I’m getting ready to launch a new AI SaaS. I’d like to offer a “try it for free without an account or credit card” option right on the home page. Unfortunately, due to (1) the cost of these GPUs, (2) the fact that I’m bootstrapping the service 100%, and (3) the fully automated nature of the backend infrastructure, the risk of bots targeting the website is not just a simple concern or inconvenience but rather something that could make it infeasible for me to continue running the service.
I’ve tested a number of potential solutions and I’m still coming up empty.
E.g., I could do like Troy Hunt [0] and rely on Cloudflare Turnstile [1], but unfortunately, after testing it, it doesn’t cut it:
1. Cloudflare claims Turnstile is “frustration-free” for users, but my personal experience says otherwise. I dislike the experience enough that I wouldn’t want my users experiencing it either.
2. Turnstile is actually easily bypassed. I found some web scraping-related services on the internet that claim to easily and programmatically bypass Turnstile for literal pennies*, but I didn’t 100% believe them, so I tested the services. <20 minutes later, I had a script running bypassing challenge after challenge for <$1.00.
3. The hyper-centralized nature of Cloudflare is something that never sits right with me. On one hand, I have tremendous respect for the great work they do and the awesome folks who work at the company (I personally know founders whose startups would probably no longer exist had it not been for Cloudflare’s DDoS protection services). On the other hand, they frankly control too much of the internet’s traffic for my liking.
I’m starting to realize that my only option seems to be to keep the service locked down only for authenticated users (maybe via Google**).
* I’m intentionally not linking to any of those services, but they’re very easy to find via Google.
** I’m not convinced that “Sign In with Google” solves this problem either, since a committed actor can easily create many Google accounts, but at least it’s more manageable. Also, centralization (via Google) is obviously also an issue with this option.
[0]: https://news.ycombinator.com/item?id=37400018
[1]: https://www.cloudflare.com/products/turnstile
Only accept professional emails (i.e., name@company.com) from a domain that is older than X days; you can find APIs to find out if a mail is from free providers. Plus maybe a phone number from the same country as their IP.
"Sign in with Google" is pretty useless; you can bypass that for pennies.
If you're going to require a credit card, you can probably filter them to block debit/prepaid cards, or try to make a temporary charge of a few dollars before reverting it.
You can use websites like https://seon.io/ to find out if a mail/phone number looks legit; they check things like whether it has actually been used somewhere else, etc.
How much GPU time are you going to offer for free? The question you really want to answer is: how do I make registering a fake account more expensive than whatever someone would get from mining crypto with your GPUs?
You can, and of course should, block proxy/VPN IPs.
Some basic bot protection would not hurt, but it's not an actual solution on its own.
If you don't expect a huge amount of free users at first, you could maybe check registrations manually.
Maybe ask them to sign in with LinkedIn and check their account legitimacy (number of relations, etc.).
An actually viable solution would probably be a mix of several of these things; your goal is to make it expensive to register more than one account, not impossible.
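A constructed sketch of the layered signup scoring the reply above describes (an added example, not code from the thread): the email domain is checked against a free-provider list, the domain's registration age against an "older than X days" threshold, the phone country against the IP country, and a proxy/VPN flag, with the results combined into allow / manual review / block. The provider list, the 180-day threshold, the weights and the decision thresholds are assumed placeholders, and the domain registration date and proxy flag are assumed to come from upstream WHOIS/RDAP and IP-intelligence lookups.

```python
from datetime import date
from typing import Optional

# Constructed, illustrative values: a real deployment would use a maintained
# free-mail list or API and tune the threshold and weights to its own traffic.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "proton.me"}
MIN_DOMAIN_AGE_DAYS = 180          # the reply's "older than X days" (assumed X)
REVIEW_AT, BLOCK_AT = 30, 60       # assumed decision thresholds


def mail_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and "." in domain else None


def score_signup(email, domain_registered, phone_country, ip_country,
                 ip_is_proxy_or_vpn, today):
    """Combine the reply's signals into a risk score plus the reasons that fired.
    Dates are ISO strings ('YYYY-MM-DD'); domain_registered is None when the
    (assumed upstream) WHOIS/RDAP lookup returned nothing."""
    score, reasons = 0, []
    domain = mail_domain(email)
    if domain is None:
        return 100, ["malformed email"]
    if domain in FREE_MAIL_DOMAINS:
        score += 40
        reasons.append("free-mail provider")
    if domain_registered is None:
        score += 30
        reasons.append("domain age unknown")
    else:
        age = (date.fromisoformat(today) - date.fromisoformat(domain_registered)).days
        if age < MIN_DOMAIN_AGE_DAYS:
            score += 30
            reasons.append(f"domain only {age} days old")
    if ip_is_proxy_or_vpn:
        score += 50
        reasons.append("proxy/VPN IP")
    if phone_country and ip_country and phone_country != ip_country:
        score += 25
        reasons.append(f"phone {phone_country} vs IP {ip_country}")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to the three outcomes; the middle band goes to manual review."""
    return "block" if score >= BLOCK_AT else "manual_review" if score >= REVIEW_AT else "allow"


def evaluate_signup(email, domain_registered, phone_country, ip_country,
                    ip_is_proxy_or_vpn, today="2024-01-01"):
    score, reasons = score_signup(email, domain_registered, phone_country,
                                  ip_country, ip_is_proxy_or_vpn, today)
    return score, decide(score), reasons
```

Every signal here is cheap to forge on its own; the point of the combination is that a throwaway account has to defeat all of them at once, which is the "expensive, not impossible" goal the reply sets.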