by solardev 619 days ago
Are you talking about text messages? If so, I agree. It would get expensive to spin up a bunch of VOIP numbers.

But for the passkey/2FA stuff, it can all be implemented in software, and a script or botnet could easily generate them by the hundreds. They're not tied to a hardware signature (i.e., you don't need multiple devices or even fake virtual devices, they're just algorithms).

See (1) for your software-based solutions.

These are all advanced techniques the vast majority of users are not going to use to fake multiple accounts. Most users will never make multiple accounts to access a free tier. Abusers are few and far between and typically generate multiple signals. I've seen this in production systems and there are ways to deal with it.

80/20 rule, my friend.

On one hand, that's a fair point (absolutely agreed on the 80/20 stuff). But on the other hand, if some of your accounts are distinct humans and the others are bots... how do you (as the website operator) tell which is which?

I guess I assumed that if you wanted only "distinct human accounts", you would also want to exclude bot-generated ones, but maybe not.

Usually when an OP is asking about 1-1 accounts, it's more of a free vs paid thing, and they care less if the account is using automation (bots) than abusing free offerings. This is certainly viewed as more important with the AI hype cycle, and it costing more to run while also almost requiring a free tier.

In my experience, it's not worth worrying about until you have users, and if you have this problem, it's a good sign and you'll have the resources to better deal with it by then.

Ah, I see, that makes sense!

Yeah, this is how I'm interpreting OP's post; they would need to add more context to get better answers.