Most messaging apps let you log in on your phone, laptop, iDevice, and browser, with all of your messages synced. It's framed as convenience. It's also an attack surface. When I was designing my messenger, I made a deliberately unpopular call: one device per account, enforced at the server. This post is about how I implement that, why the enforcement matters more than the policy, and what the recovery story looks like when a user's device dies. Why one device? The pitch for multi-device is: "I want my chats on every screen I own." The cost: Key distribution problem. Every new device needs the session keys. Either you re-derive them from a central secret, losing per-device forward secrecy, or you distribute keys between devices, which creates an extra sync protocol to audit. Compromise blast radius. A stolen laptop with your Signal desktop logged in is a full compromise of your chat history. In a single-device model, physical access to the one device is the attack, not access to any of N devices.…