Very few people are going to have sufficient devices to fake large numbers of accounts. Those that do are going to either (1) have other signals or (2) be sophisticated enough to evade more advanced techniques.
See the experiential point that it is better to keep the 80/20 rule in mind. Most users are not going to abuse the system, and those that do, do so with dozens or hundreds of accounts, not 2-3.
Are you talking about text messages? If so, I agree. It would get expensive to spin up a bunch of VOIP numbers.
But for the passkey/2FA stuff, it can all be implemented in software, and a script or botnet could easily generate them by the hundreds. They're not tied to a hardware signature (i.e., you don't need multiple devices or even fake virtual devices, they're just algorithms).
These are all advanced techniques the vast majority of users are not going to use to fake multiple accounts. Most users will never make multiple accounts to access a free tier. Abusers are few and far between and typically generate multiple signals. I've seen this in production systems and there are ways to deal with it.
On one hand, that's a fair point (absolutely agreed on the 80/20 stuff). But on the other hand, if some of your accounts are distinct humans and the others are bots... how do you (as the website operator) tell which is which?
I guess I assumed that if you wanted only "distinct human accounts", you would also want to exclude bot-generated ones, but maybe not.