The Scale of the Bot Signup Problem
If your app has any kind of free tier, trial, or incentive, bots are signing up for it. Not occasionally — continuously, at scale. Akamai's 2025 State of the Internet report found that bots account for nearly 40% of all internet traffic, with credential stuffing and account creation fraud being the top two use cases.
The economics are ruthless. A threat actor can register 1,000 fake accounts for about $0.50 using commodity bot-as-a-service platforms. At that price point, your free tier becomes an infinite resource — compute cycles, storage, API credits, referral bonuses, promotional codes — all systematically harvested.
The downstream effects compound quickly:
- Infrastructure costs balloon from fake users consuming real resources
- Metrics become unreliable — your DAU and conversion numbers are polluted
- Genuine users get hurt when bots exhaust rate limits or promotional inventory
- Compliance exposure grows when fake accounts are used for fraud, spam, or abuse
The problem isn't new. What's changed is that every traditional mitigation has been systematically broken.
The Standard Approaches (And Why They Fail)
reCAPTCHA and CAPTCHA Variants
CAPTCHA was the default answer to bot signups for two decades. The pitch was simple: present a cognitive challenge only a human can solve. The reality in 2026 is that automated CAPTCHA solvers have a 99.9% success rate on reCAPTCHA v2, and reCAPTCHA v3's risk score is regularly spoofed by headless browser frameworks that mimic human mouse movements and scroll behavior.
CAPTCHA solving services charge roughly $1 per 1,000 solves and operate 24/7 with sub-second response times. For a bot operator targeting your free trial, this is a rounding error in their cost structure.
hCaptcha, Cloudflare Turnstile, and every subsequent variant have faced the same trajectory: release, widespread solver support within weeks, effective neutralization. CAPTCHA is a delay, not a defense. For a full breakdown, see our article on why CAPTCHAs are dead.
Honeypot Fields
Honeypots — hidden form fields that bots fill out and humans don't — are a useful supplementary layer but trivially defeated by any serious bot operator. Modern bot frameworks are aware of common honeypot patterns, ignore fields with display:none or visibility:hidden, and handle aria-hidden attributes correctly. Honeypots catch the lowest-effort scripts, not targeted attacks.
Email Verification
Requiring a verified email address sounds like a solid barrier. In practice, disposable email services make it near-worthless. Guerrilla Mail, Mailinator, and hundreds of similar services provide unlimited throwaway addresses with working inboxes. Bot operators automate the full signup-to-email-click pipeline. Email verification confirms an inbox exists, not that a human created it.
Blocking known disposable email domains helps at the margins, but the list is perpetually incomplete — new domains appear faster than blocklists can track them.
Phone Number Verification (SMS OTP)
SMS verification is stronger than email verification — real phone numbers cost more than email addresses. But it's not the barrier it used to be. Virtual number providers sell SMS-receiving numbers starting at $0.01 each. Entire bot automation platforms are built around bypassing SMS OTP at scale. And there's a significant UX cost: SMS friction causes measurable conversion drops, particularly in international markets where SMS reliability is inconsistent.
IP Reputation and Rate Limiting
IP-based blocking and rate limiting are table-stakes hygiene, not solutions. Residential proxy networks give bot operators effectively unlimited clean IP addresses sourced from real consumer devices. Datacenter IP reputation lists are always one CIDR range behind. Rate limiting shapes traffic but doesn't stop distributed attacks operating well below per-IP thresholds.
Every knowledge-based or network-based defense shares the same flaw: it can be automated. As long as the verification challenge can be solved programmatically, bot operators will automate the solution. The only way to break this pattern is to require something that cannot be automated.
Liveness Verification: The Modern Solution
Face liveness detection shifts the verification paradigm from "can you solve this puzzle?" to "are you a live human physically present right now?" It's the same technology your bank uses for identity verification and your phone uses for Face ID — applied to web signup flows.
The mechanics that make liveness detection bot-proof:
- Physical presence required — a bot cannot present a live human face
- Photo spoofing defeated — depth analysis and blink detection reject static images
- Video playback defeated — randomized challenge sequences prevent replay attacks
- Deepfake economics broken — real-time deepfake generation at scale is orders of magnitude more expensive than any free tier value
- One face, one account — optional biometric deduplication prevents one person creating hundreds of accounts
Crucially, it doesn't require storing raw biometric data. The verification system checks liveness and returns a signed proof — your app never sees or stores a face image. The user experience is a 2-second face scan, not a privacy intrusion.
Approach Comparison
| Method | Bot Defeat Rate | UX Impact | Bypassed By |
|---|---|---|---|
| reCAPTCHA v3 | ⚠ Low–Moderate | ✓ Minimal (invisible) | Headless browser farming |
| Honeypot fields | ✗ Very Low | ✓ Zero | Modern bot frameworks |
| Email verification | ✗ Low | ⚠ Mild friction | Disposable email services |
| SMS OTP | ⚠ Moderate | ⚠ High (conversion drop) | Virtual number farms |
| IP reputation | ✗ Low | ✓ Zero | Residential proxy networks |
| Liveness verification | ✓ Near-absolute | ✓ 2s face scan | Physical presence required |
Integrating TrueLens Liveness Verification
TrueLens exposes a two-call REST API. You create a verification session, redirect the user, and check the result. Your existing auth stack is untouched — this drops in at the point where you'd normally show a CAPTCHA.
// On your signup form submit handler
async function startVerification(userId) {
const res = await fetch('https://truelens-2.polsia.app/api/verify/init', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': process.env.TRUELENS_API_KEY
},
body: JSON.stringify({
user_id: userId,
callback_url: 'https://yourapp.com/signup/verify-callback'
})
});
const { verification_id, redirect_url } = await res.json();
// Store verification_id in session, redirect user to face scan
sessionStorage.setItem('verification_id', verification_id);
window.location.href = redirect_url;
}
// Express callback handler
app.get('/signup/verify-callback', async (req, res) => {
const { verification_id } = req.query;
// Always verify server-side — never trust client-only result
const result = await fetch(
`https://truelens-2.polsia.app/api/verify/status/${verification_id}`,
{ headers: { 'X-API-Key': process.env.TRUELENS_API_KEY } }
).then(r => r.json());
if (result.status !== 'verified') {
return res.redirect('/signup?error=verification_failed');
}
// ✓ Real human confirmed — complete account creation
await createUserAccount({
userId: result.user_id,
verificationId: verification_id // store for audit trail
});
res.redirect('/dashboard?welcome=1');
});
That's the full integration. No SDK to install, no behavioral tracking scripts, no third-party iframes. Two API calls. Check the full API documentation for webhook options, error codes, and rate limit details.
Layering Your Defenses
Liveness verification eliminates the bot signup problem at its root. That said, a layered approach is still best practice for defense in depth:
- Email domain blocklist — filter the most obvious disposable domains as a first pass
- Rate limiting by IP and device fingerprint — catch high-volume registration bursts before they hit verification
- Honeypot fields — eliminate the lowest-effort automated scripts cheaply
- TrueLens liveness verification — catch everything else with a guarantee no automated system can fake
The first three layers cost you nothing and filter significant junk traffic. Liveness verification is the backstop that handles the rest. You pay per verification — meaning you only pay when a real human completes a scan. Bots never reach that step.
The Bottom Line
Bot signups are a solvable problem — but only if you stop trying to solve them with systems designed for the 2005 web. CAPTCHAs, disposable email blocking, and IP reputation all have the same fundamental weakness: they're knowledge tests that bots can automate.
Liveness verification is the only currently-deployed technology that requires physical presence. A bot cannot grow a face. That's the defense that actually works in 2026. See TrueLens pricing — there's a free tier with 50 verifications to get started, no credit card required.