- I make websites
- If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
- I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
- I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
- but spam (automated account creation) is a real problem
What kind of auth should I use for my websites?
Just some mild hoops to jump through will prevent spam. On my email service, Port87, I use a waitlist. I don’t use it specifically to prevent spam, but it does do that very well. Then you email invite codes to the people who join the waitlist for them to create an actual account. If you start seeing spam entries in the waitlist, just delete them.
I mean, manual approval technically does work. I kinda wanted something that would scale.