate networks, or just can’t get a network connection from their laptop. The whole point of product activation is automation and convenience – you don’t want to have to set up phone support (during working hours, 24×7?, multi-lingual?) to help people without a network connection. Luckily, there are some solutions… if you pick the right system. For example:
* User self-service activation. Does the activation system provide a way for users to activate licenses on disconnected systems? A common approach is for the licensing software, when it finds it can’t connect to the hosted license, to encrypt the locking and product serial number information in a file, which the user then hand-carries to any web browser for upload to the vendor’s self-service web page. The vendor’s system accepts the file, checks it, and returns the encrypted file needed to enable the license. This file exchange can also be done by email, or even snail mail.
* Proxy server support. In many sectors such finance, mil/aero and government, users’ systems don’t have a direct connection to the Internet but can access it via an HTTP proxy server. Can your applications access your hosted license server via an existing HTTP proxy server?
* Install your own proxy server. If there isn’t a suitable HTTP proxy server available, does the activation solution include its own proxy server for installation on the customer’s network?
The idea is to protect your applications from hacking and ‘honest abuse’ (over-subscription by legitimate customers), so you need robust security. Here are some questions to consider:
* If you issue time-limited licenses for trials or subscriptions, is there protection against users who try to extend their license by turning back their system clock?
* Is there protection against users who try to hack or spoof the licensing library built into your application?
* Is the communication between the licensed application and the license server secure against man-in-the-middle attacks, replay attacks, and counterfeit attacks?
* If you are tracking license limit data locally for each user, are these records secure against hacking and rollback to prior versions?
* Can no-one else set up a license server and issue licenses for your product?
The general approach to preventing a license from simply being copied onto another system is to lock each license to your desired parameters of the target system, such as the MAC address, host ID, hard disk ID and so on.
So far so good, but here are some node-locking questions to ask:
* Is the node-locking mechanism flexible and extensible, so you can lock to the parameters you wish?
* Does the node-locking mechanism follow generally-accepted computer science principles, and not do such tricks as bypassing the operating system, with all its unforeseeable consequences (such as breaking just because the user installed a boot manager, or upgraded their operating system)?
* Can you secure licenses on virtualized systems (e.g. VMWare), where the hardware parameters can legitimately change for a licensed user? How about supporting users who run Windows on a Mac?
* If you want, can the node-locking mechanism provide resiliency against small changes, so not inconveniencing users who make a minor system upgrade?
* Can you specify a set of locking parameters, with the license working if any one of them is matched? For example, perhaps your user wants to be able to run their license in one of any four machines – can you accommodate this?
* If some users really prefer dongle-based licensing, can you lock to a dongle as well?
* If you sell a system with your own custom hardware in it, can you lock the license to, say, the serial number in your custom hardware?
* How do you deal with the inevitable ‘My machine crashed – how do I restore my license?’ user inquiry?
The fact of life is that users often want to move their license to a different system, months or maybe years after it is first activated. This appears straightforward, but there are some issues to consider:
* Maybe you don’t want to offer this facility to everyone. Can you control which users are allowed to relocate their licenses?
* For users who are allowed to relocate their license, can you control how often they can do so? You may not want them doing so every day (that sounds like they’re sharing the license with others).
* Is there are any intervention required on your part during a license relocation, or does the product activation system take care of it? Is it secure?
* Can licenses be deactivated on disconnected systems?
* Your application may well have some settings your users adjust as they work with it, so your application runs exactly as they like it. Do they have to set these up again on the new installation (that would be annoying), or can you transfer them automatically?
* Does the product activation system track license relocations, so you know what your users are doing? Could it alert you when a relocation is done?
Maybe you don’t fully trust your customers, or perhaps you sell your product on credit, or on a monthly subscription, so might need to revoke a user’s license if they didn’t pay up or re-subscribe.
* Can your activation system revoke a user’s license?
Perhaps you sell via resellers or OEMs now, or plan to do so. Maybe your sales department is looking for resellers overseas, or has it in their strategic plan? In that case, you’d better be ready to deal with the basic issue: how do you delegate order fulfillment (if desired) to your reseller, while still keeping track of the licenses they issue?
* Can your activation system allow resellers to issue licenses?
* If it does, can you restrict the range of licenses they can issue? For example, can you prevent them enabling certain features that aren’t part of their agreement with you, can you limit the number of licenses they issue, or set a maximum time limit on the licenses they issue?
* Can you generate a report on the licenses they’ve issued? Can they?
* Can you receive an alert when they issue a license?
While you may think that all your customers’ needs will be met with a product activation approach, what if that isn’t the case? Perhaps some users will not want any information to go out of their organization at all (often the case with some government and financial institutions).
* Can your activation system also support, say, dongle-based or floating licensing over your customers internal network, with no outside communication required at all?
* If you do need to support floating licensing or dongle-based licensing, does engineering have to re-do the licensing integration, or does the existing licensing system they integrated for product activation support it without needing any modification or replacement?
Of course you need to protect your application on all the computer platforms you support.
* Does the activation system provide a client library for all your current platforms?
* How about platforms in your product roadmap?
* How about 64-bit platforms?
* What if a major customer requires support for a non-standard platform – can you readily obtain it?
* If your application is in Java, and you take advantage of Java’s platform independence, is the licensing library actually multi-platform, or are you introducing platform dependency?
Back-office integration and infrastructure
If your business involves a large number of licenses, or you expect it to, you may want to automate license fulfillment.
* Can you automate fulfillment from your back-office/CRM system, say via Web Services?
* Can you automate management tasks, such as backup, archival and reporting for the licensing system?
* Maybe you don’t want to host the license server at all. Is there a 3rd-party managed service available?
Clearly not all of these questions will apply to all software vendors, however they hopefully provide food for thought, and suggest areas you should consider to ensure your product activation deployment is successful.