I'm running a small SaaS product and I'm facing an issue with users who repeatedly sign up for my 14-day free trial using different email addresses after each trial period ends. Since the software doesn't store any custom data, the functionality remains the same for each new sign-up. I've done some research and considered a few options to tackle this: 1) IP addresses are not viable due to my B2B users having shared fixed IP ranges; 2) Regular cookies are an easier option, but I might need to implement a cookie banner for EU compliance, which I'd rather avoid since I don't use cookies at all; 3) Fingerprinting or supercookies could work but they raise privacy concerns under EU regulations.
I'm open to self-hosted solutions or paid services within the range of 10-20 EUR per month, but the ones I've found like fingerprint.com and castle.io are too costly. I'm also trying to keep my sign-up process straightforward, so I want to avoid methods like 2FA or phone verification. Any suggestions?
3 Answers
A solid approach would be to disallow free email signups from providers like Gmail or Outlook. B2B clients should ideally be using their business email addresses, which can help weed out some of the trial abusers.
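A sign-up check along these lines, as an added example and not code from the question or the answers: it rejects addresses from a constructed, deliberately partial list of consumer webmail domains and canonicalizes each address so that plus-tag and (for Gmail) dot aliases of one mailbox are recognized as a repeat trial rather than a new user. The domain list, the regex and the sample addresses are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed denylist of consumer webmail domains; a real deployment
# would maintain a much longer list from a public free-mail dataset.
FREE_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
    "live.com", "yahoo.com", "protonmail.com", "proton.me", "icloud.com",
}

# Gmail ignores dots in the local part; plus-tags are ignored almost everywhere.
DOT_INSENSITIVE = {"gmail.com"}

# Deliberately loose shape check; real validation happens when the confirmation mail is delivered.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


@dataclass
class SignupDecision:
    allowed: bool
    canonical: Optional[str]
    reason: str


def canonicalize(email: str) -> str:
    """Fold case and strip alias tricks so variants of one mailbox map to one key."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain == "googlemail.com":       # same mailboxes as gmail.com
        domain = "gmail.com"
    local = local.split("+", 1)[0]       # drop plus-tag: alice+trial2 -> alice
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")   # john.doe -> johndoe
    return f"{local}@{domain}"


def evaluate_signup(email: str, seen_canonical: Set[str]) -> SignupDecision:
    """Decide whether a trial sign-up is accepted; seen_canonical holds prior trial keys."""
    if not EMAIL_RE.fullmatch(email.strip()):
        return SignupDecision(False, None, "malformed address")
    canon = canonicalize(email)
    domain = canon.rpartition("@")[2]
    if domain in FREE_MAIL_DOMAINS:
        return SignupDecision(False, canon, "consumer webmail domain; business address required")
    if canon in seen_canonical:
        return SignupDecision(False, canon, "alias of an address that already used a trial")
    seen_canonical.add(canon)            # record the key, not the raw address
    return SignupDecision(True, canon, "ok")
```

Storing the canonical key alongside the trial record is what makes the alias check work across sign-ups; comparing raw addresses would let "alice+2@acme.example" through as a new user.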
Consider limiting access by IP address and, as a fallback, ask for phone number verification if abuse is suspected. If someone is determined enough to spoof phone numbers to evade payment, they probably wouldn't have been a customer anyway.
True! If they’re that invested in getting around your system, they might not convert in the long run.
Using cookies for trial management might be justified as "strictly necessary" for your service, so you may not need a cookie banner. Also, consider how much revenue you truly lose from users who abuse the trial—many may not convert anyway, so focusing on product improvements or marketing could be a better use of your time.
That makes sense! It's frustrating to see repeated abuse in logs, but perhaps investing in other aspects of your business would yield better results in the long run.
Or you could implement SMS confirmation to verify numbers—most abusers will run out of options eventually!