Hacker News new | ask | show | jobs
by verdverm 622 days ago
Very few people are going to have sufficient devices to fake large numbers of accounts. Those that do are going to either (1) have other signals (2) be sophisticated enough to evade more advanced techniques

See the experiential point that it is better to keep the 80/20 rule in mind. Most users are not going to abuse the system, and those that do, do so with dozens or hundreds of accounts, not 2-3
1 comments
solardev 622 days ago
Are you talking about text messages? If so, I agree. It would get expensive to spin up a bunch of VOIP numbers.

But for the passkey/2FA stuff, it can all be implemented in software, and a script or botnet could easily generate them by the hundreds. They're not tied to a hardware signature (i.e., you don't need multiple devices or even fake virtual devices, they're just algorithms).

link
verdverm 622 days ago
See (1) for your software based solutions

These are all advanced techniques the vast majority of users are not going to use to fake multiple accounts. Most users will never make multiple accounts to access a free tier. Abusers are far and few between and typically generate multiple signals. I've seen this in production systems and there are ways to deal with it.

80/20 rule my friend

link
solardev 622 days ago
On one hand, that's a fair point (absolutely agreed on the 80/20 stuff). But on the other hand, if some of your accounts are distinct humans and the others are bots... how do you (as the website operator) tell which is which?

I guess I assumed that if you wanted only "distinct human accounts", you would also want to exclude bot-generated ones, but maybe not.

link
verdverm 622 days ago
usually when an OP is asking about 1-1 accounts, it's more of a free vs paid thing and they care less if the account is using automation (bots) than abusing free offerings. This is certainly viewed as more important with the AI hype cycle, and it costing more to run while also almost requiring a free tier

In my experience, it's not worth worrying about until you have users, and if you have this problem, it's a good sign and you'll have the resources to better deal with it by then

link
solardev 622 days ago
Ah, I see, that makes sense!
link
verdverm 622 days ago
yea, this is how I'm interpreting OP's post, they would need to add more context to get better answers
link