The idea is we have a website for free downloads

but there will be daily limit of daily downloads for each user (say 5 dl per day per user) so there will be users with multiple accounts.

1. IP detection is not good; cause I have many users from one ip (users from one organization)
2. email verification and unique email account is not good; u can create more than one account
3. sms confirmation is not good; users can use his/her friend cell phone number to register another account

I saw a website that solved this issue (partially) www.gameknot.com

They detect users by computer name or MAC address or something else I am not sure, I registered 3 users there, they detected me, said :"these three users are using same computer" !! and banned all three accounts.

When I reinstalled another windows the problem solved, I have one user there.

So I asked myself, "how they did this"?

Is there any suggestion as to how I can handle this issue?

If I would implement such a system, to have only one signon per user or something like that I would do something like this:

1: create an ID of the machine, based on IP, maybe using JavaScript/Java Applet/Flash you can get MAC or I don't know what things in consideration. For simplicity let's say I compute the host ID like this:

ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC)

2: User1 log in and let's pretend I computed host ID = 666. WE look up a table in DB let's say table_hosts that containt this data (user, host_id)

3: User1 used all 5 downloads (keep track of them using session or records from database)

4: User1 try to login as User2 and now we compute the ID = 666, the same ID = 666, we lookup out table_hosts and find out that the same host ID was used doring that day by User1 too. Now we can ban the accounts with that ID, give warnings like 20% until ban etc

Hope I could help, but remember be creative, that's all that matter!

LE: Because others put in discussion shared machines the ID may be calculated like this:

ID = MD5(PUBLIC_IP) + MD5(LOCAL_IP) + MD5(MAC) + MD5(NameOfLoggedOnUser)

But this have it's disadvantage too, the abuser may create 2 or more accounts on it's machine. Anyway I repeat be creative and yeah we should not forget that any lock can be lock picked.

If it was the MAC address, reinstalling Windows wouldn't change things - that's a hardware address.

Perhaps they were setting a cookie from your machine? The downside to that is that a user clearing their cookies will get open access.

Even tying it down to a single machine has disadvantages - what if it's a shared machine (in a home or even an internet cafe).

There's probably no ideal solution because you'll have cases where someone legitimately does something that looks dodgy and dodgy people who can look legitimate.

The main question here is to find the balance between control and annoyance. Will more control for you result in more annoyance for your users?

Keep in mind that user can have a failed download for many reasons. Do you allow to resume the download or restart it without punishing the user?

You mention email verification and unique email account as not good. But don't forget that creating a new email account just for that purpose is a hassle for most of users. So is signing up for a new account even with existing email. So yes, some user will get a bit more than they should but will it have serious negative consequence for the business?

If you want them to pay for extra downloads, there will be two types. Those who value their time and hate hassles. Make it easy for them and they will gladly pay! These are your customers you want to care about.

The other group is those who will invent new tricks in order not to pay, regardless of how hard you'll make it. Will you detect their computer? Then they'll go to internet shop with many other computers, so you achieve nothing. There is simply nothing you can do against those users. But is it worth it to worry about?

So in conclusion, maybe trying to make it easy for users who are happy to pay is worth more than worrying about those who won't pay anyway. Here is some more discussion about being user-friendly.

EDIT.

Just noticed this answer, showing that getting fake emails is even easier than I've thought. However, how many users will know about this service?

They probably used cookies or IP to track, both easy to defeat. As with all security problems it's a matter of availability vs security.

If it's really, really important, you might want to use sms verification. It's probably as secure as it's going to get... But that's a pretty non-trivial thing to solve, especially with users from non-. I would just go with IP logging (so you can do a search periodically to see any strange patterns) and cookies.

Well, StackOverflow seems to use Open ID to address this issue, if not eliminate it.

I run a free site where people register accounts, and I've had some similar problems that you've had. I've required email verification and I've logged IPs, but people are always going to find a way to game the system. The only solution is really to monitor your site frequently to make sure nothing abnormal is going on. I had a case where three verified accounts were logging in from the same IP just minutes after one another and all performing the exact same action. I wrote to one of the users who complained "Oh no, it's just me, I don't know what you're talking about." I eventually suspended that user's account and all three accounts simultaneously became inactive.

I also had another case where someone was creating fake email accounts, but was doing so in pretty much the same way using the same password each time and a similar email address. He was causing problems on the site, so I banned all his accounts and he eventually stopped.

Just monitor and look for patterns. Aside from getting really tricky, that's pretty much all you can do.

Good luck!