5

I'm building a site that needs to guarantee user reputation scores are accurate by preventing users from creating more than one account, at the cost of decreased user signups. So far, the only solutions I have thought of are allowing users to:

  • Link to their (verified) PayPal account through PayPal Account Authentication
  • Provide their PGP public key, and checking that the MSD (a metric of trustworthiness) is below a certain value

Of course, even these methods aren't bulletproof, but are likely to make creating a sock-puppet account very difficult. Are there any others I haven't considered?

Alek Storm
  • 151
  • 1
  • 3
  • 12
    How about offering a service that encourages people to use one single account by rewarding loyalty and honesty? – Kerrek SB Oct 19 '11 at 12:43
  • how about using as uniqueness indicator email address assigned to each account? – Dimi Takis Oct 19 '11 at 12:45
  • 10
    You can never be 100% sure. If your site is of high value to the users, they can trade registered accounts. If it's of low value, people would be not willing to put so much effort into proving their uniqueness, so they just wouldn't register. After all, the site is for the users, not vice versa. – Vlad Oct 19 '11 at 12:57
  • 1
    What are you giving away that is so valuable? I want to sign up. – JeffO Oct 19 '11 at 14:10
  • http://webmasters.stackexchange.com/ might be a better site for this. – Cyclops Oct 19 '11 at 14:31
  • @Cyclops - I thought the migration to here was appropriate as it's more a design issue rather than an implementation issue. – ChrisF Oct 19 '11 at 14:33
  • 8
    Charge $1,000 per account. That'll either keep people from making more than one account (and probably any account...), or make you very rich. It's win win! – thedaian Oct 19 '11 at 15:29
  • @ChrisF, you're probably right, I was on the border about suggesting the other site. It isn't that the question is *wrong* here, just that it seemed to me, it might get better answers there. It's one of those questions that *could* fit on several sites. – Cyclops Oct 19 '11 at 15:40
  • @Cyclops - agreed. There could be a Webmasters question here - e.g. how to log IP addresses, times of visits etc. Stack Overflow if you were talking about implementation details or even Cryptography if you wanted to know more about secure connections and PGP etc. – ChrisF Oct 19 '11 at 15:42
  • 1
    Could always require a webcam and use facial recognition. – SoylentGray Oct 19 '11 at 16:35

6 Answers6

31

You can't Prevent it, you have to provide incentives against it.

You problem is that your system has a built in incentive to create multiple accounts. Remove that incentive or give a better one for sticking with one account.

Morons
  • 14,674
  • 4
  • 37
  • 73
12

I'd be very wary about requiring users to use their PayPal account. This would imply that you were going to be taking money from users at some point. This would put even more off.

The best solution is probably the simplest. Do what Stack Exchange does. Allow the user to sign up with OpenID (or even just e-mail and password) and then track the IP addresses the user logs in from and who the user gives reputation to and who they get it from. There are probably other things you can track such as the time of day they usually log in etc.

Then have tools for your site moderators (you'll need moderators) to show users that share IP addresses and have interacted with each other a little too much (for example). Depending on what you track you can show different data.

Obviously one drawback with the IP address is that it's not unique. People at the same workplace will share one as will people using the site from internet cafes or libraries.

Now on Stack Exchange where the post is more important that the person colleagues shouldn't be voting for each other more than they would for any random person on the site. However, if on your site the person is more important then the reverse could well be true.

What ever system you implement people will try to circumvent it, so this will be an ongoing process of changing sign-in rules etc.

ChrisF
  • 38,878
  • 11
  • 125
  • 168
  • True, but then corporate users will often show up with the same IP addresses, so even that isn't foolproof. –  Oct 19 '11 at 12:50
  • @ChrisBD - true - but they should not interact with each other significantly more than with any other person on the site if they are being honest in their usage. – ChrisF Oct 19 '11 at 12:53
  • @ChrisF: well, colleagues are likely to interact more than just arbitrary pair of accounts. – Vlad Oct 19 '11 at 12:54
  • 2
    @Vlad - you can have ranges of "allowed" behaviour. I suppose it depends on the focus of the site. Is it the people or the content? – ChrisF Oct 19 '11 at 13:03
5

One way a lot of websites use is adding a SMS verification code to their signup process. It delegates the uniqueness problem to some mobile phones company.

It's still not bullet proof, it will diminish your user signup numbers a lot. But rare are those who have access to multiple mobile phone numbers. It may cost you some money if you're operating in an area where SMS have to be paid by the sender.

But couple this with some IP and behavior tracking and -as mentioned by other people- incentives to having only one account and you should be set.

Arkh
  • 591
  • 3
  • 8
  • 1
    Automated IP tracking is a *not so nice* idea, you know, people today may use **MANY IPs**. Work computer, home computer, work blackberry, home iphone, gf iphone. And a couple of browsers too. And UMTS networks seems to give you a different IP each time you check in. And they get geotracked by databases, too, but they get geotracked **WRONG**. – ZJR Oct 19 '11 at 13:39
  • Cell phone tracking is kinda good, **in reality you can have 6 numbers of 3 different operators** and no one would actually mind, but it's gonna cost you some money and it's unpractical for many purposes, so it doesn't happen very often. (Work phone / home phone duality is widespread, though) Be wary, that sending SMS may present **costs** to your client. – ZJR Oct 19 '11 at 13:42
3

User reputation (assuming you have some upvote-feature like the Stack Exchange sites) will never be a truly accurate score. Even if you really make sure that no natural person can create two accounts by whatever means (I doubt that this will be possible), you still have these problems:

  • People can upvote their friends more often than other people (or gang together to downvote someone else).
  • If high reputation is really valuable for some people and sockpuppeting is a way to get it, people will sell (or lease) verified accounts for sockpuppeting.

So, don't rely on such a feature.

Paŭlo Ebermann
  • 802
  • 5
  • 11
1

Give users a range of options to verify? Combine a good "user policy" ("We won't share your information with third parties", etc) with a good behind-the-scenes "points" scheme give points for stuff like:
- Verified phone number (SMS them a code that they enter)
- Facebook
- OpenID
- Paypal
- etc

Give each option a point value (Paypal is worth more than a GMail account, for example)... and let them choose how to get enough points to become "verified". Make this information available to the "owner" of the account.

If the account changes hands, the new owner now has that personal information... if the information changes (new email address) you can increase/decrease the "verified score", make the re-verify phone numbers or whatever. Fishy activity on an account can increase the needed "verified" score.

I'd do something like this, combined with the aforementioned IP/usage tracking to try and identify bad behavior and "gamificaton" to reward good behavior.

WernerCD
  • 822
  • 6
  • 10
  • So I can create one account with my Paypal account, and another one with Facebook? (And there is no problem in creating lots of different OpenIDs for myself.) – Paŭlo Ebermann Oct 23 '11 at 00:56
1

In South Korea and the PRC they do this by requiring users register with their personal ID number (Social Security # for U.S. folks). But in these societies that number is a lot less "secret" than it is in America.

While not legally/politically/socially acceptable in every country, this is the only really good method for limiting registrations that I've ever seen.

Not really a solution for you, probably, but of interest nonetheless.

Drew
  • 1,283
  • 11
  • 17
  • This only helps if you can ensure that one does neither uses another person's number nor a random number which looks like such an ID number. – Paŭlo Ebermann Oct 23 '11 at 00:53