For you, I’ve thought of a solution that might work, that can be fairly safe, and that does not generate too much work for either you or the user. It is similar to the solution I’m currently building.
Let’s say you limit a user’s access to at most 10 MAC addresses per 30-day period. That should cover most users’ needs, on different devices and in different situations.
Save each MAC address together with the user ID when the user logs in to the service.
When a MAC address has not been used for more than 30 days, DELETE that entry.
Then, every now and then, it happens that one user has a software MAC address generator that generates a unique MAC address each time the user connects to your service. Then there may be 10 MACs a day! (Or thereabouts, perhaps a lot more.)
If so, you can either exclude this user from the common path and let this specific user have unlimited access to your service. You can also automate this process with a confirmation email sent to this user each month, to verify the user.
OK? Are you with me?
From the hacker’s perspective, an evil person would need to target this specific user in order to become one of the many MACs in the log. It would work. But then, after 30 days, each month a new serial key will be needed, and the evil user will no longer be able to use the service.
Of course, such a system will not eliminate the free users entirely, but it will make it much more difficult.
Let’s say one person shares the secret key each month with his friend. How long do you think this person will bother to send the new key to his non-paying friend…? Maybe one or two times!? I would say it’s worth the effort from your side. It’s not that bad…!
When it comes to IPs, I myself would avoid using them in today’s era of free internet access. I can imagine a company with different IPs all over: one floor, one office, one IP; second floor or building, second office, a second IP. Then, in the cafeteria… a third IP, and so on! The same or a different IP each time. For you to depend on such a solution would… be demanding!
But really, combining these two ideas would also limit the work for you and the user.
Let’s say one user has dynamic MAC addresses, but at the same time always connects from only two or three IPs: home and office.
So… if the dynamic MAC is generated from the same IP or IP range, then it’s also not a problem.
So… a combination of these things will work! Just remember, the work for all of this, both for you and the client, must remain at an absolute minimum. There are computers… and they do all the boring work without complaint!
All is different – nothing is wrong!
EDIT
Feel free to edit all the numbers as I write them. 30 days may be 20 days… 10 MACs may be 20 or 5. I open the door to free thinking! You do the tuning to suit your needs in your specific situation, with your users!
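The scheme the post above describes (store each MAC seen at login with the user ID, cap a user at 10 MACs per 30-day window, expire entries unused for 30 days, let a high-churn "MAC generator" user through via a confirmation email, and accept a new MAC when it arrives from an IP range already on file for that user), written out as runnable Python. This is an added example, not the poster's code or anything from the thread. It treats the MAC address as an opaque string the service receives at login; the collapse of an IP to a /24 (IPv4) or /64 (IPv6) to stand in for the post's "IP range", the churn threshold of 10 new MACs in one day, and the `DeviceLimiter` class with its `confirm()` hook and `allow`/`deny`/`confirm` decision strings are all my own assumptions, and the numbers are the tunables the post says to adjust.

```python
"""Per-user device cap with expiry, churn detection and IP-range fallback (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

MAX_MACS = 10                 # at most 10 MAC addresses per user ...
WINDOW = timedelta(days=30)   # ... within a 30-day window; unused entries expire
CHURN_PER_DAY = 10            # assumption: this many new MACs in a day marks a "MAC generator" user


@dataclass
class Device:
    mac: str
    network: object           # ipaddress network the MAC was last seen from
    first_seen: datetime
    last_seen: datetime


@dataclass
class User:
    devices: dict = field(default_factory=dict)   # mac -> Device
    exempt: bool = False      # taken out of the common path after the confirmation email


def network_of(ip: str):
    """Collapse an address to the 'IP range' the post talks about.
    Assumption: /24 for IPv4, /64 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class DeviceLimiter:
    """Hypothetical in-memory store; a real service would back this with its user database."""

    def __init__(self):
        self.users = {}       # user_id -> User

    def _expire(self, user: User, now: datetime) -> None:
        # DELETE every MAC entry not used for more than 30 days.
        stale = [m for m, d in user.devices.items() if now - d.last_seen > WINDOW]
        for m in stale:
            del user.devices[m]

    def _churn(self, user: User, now: datetime) -> int:
        # How many of the stored MACs were first seen within the last day.
        day_ago = now - timedelta(days=1)
        return sum(1 for d in user.devices.values() if d.first_seen >= day_ago)

    def login(self, user_id: str, mac: str, ip: str, now: datetime) -> str:
        """Record a login and return 'allow', 'deny' or 'confirm'
        ('confirm' = over the cap with heavy MAC churn: send the confirmation email)."""
        user = self.users.setdefault(user_id, User())
        self._expire(user, now)
        net = network_of(ip)
        mac = mac.lower()      # normalise so "0B" and "0b" are the same device

        known = user.devices.get(mac)
        if known is not None:
            known.last_seen = now
            known.network = net
            return "allow"

        # New MAC: fine if the user is exempt, still under the cap, or coming from
        # an IP range we have already seen for this user (the "home and office" case).
        from_known_network = any(d.network == net for d in user.devices.values())
        if user.exempt or len(user.devices) < MAX_MACS or from_known_network:
            user.devices[mac] = Device(mac, net, now, now)
            return "allow"

        # Over the cap from an unknown network: a MAC-generator user gets the
        # confirmation-email path, anyone else is refused.
        if self._churn(user, now) >= CHURN_PER_DAY:
            return "confirm"
        return "deny"

    def confirm(self, user_id: str) -> None:
        """Called when the user follows the link in the monthly confirmation email."""
        self.users.setdefault(user_id, User()).exempt = True


if __name__ == "__main__":
    # Constructed sample: ten devices over ten days, then an eleventh from a new network.
    lim = DeviceLimiter()
    t0 = datetime(2024, 1, 1, 12, 0)
    for i in range(10):
        lim.login("alice", f"02:00:00:00:00:{i:02x}", "203.0.113.5", t0 + timedelta(days=i))
    t = t0 + timedelta(days=10)
    print(lim.login("alice", "02:00:00:00:00:0a", "198.51.100.7", t))    # deny
    print(lim.login("alice", "02:00:00:00:00:0b", "203.0.113.99", t))    # allow (known range)
    print(lim.login("alice", "02:00:00:00:00:0c", "198.51.100.7",
                    t0 + timedelta(days=41)))                           # allow (all expired)
```

Every decision is made on the stored state only, so the cap, the expiry and the churn check cost nothing beyond a small per-user lookup at login, which is the "absolute minimum of work" the post asks for.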