As you already know this using the device's UUID isn't allowed, however, you can generate your own UUID and store it on the devices' UserDefaults.

using the identifierForVendor isn't 100% reliable, as it only works on iOS6 and above, and users have the ability to opt-out of giving it to you, which makes it a bad choice.

Here's some code I copied of the internets sometime ago and still use it till today, will try to find the source and update my answer in a bit. EDIT: Source

This will generate and store a UUID for you in UserDefaults:

- (NSString *)createUUID
{
  CFUUIDRef theUUID = CFUUIDCreate(NULL);
  CFStringRef string = CFUUIDCreateString(NULL, theUUID);
  CFRelease(theUUID);
  [[NSUserDefaults standardUserDefaults] setObject:(__bridge NSString *)string forKey:@"UUID"];
  [[NSUSerDefaults standardUserDefaults] synchronize];
  return (__bridge NSString *)string;
}

And whenever you need to read the generated UUID:

- (NSString*)UUID
{
    return [[NSUserDefaults standardUserDefaults] ObjectForKey:@"UUID"];
}

Now you have the choice to append your own user's ID to that too so you'll be able to know what UUID is linked to which user..

This is just a rough sketch of how it should work

First of all, Apple developer guidelines prohibit/ discourage use of IDFA for tracking the user for the purpose of displaying targeted advertisements (and a few other things). The guidelines clearly allow the developer to use the IDFA for identifying the device for security purposes. Quoting the apple guidelines

advertisingTrackingEnabled

A Boolean value that indicates whether the user has limited ad tracking. (read-only)

@property(nonatomic, readonly, getter=isAdvertisingTrackingEnabled) BOOL advertisingTrackingEnabled

Discussion

Check the value of this property before performing any advertising tracking. If the value is NO, use the advertising identifier only for the following purposes: frequency capping, conversion events, estimating the number of unique users, security and fraud detection, and debugging.

You can use IDFA of the device for the purpose of multiple device logins. The flow would be somewhat like this:

1. User logs in to the server using device A, Server sends back a token which is stored on the device in NSUserDefaults. The app also stores the IDFA on the device in NSUserDefaults

2. This token will be used for creating an encrypted string which would contain the IDFA. (encrypt the IDFA using the token) The encrypted value would be passed to the server in each request along with the original IDFA.

3. The server would then use the IDFA and the token associated with it (the server would of course be storing the IDFA's corresponding to each token) to get the encrypted value of the IDFA and match it with the encrypted value received in the request. The purpose of doing this is to ensure that no one can hack into your server as the token would not be visible to anyone but the app (You can even store the token in an encrypted format so as to increase the level of security).

4. Whenever a request is sent to the server, the value of IDFA stored on the device in NSUserDefaults would be compared with the current IDFA.

5. In case there is a mismatch, the current IDFA would be first updated to the server and then after getting the confirmation of successful update the app would replace the IDFA stored on the device in NSUserDefaults with the current one (and business then runs as usual).

Alternatively you can avoid step 3,4 and storing IDFA on the device in NSUserDefaults but in that can the user would have to re-login on to the server on resetting the IDFA.

Just confirming ,the mapping of token to IDFA would be many to one.

Hope this helps, comment in case anything not clear/ not satisfying the use case.

you should use the standard ways of creating a UUID. Apple does not want you tracking devices.

 To create a unique identifier specific to your app, you can call the CFUUIDCreate function to
 create a UUID, and write it to the defaults database using the NSUserDefaults class. (Source)

If you want to use a library for this instead of rolling your own, you should use this excellent library like this :

CFUUIDRef uuidRef = CFUUIDCreate(kCFAllocatorDefault);
NSString *uuidString = (NSString *)CFUUIDCreateString(NULL,uuidRef);
CFRelease(uuidRef);