After your software is activated on a customer's computer, it is very common for you, as a publisher, to want to maintain some level of control over this license. Whether you want the ability to revoke the license of a customer who let a subscription expire (or otherwise failed to pay), or you want to allow customers to securely transfer a license from one computer to another, the one thing that you must do to protect yourself (especially when your software is running in an environment that you do not trust) is periodically validate each computer's license.
Presumably, as in the case with the SoftwareKey System, the software was activated on each computer with some type of serial number or License ID, and each time this is done, a unique identifier associated with this specific PC's instance of the license is also established. I will call this second unique identifier an "Installation ID." Periodically validating the Installation ID with a central licensing authority is the secret behind the control.
"There is very little control that can be enforced without some type of license validation process."
Customer's Software Environment Creates Challenges for License Validation
When deciding on rules for entitlement validation business logic, a software publisher must consider that licensed software can be run from many different places, such as:
- Highly-available servers with guaranteed full-time internet access.
- Computers or devices with non-guaranteed full-time internet access.
- Traveling notebooks that disconnect from the internet for a week or two at a time.
- Hardware appliances or devices that run with infrequent attention from a human.
- Completely disconnected computers running on a factory floor that control business critical processes that may or may not have internet access on a nearby computer.
- Completely isolated, high-security networks (an "extranet") where not even thumb drives are allowed to be used to transfer data on or off site, such as a military network.
It can be challenging for a software publisher to figure out the best balance of license validation rules for each of the environments listed above. Here's a method we've found that works well.
Three Step Escalation for License Validation
One quick way to handle the last two (usually the most difficult) scenarios in the list above is to create Different Policies for Different Customers, based upon the level of trust with your customer as well as the overall cost of their software licenses. For example, we often hear that people generally trust government agencies, which would fall under the sixth scenario above.
The easiest way to address the top four working environments mentioned above is to create a three-step validation interval with escalating urgency in messaging:
- Fail Silent - During this initial validation period, your software can periodically reach out to the central license server to validate this computer's installation of the license. If a successful validation cannot take place because internet access is not currently available or the license server is otherwise unreachable, the software validation will fail silently - meaning that the user will not even know that a validation problem has occurred. The software can retry the validation process periodically or upon subsequent application execution.
- Warning - When the software is unable to validate the license during the entire length of the Fail Silent period, it can begin to warn the user that the license will need to be validated within the warning period or risk the license being disabled.
- Forced/Required - Assuming that the user has been warned about the requirement to connect to the internet to validate the license, once in the Forced Validation period, the software will not run until the software license is validated. If the software application is not run regularly, it may be important for the software publisher to track if the user ever saw the warning message or at least was given sufficient time before being "locked out." Otherwise, the customer could understandably become alarmed.
For example, a software publisher may begin validating a license 7 days after it was last validated. It can fail silently for 14 days, after which it begins warning the user for 7 days before finally locking the software license. If at any point during the process, the license is successfully validated, the timer resets and the process starts over from the beginning.
"If at any point during the process, the license is successfully validated with the server, the timer resets and the process starts over from the beginning with the Fail Silent period."
IMPORTANT: Be Careful of Over-Validation
Although it may be tempting to set up your software to perform Fail Silent validation requests on every execution or throughout multiple actions inside of your software, failure to adequately cache your license status and appropriately validate your software license can have an adverse effect on the overall responsiveness of your central licensing server, affecting all of your customers.
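The escalation schedule and the over-validation caveat above can be combined in one small client-side state machine. This is an added sketch, not SoftwareKey System code: the 7/14/7-day intervals come from the example in this article, while the names, the 6-hour retry gap and the 2-day minimum notice before lockout are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Phase(Enum):
    CACHED = "cached"            # validated recently; trust the cached status
    FAIL_SILENT = "fail_silent"  # try the server, hide failures from the user
    WARNING = "warning"          # try the server, warn the user on failure
    FORCED = "forced"            # refuse to run until validation succeeds

# Intervals from the article's example.
GRACE, SILENT, WARN = timedelta(days=7), timedelta(days=14), timedelta(days=7)
# Assumed values (not from the article).
RETRY_EVERY = timedelta(hours=6)  # minimum gap between background attempts
MIN_NOTICE = timedelta(days=2)    # warning must have been seen this long before lockout

@dataclass
class LicenseState:
    last_validated: datetime
    last_attempt: Optional[datetime] = None
    warning_first_seen: Optional[datetime] = None

def phase(state: LicenseState, now: datetime) -> Phase:
    elapsed = now - state.last_validated
    if timedelta(0) <= elapsed < GRACE:
        return Phase.CACHED
    # A negative elapsed time (clock set earlier than the last validation)
    # also lands here, so the cache is not trusted indefinitely.
    if elapsed < GRACE + SILENT:
        return Phase.FAIL_SILENT
    seen = state.warning_first_seen
    # Stay in WARNING until the user has actually had notice of the lockout.
    if elapsed < GRACE + SILENT + WARN or seen is None or now - seen < MIN_NOTICE:
        return Phase.WARNING
    return Phase.FORCED

def should_contact_server(state: LicenseState, now: datetime) -> bool:
    p = phase(state, now)
    if p is Phase.CACHED: return False   # avoid over-validation
    if p is Phase.FORCED: return True    # user is locked out; always allow a retry
    return state.last_attempt is None or now - state.last_attempt >= RETRY_EVERY

def mark_warning_shown(state: LicenseState, now: datetime) -> None:
    if state.warning_first_seen is None:
        state.warning_first_seen = now

def record_result(state: LicenseState, now: datetime, ok: bool) -> None:
    state.last_attempt = now
    if ok:  # success resets the timer back to the start of the cycle
        state.last_validated, state.warning_first_seen = now, None
```

The state would need to be persisted between runs, and the caller is expected to call `mark_warning_shown` only when the warning is actually displayed.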
Each software publisher and customer may have different business goals and requirements for using your licensed software. Building a three-step validation interval provides a good framework for protecting your software while keeping your customer informed about license validation requirements. Please feel free to contact us if you would like assistance determining the best license validation interval policies for your company's software.