How to reliably identify users across the Internet?

Posted by amn on Stack Overflow
Published on 2010-04-28T13:45:09Z

I know this is a big one. In fact, it may be used for some SO community wiki.

Anyways, I am running a website that DOES NOT use explicit authentication of users. It's public as in open to everybody. However, due to the nature of the service, some users need to be locked out due to misbehavior.

I am currently blocking IP addresses, but I am aware of the supposed fact that many people purposefully reset their DHCP client cache to have their ISP assign them new addresses. Is that a fact? I think it certainly is a lucrative possibility for some people who want to circumvent being denied access. So IPs turn out to be a suboptimal way of dealing with this. But there is nothing else, is there?

MAC addresses don't survive on WAN (change from hop to hop?), and even if they did - these can also be spoofed, although I think less easily than IP renewal.

Cookies and even Flash cookies are out of the question, because there are tons of "tutorials" on how to wipe these, and those intent on wreaking havoc on the Internet are well aware and well equipped against such rudimentary measures I would employ.

Is there anything else to lean on? I was thinking heuristic profiling - collecting available data from the client side and forming some key with it, but have not gone as far as implementing it - is it an option?
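The heuristic profiling idea from the question, sketched as an added example that is not part of the original post: a keyed hash over client attributes plus a per-field similarity score, so that a new IP address or one changed attribute does not reset the match. The field names, the key, the sample profiles and the 0.8 threshold are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment would load a server-side secret.
SERVER_KEY = b"constructed-demo-key"
# Assumed attribute names. The first three arrive in request headers; screen
# and timezone would have to be reported by a client-side script.
FIELDS = ("user_agent", "accept_language", "accept_encoding", "screen", "timezone")

def profile(attrs):
    """Normalise attributes into a fixed-order tuple of strings."""
    return tuple(str(attrs.get(f, "")).strip().lower() for f in FIELDS)

def profile_key(attrs):
    """Keyed hash of the full profile: exact-match key, no raw values stored."""
    msg = "\x1f".join(profile(attrs)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def similarity(a, b):
    """Fraction of fields on which two profiles agree (0.0 to 1.0)."""
    return sum(x == y for x, y in zip(profile(a), profile(b))) / len(FIELDS)

def match_banned(attrs, banned, threshold=0.8):
    """Label of the closest banned profile at or above threshold, else None."""
    best = max(banned, key=lambda k: similarity(attrs, banned[k]), default=None)
    if best is not None and similarity(attrs, banned[best]) >= threshold:
        return best
    return None

# Constructed sample profiles. The IP address is deliberately not a field.
BANNED = {"ban-1": {"user_agent": "ExampleBrowser/3.6 (X11; Linux)",
                    "accept_language": "de-DE,de;q=0.8",
                    "accept_encoding": "gzip,deflate",
                    "screen": "1280x1024x24", "timezone": "-120"}}
# Same visitor after a browser update and a new IP: one field differs.
RETURNING = dict(BANNED["ban-1"], user_agent="ExampleBrowser/3.6.3 (X11; Linux)")
# Unrelated visitor who only shares the common Accept-Encoding value.
STRANGER = {"user_agent": "OtherBrowser/8.0 (Windows)",
            "accept_language": "en-US,en;q=0.9",
            "accept_encoding": "gzip,deflate",
            "screen": "1024x768x32", "timezone": "300"}

if __name__ == "__main__":
    for name, visitor in (("returning", RETURNING), ("stranger", STRANGER)):
        print(name, profile_key(visitor)[:12], match_banned(visitor, BANNED))
```

The exact key changes as soon as one field changes, which is why the per-field score does the matching. Visitors with identical stock configurations produce the same profile, so a match is a signal to weigh alongside other evidence rather than proof of identity.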
