by verdverm 619 days ago
If you can tie login to a person's phone (passkey, Google Authenticator, text message, etc.) then you can raise the bar. Most abuse is by a very small number of people who will not make it difficult to detect (like cycling through accounts during batch processing, many accounts from the same IP). Logs will be your friend and you really only care about the worst offenders; the rest won't be worth the time, effort, false positives.
1 comments
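An added example (not code from the thread) of the log-based check the comment describes: count distinct accounts per source IP inside a sliding time window, so a batch job cycling through accounts stands out while a shared NAT or office IP used by a few people over a whole day does not. The log format, the IPs and the 3-accounts-per-10-minutes threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login per line: "<timestamp> <ip> <account>".
# 203.0.113.5 cycles five accounts in seconds (batch-processing pattern);
# 198.51.100.7 is two people behind one NAT; 192.0.2.9 logs in hours apart.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 acct01
2024-03-01T10:00:04 203.0.113.5 acct02
2024-03-01T10:00:09 203.0.113.5 acct03
2024-03-01T10:00:13 203.0.113.5 acct04
2024-03-01T10:00:18 203.0.113.5 acct05
2024-03-01T10:01:00 198.51.100.7 alice
2024-03-01T10:02:30 198.51.100.7 bob
2024-03-01T08:00:00 192.0.2.9 carol
2024-03-01T13:00:00 192.0.2.9 dave
2024-03-01T18:00:00 192.0.2.9 erin
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, account)."""
    ts, ip, account = line.split()
    return datetime.fromisoformat(ts), ip, account

def peak_accounts_per_ip(log_text, window_minutes=10):
    """For each IP, the most distinct accounts seen within any single window.
    The sliding window is what separates account cycling from a shared IP."""
    window = timedelta(minutes=window_minutes)
    logins = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account = parse_line(line)
        logins[ip].append((ts, account))
    peaks = {}
    for ip, events in logins.items():
        events.sort()  # chronological order per IP
        peak = 0
        for i, (start, _) in enumerate(events):
            in_window = {acct for ts, acct in events[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        peaks[ip] = peak
    return peaks

def worst_offenders(log_text, threshold=3, window_minutes=10):
    """IPs at or above `threshold` distinct accounts per window, worst first.
    The threshold is an assumed starting point; tune it on your own logs."""
    peaks = peak_accounts_per_ip(log_text, window_minutes)
    flagged = [(ip, n) for ip, n in peaks.items() if n >= threshold]
    return sorted(flagged, key=lambda item: -item[1])
```

Ranking by peak count rather than alerting on every IP over the line is what keeps the review queue to the handful of worst offenders the comment is talking about.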

Passkeys and 2FAs aren't device-dependent (many apps let you sync them across devices, like Bitwarden or 1password).

Text messages are a little harder to fake/share, I suppose, but also more expensive to verify.

Very few people are going to have sufficient devices to fake large numbers of accounts. Those that do are going to either (1) have other signals or (2) be sophisticated enough to evade more advanced techniques.

See the experiential point that it is better to keep the 80/20 rule in mind. Most users are not going to abuse the system, and those that do, do so with dozens or hundreds of accounts, not 2-3.

Are you talking about text messages? If so, I agree. It would get expensive to spin up a bunch of VoIP numbers.

But for the passkey/2FA stuff, it can all be implemented in software, and a script or botnet could easily generate them by the hundreds. They're not tied to a hardware signature (i.e., you don't need multiple devices or even fake virtual devices, they're just algorithms).

See (1) for your software-based solutions.

These are all advanced techniques the vast majority of users are not going to use to fake multiple accounts. Most users will never make multiple accounts to access a free tier. Abusers are far and few between and typically generate multiple signals. I've seen this in production systems and there are ways to deal with it.

80/20 rule my friend

On one hand, that's a fair point (absolutely agreed on the 80/20 stuff). But on the other hand, if some of your accounts are distinct humans and the others are bots... how do you (as the website operator) tell which is which?

I guess I assumed that if you wanted only "distinct human accounts", you would also want to exclude bot-generated ones, but maybe not.

Usually when an OP is asking about 1-1 accounts, it's more of a free vs. paid thing and they care less if the account is using automation (bots) than about abusing free offerings. This is certainly viewed as more important with the AI hype cycle, as it costs more to run while also almost requiring a free tier.

In my experience, it's not worth worrying about until you have users, and if you have this problem, it's a good sign and you'll have the resources to better deal with it by then.