I’ve tested a number of potential solutions and I’m still coming up empty.
E.g., I could do like Troy Hunt [0] and rely on Cloudflare Turnstile [1], but unfortunately, after testing it, it doesn’t cut it:
1. Cloudflare claims Turnstile is “frustration-free” for users, but my personal experience says otherwise. I dislike the experience enough that I wouldn’t want my users experiencing it either.
2. Turnstile is actually easily bypassed. I found some web scraping-related services on the internet that claim to easily and programmatically bypass Turnstile for literal pennies*, but I didn’t 100% believe them, so I tested the services. <20 minutes later, I had a script running bypassing challenge after challenge for <$1.00.
3. The hyper-centralized nature of Cloudflare is something that never sits right with me. On one hand, I have tremendous respect for the great work they do and the awesome folks who work at the company (I personally know founders whose startups would probably no longer exist had it not been for Cloudflare’s DDoS protection services). On the other hand, they frankly control too much of the internet’s traffic for my liking.
I’m starting to realize that my only option seems to be to keep the service locked down only for authenticated users (maybe via Google**).
* I’m intentionally not linking to any of those services, but they’re very easy to find via Google.
** I’m not convinced that “Sign In with Google” solves this problem either, since a committed actor can easily create many Google accounts, but at least it’s more manageable. Also, centralization (via Google) is obviously also an issue with this option.
[0]: https://news.ycombinator.com/item?id=37400018
[1]: https://www.cloudflare.com/products/turnstile
Only accept professional emails (i.e. name@company.com) from a domain that is older than X days; you can find APIs to find out if a mail is from a free provider. Plus maybe a phone number from the same country as their IP.
"Sign in with Google" is pretty useless, you can bypass that for pennies.
If you're going to require a credit card, you can probably filter them to block debit/prepaid cards, or try to make a temporary charge for a few dollars before reverting it.
You can use websites like https://seon.io/ to find out if a mail/phone number looks legit; they check things like whether it has actually been used somewhere else, etc.
How much GPU time are you going to offer for free? The question you really want to answer is: how do I make registering a fake account more expensive than whatever someone would get from mining crypto with your GPUs?
You can, and of course should, block proxy/VPN IPs.
Some basic bot protection would not hurt, but it's not an actual solution.
If you don't expect a huge amount of free users at first, you could maybe check registrations manually.
Maybe ask them to sign in with LinkedIn and check their account legitimacy (number of connections, etc.).
An actually viable solution would probably be a mix of multiple of these things; your goal is to make it expensive to register more than one account, not impossible.
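As an added illustration of that last point (several cheap signals combined, with a manual-review tier while registrations are few), not code from any commenter in this thread: a minimal signup risk score in Python. The free-provider set, the weights and the thresholds are constructed placeholders; the domain-age, GeoIP and proxy/VPN values are assumed to come from whatever lookup APIs you pick.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample set; a real deployment would query a free-provider API.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
MIN_DOMAIN_AGE_DAYS = 180  # constructed threshold, the "older than X days" rule

@dataclass
class Signup:
    email: str
    email_domain_age_days: Optional[int]  # None if the WHOIS/RDAP lookup failed
    phone_country: Optional[str]          # ISO country code from the phone prefix
    ip_country: str                       # from a GeoIP lookup
    ip_is_proxy_or_vpn: bool              # from a proxy/VPN reputation lookup
    has_card: bool
    card_is_prepaid: bool                 # from the card BIN, if a card was given

def score_signup(s: Signup) -> tuple[int, list[str]]:
    """Sum penalty points per signal; return the score and the reasons for a reviewer."""
    score, reasons = 0, []
    domain = s.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        score += 3; reasons.append("free email provider")
    if s.email_domain_age_days is None:
        score += 2; reasons.append("domain age unknown")
    elif s.email_domain_age_days < MIN_DOMAIN_AGE_DAYS:
        score += 3; reasons.append(f"domain younger than {MIN_DOMAIN_AGE_DAYS} days")
    if s.phone_country is None:
        score += 2; reasons.append("no phone number")
    elif s.phone_country != s.ip_country:
        score += 2; reasons.append("phone country differs from IP country")
    if s.ip_is_proxy_or_vpn:
        score += 4; reasons.append("proxy/VPN IP")
    if not s.has_card:
        score += 2; reasons.append("no card on file")
    elif s.card_is_prepaid:
        score += 2; reasons.append("prepaid card")
    return score, reasons

def decide(score: int, review_capacity_left: int) -> str:
    """Three tiers: allow cheap-looking signups, hand mid-range ones to manual
    review while someone still has time to look, reject the rest."""
    if score <= 2:
        return "allow"
    if score <= 6 and review_capacity_left > 0:
        return "review"
    return "reject"
```

The point is the combination: no single signal is hard to fake, but clearing all of them at once costs more than one free GPU session is worth.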
Yes, so is (insert any captcha service).
> I’d like to offer a “try it for free without an account or credit card”
I'd ditch this and require a credit card.
> 3. The hyper-centralized nature of Cloudflare is something that never sits right with me. On one hand, I have tremendous respect for the great work they do and the awesome folks who work at the company (I personally know founders whose startups would probably no longer exist had it not been for Cloudflare’s DDoS protection services). On the other hand, they frankly control too much of the internet’s traffic for my liking.
Then go with another provider, Cloudflare is not the only one... assuming you have money to pay with and aren't a choosing beggar.
So a captcha-like setup that's specific to your site, various timing-based detection systems and some hidden fields would probably work better than something like reCAPTCHA here, assuming you never become as popular as Google or Facebook.
Just require a credit card and don't charge them. If you are worried that people won't sign up, maybe that's a good thing. Do you really want someone who doesn't even want to add a card just to try? Not for a service like this, where everyone and their mother are looking for free GPUs on the internet.
Any other approach is a massive time sink.
We're developing a product in this area and I'd love to discuss some ideas with you. Email me if interested (details in profile).