账户验证:每人仅1个账户
在我的社区中,每个用户都应该只有一个帐户。
因此我需要一种解决方案来验证特定帐户是用户拥有的唯一帐户。目前,我使用电子邮件验证。但我真的不需要用户的电子邮件地址。我只是试图防止每个人拥有多个帐户。
但这当然行不通。无论如何,人们会创建临时电子邮件地址或拥有多个地址。因此,他们使用不同的电子邮件地址进行注册,因此他们获得了多个帐户 - 这是不允许的。
所以我需要一个比(容易规避的)电子邮件验证更好的解决方案。顺便说一句,我不想使用 OpenID、Facebook Connect 等。
要求:
- 验证方法必须可供所有用户访问
- 用户不应该支付任何费用(至少 1 美元)
- 验证必须是安全的(比电子邮件方法)
- 不应要求用户暴露太多私人详细信息
- ...
您有好的方法吗?预先非常感谢您!
附加信息:
我的社区是一款浏览器游戏,即足球经理游戏。多个账户的吸引力在于用户可以交易他们的球员。因此,如果您有两个帐户,您可以以过高的价格购买实力较弱的玩家,而“真正的”买家不会支付这种价格。因此,您的“第一个帐户”获得了巨额资金,而“第二个帐户”则变得贫穷。但您不必关心:只需创建另一个帐户即可使第一个帐户变得更富有。
In my community, every user should only have one account.
So I need a solution to verify that the specific account is the only one the user owns. For the time being, I use email verification. But I don't really need the users' email adresses. I just try to prevent multiple accounts per person.
But this doesn't work, of course. People create temporary email addresses or they own several addresses, anyway. So they register using different email addresses and so they get more than one account - which is not allowed.
So I need a better solution than the (easy to circumvent) email verification. By the way, I do not want to use OpenID, Facebook Connect etc.
The requirements:
- verification method must be accessible for all users
- there should be no costs for the user (at least 1$)
- the verification has to be safe (safer than the email approach)
- the user should not be demanded to expose too much private details
- ...
Do you have ideas for good approaches? Thank you very much in advance!
Additional information:
My community is a browser game, namely a soccer manager game. The thing which makes multiple accounts attractive is that users can trade their players. So if you have two accounts, you can buy weak players for excessive prices which no "real" buyer would pay. So your "first account" gets huge amounts of money while the "second account" becomes poor. But you don't have to care: Just create another account to make the first one richer.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(13)
您应该要求提供比电子邮件更独特的东西。但是没有办法绝对确定玩家不拥有两个帐户。
IP解决方案不是解决方案,因为从公司/学校/3G玩游戏的人将拥有相同的IP。另外,更改 IP 很容易(重置路由器、代理、使用 3G 与 wifi)
某些网站(工作机会等)要求您提供官方 ID 号(身份证、护照、社会保障、驾驶执照、签证(没有安全号码,因此人们会感到安全,因为您不会向他们收费),...)
此解决方案有一些缺点:
另一种方式:
要求 1 美元的费用
对新帐户进行一些限制(如SO)。
使用逻辑检测多个帐户
我的建议:
混合使用所有这些方法,但保持用户体验流畅,而无需“立即填写表格以继续”
You should ask for something more unique than an email. But there is no way to be absolutly sure a player don't own two account.
The IP solution is not a solution, as people playing from a compagny/school/3G will have the same IP. Also, Changing IP is easy (reset the router, proxy, use your 3G vs wifi)
Some web site (job-offer, ...) ask you for an official ID number (ID, passport, social security, driver licence, visa (without the security number, so peolple will feel safe that you won't charge them), ...)
This solution got a few draw back:
Alternative way:
ask for a fee of 1$
put some restriction in new account (like SO).
Use logic to detect multiple account
My recommandation :
Use a mix of all thoses methode, but keep the user experience fluide without "form to fill now to continue"
非常有趣的问题!这里的基本问题是多方面的 -
结合 1 & 2,你遇到的问题是新玩家拥有不公平的优势(他们在现实世界中不会有)。这可能没问题,因为它会吸引新用户访问您的网站。
然而,如果将 3 个添加到混合中,就会遇到新玩家很容易将其优势转移给老玩家的问题。这使得老用户可以玩弄系统,破坏其他人的乐趣。
解决方案可以删除 1、2、3 中的任意一个。
删除 1 - 这是您关注的部分。正如其他人所建议的,这是不可能 100% 准确的。但有些方法已经足够好,具体取决于“足够好”的标准有多严格。我认为最好的折衷方案是询问用户的手机号码。它很有效,可以让您以另一种方式联系您的用户。另一种方法是让您的服务“仅限邀请” - 确保有明确定义的邀请“踪迹”,可以唯一地识别用户。
删除 2 - 没有人建议这样做,这有点令人惊讶。不要仅仅为了注册而给新用户一大笔钱!让他们为之工作,类似于在现实世界中筹集种子资金。您的足球模拟有社交方面吗?仅当用户的“朋友”数量超过一定数量时才给用户钱(增加愿意给他们钱的潜在投资者的数量)怎么样?
删除 3 - 其他人已经发布了最佳解决方案。采用类似于 SO 的策略,新用户必须玩 3 小时才能允许转移玩家。或者,也许可以在您的游戏中添加一个“训练”阶段,迫使新玩家通过在模拟环境中赚到足够的钱来证明自己的价值,然后才可以与真实用户一起玩。
或者以上的任意组合!与匹配 IP 地址和查找可疑交易等启发式方法相结合,可以使游戏作弊行为完全不可行。
当然,您需要记住的最后一件事是,这只是一个游戏。如果有人费尽心思只是为了在你的模拟中获得一点优势,他们可能应该保留它。只要大家玩得开心就好!
Very interesting question! The basic problem here is multi-part -
Combining 1 & 2, you have the problem that new players have an unfair advantage (which they would not have in the real world). This is probably okay, as it drives new users to your site.
However adding 3 to the mix, you have the problem that new players are easily able to transfer their advantage to the old players. This allows old users to game the system, ruining fun for others.
The solution can be removing either 1,2,3.
Remove 1 - This is the part you are focusing on. As others have suggested, this is impossible to do with 100% accuracy. But there are ways that will be good enough, depending on how stringent your criterion for "good enough" is. I think the best compromise is to ask the user for their mobile phone numbers. It's effective and allows you to contact your users in one more way. Another way would be to make your service "invite only" - assuring that there is a well defined "trail" of invites that can uniquely identify users.
Remove 2 - No one has suggested this which is a bit surprising. Don't give new users a bunch of money just for signing up! Make them work for it, similar to raising seed capital in the real world. Does your soccer simulation have social aspects? How about only giving the users money once their "friend" count goes above a certain number (increasing the number of potential investors who will give them money)?
Remove 3 - Someone else has already posted the best solution for this. Adopt an SO like strategy where a new user has to play for 3 hours before they are allowed to transfer players. Or maybe add a "training" stage to your game which forces a new player to prove their worth by making enough money in a simulated environment before they are allowed to play with the real users.
Or any combination of the above! Combined with heuristics like matching IP addresses and looking for suspicious transactions, it is possible to make cheating on the game completely unviable.
Of course a final thing you need to keep in mind is that it is just a game. If someone goes to a lot of trouble just to gain a little bit of advantage in your simulation, they probably deserve to keep it. As long as everyone is having fun!
我知道这可能不是您所期望的,但是...
我的建议是,如果人们长时间使用同一帐户,则通过提供一些奖金价值来阻止人们创建另一个帐户,这是一种忠诚度计划。出于某种原因,使用新帐户具有一些优势。让我们消灭他们吧。这里有很多聪明人,所以如果你分享更多关于优势的细节,有人可能会想出一些想法。我完全相信这是关于SO的主题。
I know this is probably nothing you have expected, but...
My suggestion would be to discourage people from creating another account by offering some bonus values if they use the same account for a longer period, a kind of loyalty program. For some reason using a new account gives some advantages. Let's eliminate them. There are a lot of smart people here, so if you share more details on the advantages someone could come up with some idea. I am fully convinced this is on-topic on SO though.
我们通过隐藏注册表来实现这一点。我们的客户只能看到登录表单,我们使用他们的手机号码作为用户名,并通过短信发送密码。
后端系统将手机号码与我们的主客户数据库进行匹配,从而强制手机号码是唯一的。
We have implemented this by hiding the registration form. Our customers only see the login form where we use their mobile number as username and send the password by text message.
The backend systems match the mobile number to our master customer database which enforces that the mobile number is unique.
这里有一个想法:
之后,为您的游戏大师编写一个程序接口:
我认为您不应该通过阻止人们拥有两个或更多帐户来解决这个问题。这是不可能的,也是无效的。更容易发现邪恶活动并(自动暂时)禁止这些人。
Here is an idea:
After that write a program interface for your game masters that:
I do not think you should solve that problem by preventing people having two or more accounts. This is not possible and ineffective. Make it easier to find that evil activities and (automatically temporarly) ban these people.
用程序来完成这个任务是不可能的。
您能做的最接近的事情就是检查 IP 地址。但它可以改变,并且代理是存在的。
然后就可以得到电脑的MAC地址了,但是网卡可以换。还有电脑。
那么,有一种方法可以做到这一点,但你需要面对面地见到人们。递给他们一张带有唯一代码的纸。他们只有拥有代码才能订阅。
It's impossible to accomplish this with a program.
The closest you can do is to check the ip address. But it can change, and proxies exist.
Then you could get the computer MAC address, but a network card can be changed. And a computer too.
Then, there is one way to do this, but you need to see the people face to face. Hand them a piece of paper with a unique code. They can only subscribe if they have the code.
我认为每个电子邮件地址 1 个帐户应该足以满足您的需求。毕竟,帐户验证不必在注册后立即结束。
您可以发布发布每条消息的计算机的 IP 地址,以帮助您的用户检测某人何时在同一台计算机上使用多个帐户,并且您可以使用排名系统来阻止人们使用临时帐户。
I think 1 account per email address should be good enough for your needs. After all, account verification doesn't have to end right after signup.
You can publish the IP address of the computer each message was posted from to help your users detect when someone is using multiple accounts from the same computer, and you can use a ranking system to discourage people from using temporary accounts.
您的游戏动态是否允许您要求两个用户都在线才能进行交易?如果是这样,您可以验证参与交易的两个用户的 IP 地址,除非用户为多个互联网连接付费并从不同的计算机访问两个帐户,否则 IP 地址将是相同的。
Do your game dynamics allow for you to require that both users be online for a trade to occur? If so, you can verify the IP addresses of both users involved in a trade, which would be the same unless the user was paying for multiple internet connections and accessing two accounts from separate machines.
解决您所说的问题所在的确切场景。
跟踪玩家的预期/公平交易价值,并防止公然单边交易,尤其是。对于新帐户。假设您系统中的绝大多数用户都是非作弊者。
您还可以执行诸如滴入资金/非交易行为积分/自动加班等操作。
Address the exact scenario that you're saying is a problem.
Keep track of the expected/fair trade value of players and prevent blatantly lope-sided trades, esp. for new accounts. Assume the vast majority of users in your system are non-cheaters.
You can also do things like trickle in funds/points for non-trading actions/automatically overtime, etc.
最有效的解决方案可能是使用击键生物识别技术。可以通过一个人写句子的方式来识别一个人。
The most effective solution might be the use of keystroke biometrics. A person can be identified by the way the person writes a sentence.
让他们输入电话号码并向其发送短信。然后,保持所有手机号码的唯一性。大多数人都拥有一部手机,不会只是为了创建第二个帐户而要求朋友借用它。
http://en.wikipedia.org/wiki/List_of_SMS_gateways
Have them enter their phone number and send a text message to it. Then, keep a unique of all the cell phone numbers. Most people have one cell phone, and aren't going to ask their friend to borrow it just to create a second account.
http://en.wikipedia.org/wiki/List_of_SMS_gateways
我建议采用两种举措的方法:
1)不允许全新账户执行交易。账户必须经历一段等待期,并通过执行一些非交易行为来证明该账户是合法的。
2)公示作弊者将被取消资格并受到处罚。定期搜索用于转储不良玩家的帐户并进行调查。禁止/取消作弊者的资格并公开禁令,以便人们知道规则正在得到执行。
没有任何方法是万无一失的,但惩罚的威胁应该可以最大限度地减少作弊行为。
I would suggest an approach using two initiatives:
1) Don't allow brand new accounts to perform trades. Accounts must go through a waiting period and prove that the account is legitimate by performing some non-trade actions.
2) Publicize the fact that cheaters will be disqualified and punished. Periodically perform searches for accounts being used to dump bad players and investigate. Ban/disqualify cheaters and publicize the bans so that people know the rules are being enforced.
No method would be foolproof but the threat of punishment should minimize cheating.
实际上你可以使用fingerprintjs来跟踪每个用户,使用js在浏览器中加密指纹并在服务器中解密
actually you can use fingerprintjs to track every user, use js encrypt the fingerprint in browser and decrypt in server