Account verification: Only 1 account per person

Question

In my community, every user should only have one account.

So I need a solution to verify that the specific account is the only one the user owns. For the time being, I use email verification. But I don't really need the users' email adresses. I just try to prevent multiple accounts per person.

But this doesn't work, of course. People create temporary email addresses or they own several addresses, anyway. So they register using different email addresses and so they get more than one account - which is not allowed.

So I need a better solution than the (easy to circumvent) email verification. By the way, I do not want to use OpenID, Facebook Connect etc.

The requirements:

• verification method must be accessible for all users
• there should be no costs for the user (at least 1$)
• the verification has to be safe (safer than the email approach)
• the user should not be demanded to expose too much private details
• ...

Do you have ideas for good approaches? Thank you very much in advance!

Additional information:

My community is a browser game, namely a soccer manager game. The thing which makes multiple accounts attractive is that users can trade their players. So if you have two accounts, you can buy weak players for excessive prices which no "real" buyer would pay. So your "first account" gets huge amounts of money while the "second account" becomes poor. But you don't have to care: Just create another account to make the first one richer.

Answer 1

You should ask for something more unique than an email. But there is no way to be absolutly sure a player don't own two account.

The IP solution is not a solution, as people playing from a compagny/school/3G will have the same IP. Also, Changing IP is easy (reset the router, proxy, use your 3G vs wifi)

Some web site (job-offer, ...) ask you for an official ID number (ID, passport, social security, driver licence, visa (without the security number, so peolple will feel safe that you won't charge them), ...)

This solution got a few draw back:

• minor don't always have an ID / visa
• pepole don't like to give away this kind of info. (in fact, depending where you live: in spain for example, it is very common to ask for ID number)
• people own more than one visa.
• it is possible to generate valide ID/visa number.

Alternative way:

ask for a fee of 1$

• to be allow to trade more than X players / spend more than X money.
• people that pay the fee got some advantage : less ads, extra players, ...
• paying a fee, will limitate creation of multiple account.
• fee can be payed using taxed phone number (some compagny provide international system)
• the payment medium could be use as an ID (visa number)

put some restriction in new account (like SO).

• eg: "you have to play at least 1 hour before trading a player"
• eg: "you have to play at least 3 hour before trading more than 3 players"

Use logic to detect multiple account

• use cookie to detect multiple account
• check last connection time of both player before a transaction. (if player A logout 1 minute before player B login : somethings is going on)

My recommandation :

Use a mix of all thoses methode, but keep the user experience fluide without "form to fill now to continue"

Answer 2

Very interesting question! The basic problem here is multi-part -

1. Opening an account is trivial (because creating new email IDs is trivial).
2. But the effect of opening an account in the game is NOT trivial. Opening a new account basically gives you a certain sum of money with which to buy players.
3. Transferring money to another account is trivial (by trading players).

Combining 1 & 2, you have the problem that new players have an unfair advantage (which they would not have in the real world). This is probably okay, as it drives new users to your site.

However adding 3 to the mix, you have the problem that new players are easily able to transfer their advantage to the old players. This allows old users to game the system, ruining fun for others.

The solution can be removing either 1,2,3.

1. Remove 1 - This is the part you are focusing on. As others have suggested, this is impossible to do with 100% accuracy. But there are ways that will be good enough, depending on how stringent your criterion for "good enough" is. I think the best compromise is to ask the user for their mobile phone numbers. It's effective and allows you to contact your users in one more way. Another way would be to make your service "invite only" - assuring that there is a well defined "trail" of invites that can uniquely identify users.

2. Remove 2 - No one has suggested this which is a bit surprising. Don't give new users a bunch of money just for signing up! Make them work for it, similar to raising seed capital in the real world. Does your soccer simulation have social aspects? How about only giving the users money once their "friend" count goes above a certain number (increasing the number of potential investors who will give them money)?

3. Remove 3 - Someone else has already posted the best solution for this. Adopt an SO like strategy where a new user has to play for 3 hours before they are allowed to transfer players. Or maybe add a "training" stage to your game which forces a new player to prove their worth by making enough money in a simulated environment before they are allowed to play with the real users.

Or any combination of the above! Combined with heuristics like matching IP addresses and looking for suspicious transactions, it is possible to make cheating on the game completely unviable.

Of course a final thing you need to keep in mind is that it is just a game. If someone goes to a lot of trouble just to gain a little bit of advantage in your simulation, they probably deserve to keep it. As long as everyone is having fun!