OAuth providers like Google's are nice but they don't guarantee that the user on the other end hasn't created thousands of spam accounts with different email addresses. Some financial services like P2P lending services require that the borrower or lender upload a government issued ID and even in some cases do a short video call with someone on the P2P company's staff, partly for financial regulatory requirements (I don't know what these are), but it also serves the purpose of pretty much guaranteeing the user is a real physical person, and you can then double check they are unique in your system. It doesn't seem possible to be perfect here though. But that is what I want, to guarantee that the user signing up has only signed up 1 time, that we can verify they are unique as a real physical person.
My question is, what are the holes or unsolved edge-cases in any sort of possible system you could use to do this sort of "unique real physical person" verification? What are the main problems that you ultimately cannot solve with this situation, and what is the best that can be done that is practical? By practical, I mean there are two cases: (1) is realtime verification (happens instantly, after say uploading a government ID, if that is enough), then (2) is slower but not too slow, so it might take less than 2-3 days (scheduling a 5 minute video chat). But impractical is taking infinite amount of time or requiring you to meet in person, it should all be done over the web.
For example, some holes I can already see is (super-edge case) getting plastic surgery and changing your name. Obviously extreme but even a trained human couldn't figure out you are the same person necessarily. That is pretty rare though I would say. The next is just changing your name, so we'd have to do facial recognition software, plus video chat and ask about paperwork for their original name perhaps, which would be cumbersome, I don't know. Maybe you have to use your birth name.
You don't have to list every possible edge case, but mainly I would like to know what is realistic when trying to guarantee a user or "real physical person" is only signing up once, and what the best is you can do while still remaining "practical".
In my case, I don't have a particularly security-heavy thing I am considering, I just want to guarantee that people aren't trying to spoof the system and create thousands or millions of accounts with different email addresses which they sign up with by farming out servers all over AWS to come from different IPs. Also for analytics purposes it would be nice to know that we have an accurate user count. I know uploading your government ID is a barrier to entry, but I am not concerned with that in this high-level question, I just would like to know what is possible, so I can weigh it against the millions of other factors to consider in the equation.
