- I make websites
- If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
- I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
- I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
- but spam (automated account creation) is a real problem
What kind of auth should I use for my websites?
I do this for part of my reg forms. I split the reg process into two parts. First, supply email only. This element uses an obfuscated id. Once they do that, the link sent to their email leads to the rest of the process, using no obfuscation. This should keep from breaking password managers.
Regarding login bruteforcing. I give them 3 shots then a cooling down period.
This process has resulted in a 0% success rate for bots so far. We will see how it holds as the domain sees more traffic.
mCaptcha is a proof of work pseudo-captcha, it won’t block bots completely, but it heavily rate limits them and makes them computationally expensive to run.
If I remember correctly I saw that Proton mail (or was it Yandex translate ?) created their own reCAPTCHA, where you’d have to slide one piece outside of a puzzle into the gap of the puzzle. Neat.
Tor browser user here, btw.
Yandex one is correctly recognizing different symbols and tapping them in order. It was rather violent when it showed at any other click when I used it with adblocks and denied tracking while searching for images.