03/07/2022, 3:14 PM
This would work @User. But a better flow might be to tell the user to log out of all their devices and then try to log in again. This way, they are given an opportunity to decide if they want to actually log in again. Plus, in the way you described, the other sessions would still be active until they have to be refreshed. If, however, the users log themselves out from the other devices, then you have truly enforced what you are looking for. If you would want to continue with your method, there is a race condition in which someone can consume two codes at the same time and then (with very low probability) get logged into both devices. So you also want to check the number of sessions after calling the original implementation, and if it's more than one, then perhaps revoke both. This would lead to the user getting logged out of all their devices eventually, but it's super low probability anyway; they can log in again.