Ask HN: Is there a way to ensure one-person-one-account at all?

2 points by aabbcc1241 a year ago · 24 comments · 1 min read


Without relying on any documents issued by a government, without excluding disabled people, and without requiring the admin to personally know each user.

Using a credit card doesn't tell if two accounts are created by distinct persons. And it excludes people without a credit card.

There are some (incomplete) approaches to check if the user is a person or a bot, but not if the users are distinct persons, to my knowledge.

solardev a year ago

The way I've seen this done is usually to outsource it to some third party like https://network.id.me/platform/identity-verification/ that does the verification by proxy, handles all the compliance and privacy stuff, and then tells the website operator "this user is verified as a _______".

I don't think your documents get shared with the website directly, just your verification status, but I'm not 100% sure about that.

And I think the verification process mixes and matches ID checks, employment records, credit records, text messages, etc., kinda like how a bank asks you "Which of these streets, if any, did you ever live on?". There are different questions for different kinds of verifications.

  • verdverm a year ago

    The very first part of the post reads

    > Without relying on any documents issued by a government

    This does not seem to fit their criteria for a solution

    • solardev a year ago

      I mentioned it just in case it makes a difference that someone else handles the verification. Like PCI (for credit card processing), outsourcing it removes a lot of the cost and risk of doing it yourself and processing/storing all that sensitive PII.

      At the end of the day, I don't think there's any non-governmental, non-biometric, non-financial way to really cross-check physical and online identities. It's gotta be tied into the real world somehow, and outsourcing it makes it a lot more doable...

      But yeah, if they don't want the user to have to provide documents at all, I think they're just SOL.

      • verdverm a year ago

        even with the systems you describe, there is no perfect system

        there are governments out there that will happily make/accept fake identities to beat these systems

        it's a tradeoff and we don't know the details of OP's project, but I suspect they are worrying about free tier abusers (as this is the most typical reason this question is asked on HN)

LinuxBender a year ago

Not AFAIK, and with websites that make AI easier and easier it will be exceedingly more difficult to enforce such things. I think the site and its services or products would have to be designed to incentivize one-person to one-account, meaning that having more accounts would be a loss of benefits and just adding friction, effort and wasted time. Or conversely, staying on one account and making more purchases and more customer reviews from that account means more discounts and benefits, maybe even some type of automated voting influence over what products and/or services get discounts that week, meaning the site favors the real accounts that use the site the most.

RGamma a year ago

You'd require a secure biological hash like the stuff worldcoin is doing (iris biometrics). Otherwise I don't see how this doesn't end in a detection-circumvention arms race.

  • solardev a year ago

    I'm curious about how that stuff works. What prevents someone from faking one of those scanner devices and generating fake hashes of nonexistent eyes? Or producing fake eyes for scanning?

    The airport pay-to-skip-lines company (can't remember their name) uses a similar iris scanner setup to check people in, but presumably there they have tight controls over their devices and have human employees always standing by to try to limit abuse. It'd be pretty suspicious if you walked in with a fake eyeball or such there.

    But anyone can buy a Worldcoin orb, right? Is it going to be like the console DRM wars, where once someone manages to root or extract a private key from such a device, they can use it to make fake identities?

    • RGamma a year ago

      Yeah, the initial enrollment is pretty problematic without trusted attestation. Reading the wikipedia entry on this, it seems at least the older devices can be fooled into accepting non-live-tissue scans (dunno the SOTA on this) which would enable fake enrollments but also impersonation. Impersonation could be mitigated with MFA at least. Dealing with compromised scanners would probably require a PKI and revocation mechanism, but don't take my word on this.

      Seems kinda like a tough problem when you really mean to follow through, especially when making the least amount of concessions. It'd probably be easiest to integrate with existing government systems like eID, but that's region-specific and who knows how trustworthy that is long-term. I guess, there's also these sorta weird identification services that banks use (hold ID card and face into the video feed and variants), but same problem.

      As for conceiving such a system in the first place, good luck ;)

verdverm a year ago

If you can tie login to a person's phone (passkey, Google Authenticator, text message, etc.) then you can raise the bar. Most abuse is by a very small number of people who will not make it difficult to detect (like cycling through accounts during batch processing, many accounts from the same IP). Logs will be your friend and you really only care about the worst offenders; the rest won't be worth the time, effort, false positives.

  • solardev a year ago

    Passkeys and 2FAs aren't device-dependent (many apps let you sync them across devices, like Bitwarden or 1password).

    Text messages are a little harder to fake/share, I suppose, but also more expensive to verify.

    • verdverm a year ago

      Very few people are going to have sufficient devices to fake large numbers of accounts. Those that do are going to either (1) have other signals (2) be sophisticated enough to evade more advanced techniques

      See the experiential point that it is better to keep the 80/20 rule in mind. Most users are not going to abuse the system, and those that do, do so with dozens or hundreds of accounts, not 2-3

      • solardev a year ago

        Are you talking about text messages? If so, I agree. It would get expensive to spin up a bunch of VOIP numbers.

        But for the passkey/2FA stuff, it can all be implemented in software, and a script or botnet could easily generate them by the hundreds. They're not tied to a hardware signature (i.e., you don't need multiple devices or even fake virtual devices, they're just algorithms).

        • verdverm a year ago

          See (1) for your software based solutions

          These are all advanced techniques the vast majority of users are not going to use to fake multiple accounts. Most users will never make multiple accounts to access a free tier. Abusers are far and few between and typically generate multiple signals. I've seen this in production systems and there are ways to deal with it.

          80/20 rule my friend

          • solardev a year ago

            On one hand, that's a fair point (absolutely agreed on the 80/20 stuff). But on the other hand, if some of your accounts are distinct humans and the others are bots... how do you (as the website operator) tell which is which?

            I guess I assumed that if you wanted only "distinct human accounts", you would also want to exclude bot-generated ones, but maybe not.

            • verdverm a year ago

              usually when an OP is asking about 1-1 accounts, it's more of a free vs paid thing and they care less if the account is using automation (bots) than abusing free offerings. This is certainly viewed as more important with the AI hype cycle, and it costing more to run while also almost requiring a free tier

              In my experience, it's not worth worrying about until you have users, and if you have this problem, it's a good sign and you'll have the resources to better deal with it by then
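Added example, not part of the thread or any commenter's code: the log check described in this sub-thread (many accounts cycling through one IP in a short burst), run over constructed log lines. The log format, the one-hour window and the five-account threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <source IP>" (documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 198.51.100.7
2024-05-01T09:30:00 bob 198.51.100.7
2024-05-01T10:00:00 acct01 203.0.113.9
2024-05-01T10:02:00 acct02 203.0.113.9
2024-05-01T10:04:00 acct03 203.0.113.9
2024-05-01T10:06:00 acct04 203.0.113.9
2024-05-01T10:08:00 acct05 203.0.113.9
2024-05-01T10:10:00 acct06 203.0.113.9
2024-05-01T12:00:00 u1 192.0.2.44
2024-05-01T20:00:00 alice 198.51.100.7
2024-05-02T12:00:00 u2 192.0.2.44
2024-05-03T12:00:00 u3 192.0.2.44
2024-05-04T12:00:00 u4 192.0.2.44
2024-05-05T12:00:00 u5 192.0.2.44
"""

def worst_offenders(log_text, window=timedelta(hours=1), min_accounts=5):
    """Map each flagged IP to the most distinct accounts it used inside any one window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip lines without exactly three fields
            by_ip[parts[2]].append((datetime.fromisoformat(parts[0]), parts[1]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        active, start, peak = defaultdict(int), 0, 0
        for ts, account in events:
            active[account] += 1
            # Slide the window: drop events older than `window` before `ts`.
            while ts - events[start][0] > window:
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak >= min_accounts:  # 2-3 accounts (a household) stay below the bar
            flagged[ip] = peak
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]))

print(worst_offenders(SAMPLE_LOG))
```

Only the burst of six accounts is flagged; the two-account household and the shared address that sees one new account per day stay under the threshold, which keeps false positives down at the cost of missing small-scale duplication.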

JohnFen a year ago

I don't know in the absolute, but I've never seen a way to do this and can't think of a mechanism that would work.

  • fuzzfactor a year ago

    One thing to think about is the way experience has shown that the internet itself was much more ideal when most users were still anonymous and it didn't make a big difference if anyone had more than one "screen name" or not.

    • JohnFen a year ago

      Indeed so. I've never stopped using pseudonyms on the internet. I have a few of them I've used consistently for decades. I think the important thing in internet identity is continuity of the identity, not whether or not it corresponds with real-world identity.

      I have never used my real-world identity on the internet, and won't start now. I think it's a bit nuts that people are willing to, but to each their own.

cowsup a year ago

Nope. Almost everybody has more than one device (laptop, phone, and maybe a tablet) with more than one IP (both home wifi and phone data). Everyone has multiple email addresses.

You could get by with requiring a unique phone number, but that still risks excluding users, and can get expensive if you intend on catering to an international audience. Even in that case, some people may have a landline and a cell phone, or they may use a friend/spouse/relative’s phone to circumvent your limits.

  • JohnFen a year ago

    > You could get by with requiring a unique phone number

    In the US, anyway, you can also get burner phones for about $10 at local stores. I do this routinely if someone is requiring a phone number to register for something that I really want to register for.

    • bediger4000 a year ago

      As someone who hasn't been motivated in the past, how disconnected from other means of identification is such a burner phone?

      Are the cameras watching the purchase? Can you pay cash? Is any record beyond a sales receipt generated?

      • JohnFen a year ago

        It's no more or less disconnected than any other store purchase. You can assume there are cameras in any store. You can indeed pay cash. The only records generated are the usual sales records, and if you're concerned about minimizing those, then you use the same mitigations that you'd use with any other purchase.

        Personally, I'm not concerned with that level of anonymity, though. I just don't want to give my actual phone number to random companies.
