Ask HN: Track Users Without Fingerprinting
I want to be able to give users a 3 day trial period to use my product (a React + Node.js web app) without a sign-up. Seems that the best option online is fingerprint.com and I've learned the hard way that the free npm version is only 60% accurate.
My other option is to save a uuid on the browser's local storage to track the user. This won't work if the user erased their history.
I'd like to pause and ask the community - Is there a fundamentally better way to do an x-day free trial?

We do signup, including captcha, email confirmation step, record IP addresses, extensive check against temporary/burner/disposable email addresses. Still 10 people per day sign up multiple times. If people want to go over the trial period they will. Literally while I was writing this I got a notification of a repeat signup and sure enough the user hit their quota and just signed up with another email address to continue.

That's the reason you see websites requiring phone number or credit card verification these days.

> That's the reason you see websites requiring phone number or credit card verification these days

And this is trivial to overcome (depending on how eager the registrants are). The pro freeloaders have access to many different numbers and typically order SIM cards in bulk, and CC's can be spun up easily too all using different names. The real pros buy these in bulk from the dark web, so it's a non-issue for them. Passport scans and a 3D selfie that matches is the gold standard for auth now.

Whatever verification data becomes standard to request, it is easy for someone to obtain and sell in bulk. All they have to do is spin up a free app and request the same.

How in the world does the New York Times keep track of how many articles you've read before slapping the paywall? It seems to work even if you switch to private mode or use a different browser from the same machine.

Browser fingerprinting, probably network fingerprinting as well. Neither requires client persistence.

And yet they don’t block reader view. I have reader view always on and I can read all articles on NY Times for free.

Wow this is a neat hack. Thanks

My guess is that works because the article loads a split second before the paywall and Safari (or whatever) has cached that article for reader view. If NYT wanted to get around this they could load only that first part of the article that shows before the paywall until someone signs in with a valid subscription.

I thought they do it by HTTP referrer. Paywall by default but if you came from e.g. a Google result page it's lifted.

Even with sign up there are ways to get around it by creating multiple accounts, so good luck getting even close without sign up AND without fingerprinting. At the same time you might get more false positives the harder you try, e.g. IP addresses can be legitimately shared between users while the ones trying to get around your limits know how to change theirs.

You could do a simple email link passwordless sign in.

I think if you tie this to browser state it is too easy to keep renewing. Even with emails it is easy but trickier for most people unless they own a domain or use plus addresses.

Is it really worth the effort to do more than email and maybe IP? It's not perfect, but nothing is, so you might as well not burn too much time/money/code on it.
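
The closing comments settle on "email and maybe IP", with the caveats that plus addresses make one mailbox reusable and that IPs are legitimately shared. An added example (not from the thread or any poster's code) of that approach for a Node.js backend: the trial is keyed on a canonical email, and IP reuse only raises a review flag instead of blocking. `canonicalEmail`, `TrialGate`, the threshold and the in-memory maps are assumptions for illustration, and the Gmail dot handling goes slightly beyond the plus-address case the thread mentions.

```javascript
// Added example (not from the thread): trial gate keyed on canonical email plus a soft IP signal.
const TRIAL_MS = 3 * 24 * 60 * 60 * 1000; // 3-day trial, as in the original post
const IP_REVIEW_THRESHOLD = 3;            // assumption: shared IPs are normal, so only flag

// Collapse common aliases of one mailbox into a single key.
function canonicalEmail(raw) {
  const email = String(raw).trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) throw new Error("invalid email");
  let local = email.slice(0, at);
  let domain = email.slice(at + 1);
  // Assumption: "+tag" is an alias suffix (true for Gmail and many providers, not all).
  local = local.split("+")[0];
  if (domain === "googlemail.com") domain = "gmail.com";
  // Gmail ignores dots in the local part.
  if (domain === "gmail.com") local = local.replace(/\./g, "");
  if (!local) throw new Error("invalid email");
  return `${local}@${domain}`;
}

class TrialGate {
  constructor() {
    this.trials = new Map(); // canonical email -> trial start (ms); use a database in production
    this.ipSeen = new Map(); // ip -> Set of canonical emails seen from it
  }

  // Returns { allowed, reason, review }.
  start(email, ip, now = Date.now()) {
    const key = canonicalEmail(email);
    const startedAt = this.trials.get(key);
    if (startedAt !== undefined) {
      // Same mailbox again (possibly via an alias): never restart the clock.
      const active = now - startedAt < TRIAL_MS;
      return { allowed: active, reason: active ? "trial-active" : "trial-expired", review: false };
    }
    this.trials.set(key, now);
    const emails = this.ipSeen.get(ip) || new Set();
    emails.add(key);
    this.ipSeen.set(ip, emails);
    // IP is only a review signal: NAT and shared networks make it a poor hard block.
    return { allowed: true, reason: "trial-started", review: emails.size >= IP_REVIEW_THRESHOLD };
  }
}
```

This does nothing against someone who owns a domain or uses fresh mailboxes, which is the limit the thread already points out.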