Ask HN: How do you verify the identity of your users?

9 points by rschmukler 13 years ago · 13 comments · 1 min read


I am working on a website that runs contests. We need to confirm that users map to real people to avoid cheating on contests. Obviously email confirmation is a way, but easily scammed.

Twitter or FB login are possible, and I could even see when the account was created to ensure that they didn't just make it to scam my site's registration, but I am worried about scaring users away with it.

What do you recommend?

rogerbinns 13 years ago

Note that you don't really need to confirm everyone who participates, only people who win. You should make it clear that should someone win you will go full forensic on them. Providing you've saved enough data you can go back and correlate their activity with similar activity to see if cheating appears to have happened. You can do investigation with humans which makes attacks harder, and also scales (you only need to investigate the limited number of winners rather than all participants).

As 0xEA mentioned you can go network effect on them too. For example you can require that winners had Facebooked/Tweeted something at the time of their entry. When someone wins you can go back and check that which means that someone cheating would have to do so with lots of dummy accounts. And of course the messages form advertising for your contests.

You can also make them nominate FB/Twitter friends to share their prizes should they win at entry time. Again this makes life a lot harder to cheat as it gives your win investigations more to work with.

patio11 13 years ago

If you have a working solution to that problem, stop working on contests and proceed directly to IPO.

jilt 13 years ago

Make them upload a picture of themselves next to today's newspaper, where today's date is legible, and you need to be able to verify the paper is legit. That would be possible but not easy at all to fake.

The second best way is credit card, and use a third-party service that doesn't require you to store any cc info locally.

Unfortunately, people have more than one cc, more than one email, and you can't ask for ssn, but even if you could, that isn't guaranteed to be unique:

http://ssa-custhelp.ssa.gov/app/answers/detail/a_id/79/~/req...

DNA is unique, but that is too expensive and can be faked unless checked immediately, and depending on type of test, can be faked even in person if blood not taken (difficult to fake otherwise), and can't do online.

Vocal recognition for determining whether a user is unique and for relogin later can be faked online easily.

Visual recognition online may be a decent way to do it, but probably too expensive, and could be faked by someone holding up someone else's picture, or a video of someone from YouTube (although could check for artifacts indicating is from video source).

Retinal scan can be faked.

Gait + body/facial recognition isn't too bad, but you can't do that online. That is what the government uses with street cameras in cities, etc.

  • loumf 13 years ago

    You don't have to do a newspaper. Generate a one-time, expiring string, like "Q8uZ3" -- they have to write it on a card and take a picture of their face with the card underneath. They have 30 minutes before it expires.
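
Added example, not part of loumf's comment or the thread: one way to issue and check the one-time, expiring photo code described above. The `PhotoChallenges` class, its in-memory store and the alphabet are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Assumed alphabet: no 0, O, 1, I or l, because the code is copied by hand onto a card.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"
CODE_LENGTH = 5          # same length as the "Q8uZ3" example in the comment
TTL_SECONDS = 30 * 60    # the 30-minute window from the comment


class PhotoChallenges:
    """In-memory store of one pending photo challenge per user (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._pending = {}       # user_id -> (code, expires_at)

    def issue(self, user_id):
        """Create a fresh code for user_id, replacing any earlier one."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[user_id] = (code, self._clock() + TTL_SECONDS)
        return code

    def check(self, user_id, code_read_from_photo):
        """Return True at most once: the code must match and still be in its window."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]       # expired codes are discarded
            return False
        if not hmac.compare_digest(code.encode(), code_read_from_photo.encode()):
            return False
        del self._pending[user_id]           # single use: the same photo cannot be reused
        return True
```

The reviewer who looks at the uploaded photo types the code they read on the card into `check`; binding the code to a `user_id` means a photo taken for one account is rejected for another.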

dmm 13 years ago

A credit card number would be hard to fake.

A scanned pic of govt id that matches a name would work too.

  • EvanKelly 13 years ago

    If high schoolers have access to scannable fake IDs, then I'm not sure a scanned pic of an ID is really suitably difficult to fake.

    I agree that CC numbers are probably a good way forward as long as your users trust your site enough to provide that information.

    Are CC numbers easier to "name check" than SSNs?

    • joshschreuder 13 years ago

      High schoolers also have a larger net gain to faking their ID (years more drinking and partying), as opposed to winning a competition online.

      But I guess it depends on the competition (eg. a digital camera vs. a car would provide different levels of motivation to cheat)

0xEA 13 years ago

You could use the PGP endorsement model. Network effects should work out decently.

alagappanr 13 years ago

How about an SMS verification code sent to the user's mobile phone?

  • jrockway 13 years ago

    Mobile phones are $30 at your nearest bodega.

    • joshschreuder 13 years ago

      Meaning that multiple entries are very cost-prohibitive. If you want to enter 100 times with Facebook, you can buy 100 Facebook accounts for much cheaper than the $30 * 100 mobile phone cost.

      • jrockway 13 years ago

        In that case, you can just get a VOIP number for 8 cents or whatever.

        • shawndrost 13 years ago

          It might be possible to prevent this. Craigslist somehow detects when you use a Twilio number.
