
My problem is this: I have a survey that people are paid to take. I want to avoid the same person submitting the form multiple times. It is a web application.

What I have tried: I have tried recognizing the IP address from which they try to submit the survey, but it hasn't worked. (They could just change devices, and so the IP changes.) I could try 2FA (where I authenticate using SMS/Voice to phone numbers), but free phone services like Google Voice/Twilio will render that useless. Using a SHA/MD5 hash on a combined key such as phone number and email address still faces the same multiple emails/phone numbers problem. Uber has recently covered up its tracks and devised a way (or a partnership) to recognize Google Voice numbers. I have gone through the Google Voice API and haven't found a way to find the actual phone number linked to the Voice number.

Is there any foolproof way of doing this?

PS: I am NOT talking about multiple form submissions on a form (say, an e-commerce website) which cause multiple charges to a credit card. Please do NOT suggest CAPTCHA.

  • `Is there any foolproof way of doing this?` No. The only way would be to send a unique token to the user that only they would know, but you won't know the user in advance, so that's not possible. – Jonnix Sep 30 '16 at 17:19
  • You can still do the mobile 2FA. Google Voice and Twilio numbers can be detected as VoIP numbers and not be allowed. – Jack Sep 30 '16 at 18:03
  • @JackNicholson Could you elaborate? As far as I know, Google leases the numbers to a third party and there is no definitive way to recognize if the number is a Voice number or not. Even [Bandwidth](http://bandwidth.com) is limited in usage. – jagannathanr Oct 01 '16 at 16:28
  • @JonStirling How does that solve the purpose? Even if I did know the user in advance, how do you ensure the same user doesn't request a unique token twice? Are you referring to a handshake using public and private keys? – jagannathanr Oct 01 '16 at 18:33
  • Public and private keys wouldn't work for the same reason that you're having a problem with: you can't confirm identity to give them the keys in the first place. That is why this is not possible. You have no way to confirm a user's identity, so you have no way to confirm whether they've already registered. You can try to make it more difficult, but in the end, you can't be certain. – Jonnix Oct 01 '16 at 20:32
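
An added example, not from the original thread: the combined email-and-phone key the question describes, built with HMAC-SHA256 instead of bare SHA/MD5 and with normalization applied before hashing. The key value, the normalization rules, the class and function names and the sample addresses are assumptions; as the thread notes, a respondent who supplies a new email and phone number still gets a new key.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real deployment loads a secret from config.
SERVER_KEY = b"constructed-demo-key"


def normalize_email(email: str) -> str:
    """Lowercase and drop a '+tag' suffix from the local part (assumed policy)."""
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local.split("+", 1)[0] + "@" + domain


def normalize_phone(phone: str) -> str:
    """Keep digits only, so formatting differences do not change the key."""
    digits = re.sub(r"\D", "", phone)
    if not digits:
        raise ValueError("no digits in phone number")
    return digits


def respondent_key(email: str, phone: str) -> str:
    """Keyed hash over both identifiers; the NUL separator keeps fields distinct."""
    msg = normalize_email(email).encode() + b"\x00" + normalize_phone(phone).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class SubmissionLedger:
    """In-memory stand-in for a table with a UNIQUE constraint on the key."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def accept(self, email: str, phone: str) -> bool:
        """Return True for a first submission, False for a repeat of the same key."""
        key = respondent_key(email, phone)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


if __name__ == "__main__":
    ledger = SubmissionLedger()
    # Constructed sample submissions: original, reformatted alias, new identifiers.
    print(ledger.accept("Pat@example.com", "+1 (555) 010-0001"))
    print(ledger.accept("pat+b@example.com", "1-555-010-0001"))
    print(ledger.accept("pat2@example.org", "+1 555 010 0002"))
```

The keyed hash keeps stored keys from being matched against a precomputed list of phone numbers, and normalization catches reformatted or plus-tagged repeats; neither helps against a genuinely different email and number.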

0 Answers