How to protect against users transferring their accounts to third parties?
On resource N there is the following trend: users voluntarily hand their login credentials over to third parties, who then complete tasks, tests and so on for them. How can this be avoided? What measures can be taken to prevent such practices where possible?
Googling turned up nothing sensible on this topic.
Various protections against account hijacking come to mind, for example when a site restricts or complicates access to your account from other countries. Maybe there are articles about similar algorithms?
How can this be done technically?
No way. There is always a trivial way around all of this: the person handing over the account logs in himself and then gives his partner control of the computer.
Nothing will save you from voluntary "hijacking".
1. A stern user agreement stating that for voluntarily transferring your account to third parties, the account can be blocked and permanently deleted.
2. Binding to a phone number and login with SMS confirmation.
3. Make it mandatory to provide passport data, which will be visible to the user in their profile (in person). Updates only through moderator verification. Then the user will think several times before voluntarily giving their credentials to anyone. But the project will also have to strengthen its security measures, legally as well. You can check the accuracy of passport data on the FMS website.
But this will only complicate working with the site. It will still be possible to complete tasks with someone else's hands, even if it has to be done in real time via Skype.
I don't know of such articles, but here are my thoughts:
1. A user does not have many places from which they could access resource N; there are about 3 of them (home / work / tablet or mobile phone). Accordingly, fix these 3 places, and if the user tries to log in from another place, deny entry, without e-mail or phone protection.
Also, modern browsers support localStorage: write some unique value there and check it, and if it does not match, block authorization.
You can bind a user to their machine by reading all the characteristics that can be read (browser, OS, etc.). Then hash everything together and save it in the database and in cookies. The disadvantage of this approach is obvious: if you try to log in from another PC, access will be denied, but this can be worked around by allowing users to attach devices in their personal account.
PS: I remember reading an article on Habr about a similarly rock-solid identification method, but I can't find it because it was so long ago...
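As an added example (not code from this answer or the site in question), here is one way the device-binding idea from this answer and the previous one could be implemented server-side: the readable client characteristics go into a keyed hash, the user attaches up to 3 devices from their personal account, and a login is accepted only when both the fingerprint and the token the browser stored in localStorage or a cookie match. The server key, attribute names and values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key; in production load it from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_DEVICES = 3  # the answer estimates about 3 places per user


def device_fingerprint(attrs: dict) -> str:
    """Keyed hash over the sorted client attributes (browser, OS, ...).
    HMAC rather than a bare hash, so a leaked database row cannot be
    recomputed by someone who only knows the attribute values."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class UserDevices:
    """Per-user registry: fingerprint -> opaque token the browser keeps
    in localStorage / a cookie and presents on every login."""
    devices: dict = field(default_factory=dict)


def attach_device(reg: UserDevices, attrs: dict) -> Optional[str]:
    """Attach a device from the personal account. Returns the token the
    client must store, or None when the device limit is already reached."""
    fp = device_fingerprint(attrs)
    if fp in reg.devices:          # already attached: hand back same token
        return reg.devices[fp]
    if len(reg.devices) >= MAX_DEVICES:
        return None
    token = secrets.token_urlsafe(32)
    reg.devices[fp] = token
    return token


def check_login(reg: UserDevices, attrs: dict, presented: Optional[str]) -> bool:
    """Allow login only from a known device AND with the matching stored
    token; a spoofed fingerprint without the token is still rejected."""
    fp = device_fingerprint(attrs)
    expected = reg.devices.get(fp)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected, presented)
```

Changing any read attribute (a browser update, for instance) changes the fingerprint, so a real deployment needs the re-attach flow the answer mentions.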
Obviously, conduct the tests in a specially designated room on your own equipment, with mandatory verification of the identity of the person taking them. Take your user out of the virtual space and into the real world.
And you can't protect yourself from virtual substitution; you can only complicate the process.
Suppose they built a super sophisticated system of checks, and your swindler's friend, instead of him, gives up on some kind of admin...