Question

I am creating a system, and I am trying to ensure that a user cannot register more than once, even if he uses different email addresses or changes his IP. What strategies should I use? Can I do it with cookies?

Solution

There is nothing you can do to prevent users from registering multiple times.

User could have:

  • Dynamic IP

  • Clear cookies

  • Clone MAC address

  • Use a different email account

  • No sane user would purchase additional hardware like biometric authentication

  • User could have multiple credit cards, and addresses

The best case is to forbid the use of multiple accounts in the TOS/AUP, and delete/ban those accounts.

OTHER TIPS

A user trying to get around a cookie-based system will just clear his cookies (or not accept them in the first place). Real-life example: The New York Times tried to restrict people to 20 articles a month by setting a cookie. While that stopped some people from reading more than 20 articles, many figured out they could just delete their cookies and get 20 more articles (or use a different browser).

You also can't use IP address. Sometimes users will get a new IP address frequently. Other times, a single IP address may represent many different users (if they are behind a proxy server).

The closest you can come to satisfying your requirement is to use device fingerprinting. Device fingerprinting works by considering a wide variety of factors (the IP address, user agent, fonts installed in the browser, plugins installed in the browser, etc.). Check out https://panopticlick.eff.org/ to get an idea of how it works.

There are several companies that offer that technology. Google "device fingerprinting" to get a current list. It's also not incredibly hard to roll your own basic device fingerprinting based on what you see at Panopticlick if your requirements are to get a solid idea of who might have multiple accounts, better than cookies or IP can tell you alone. The commercial offerings invested quite a bit of engineering effort to get from "solid idea" to "very solid idea".
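A sketch of the basic server-side fingerprint matching described in the answer above, added here as an example and not the answerer's or any vendor's code. The attribute names, weights, threshold and key are assumptions; the output is a list of accounts to review, not a block decision.

```python
import hashlib
import hmac

# Assumed attribute names and weights (illustrative, not from the answer). IP gets
# a low weight because it changes often and may be shared behind a proxy.
WEIGHTS = {"user_agent": 2.0, "fonts": 3.0, "plugins": 2.0,
           "timezone": 1.0, "screen": 1.0, "ip": 0.5}
SERVER_KEY = b"constructed-demo-key"  # placeholder; keep the real key in a secret store

def _norm(value):
    """Canonicalise one attribute; lists are sorted so ordering does not matter."""
    if isinstance(value, (list, tuple, set)):
        return ",".join(sorted(str(v).strip().lower() for v in value))
    return str(value).strip().lower()

def fingerprint(attrs):
    """Keyed hash per attribute (None if absent), so raw values are not stored."""
    fp = {}
    for name in WEIGHTS:
        raw = _norm(attrs.get(name, ""))
        mac = hmac.new(SERVER_KEY, f"{name}={raw}".encode(), hashlib.sha256)
        fp[name] = mac.hexdigest() if raw else None
    return fp

def similarity(fp_a, fp_b):
    """Weighted share of attributes present on both sides whose hashes match."""
    matched = sum(w for k, w in WEIGHTS.items()
                  if fp_a[k] and fp_b[k] and hmac.compare_digest(fp_a[k], fp_b[k]))
    return matched / sum(WEIGHTS.values())

def likely_duplicates(new_attrs, known, threshold=0.8):
    """Return [(account_id, score)] for stored fingerprints scoring >= threshold."""
    new_fp = fingerprint(new_attrs)
    scored = [(acct, round(similarity(new_fp, fp), 3)) for acct, fp in known.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample data: acct-1001's device signs up again with cookies cleared
# and a new IP; acct-1002 is a different device behind the same proxy IP.
FIRST = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
         "fonts": ["DejaVu Sans", "Noto Mono", "Liberation Serif"],
         "plugins": ["pdf-viewer"], "timezone": "UTC+1",
         "screen": "1920x1080x24", "ip": "203.0.113.10"}
OTHER = {"user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
         "fonts": ["Arial", "Calibri"], "plugins": [], "timezone": "UTC+1",
         "screen": "1366x768x24", "ip": "203.0.113.10"}
KNOWN = {"acct-1001": fingerprint(FIRST), "acct-1002": fingerprint(OTHER)}
SECOND = dict(FIRST, ip="198.51.100.7", fonts=list(reversed(FIRST["fonts"])))
```

Calling `likely_duplicates(SECOND, KNOWN)` flags only `acct-1001`: the changed IP costs little of the score, while the shared proxy IP alone does not link `acct-1002` to anyone.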

You need to tie the user's registration to something that can't be copied or forged. Here are some ideas:

  1. Some companies have done this with mobile phone numbers, under the theory that most people have one phone but not two or three, or, at least, it's hard for people to trivially get a new number. So make people give you a phone number, send them an SMS message with a code, and then permanently bind that phone number to their account.

  2. You can try using processor IDs or Ethernet addresses. You'll need to have some software that reads the ID (typically in assembly language) and gets you the results back. Of course, people can hack your software, or register from multiple machines, but this will work well in some cases.

  3. Force people to pay for their accounts. People typically won't want to get many of them.

  4. Give up. Design your system so that it's okay if people register multiple times.

Good luck.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow