Queue-Fair helps you ensure one order per legitimate, human customer, at a rate that you control
There are several measures that you can adopt with Queue-Fair - at your option - to ensure that it's only people who are buying from your site, not bots, and that they can only buy from you once, not over and over again.
Bot use falls into two categories - completely automatic, where the bot functions without human interaction, and user controlled. A user controlled bot will use information gathered from a real human's browser to automate the buying process.
Then you also have purely human scalpers or touts, who aren't using bots, but buy from you again and again as soon as they have the opportunity.
Uniquely in the industry, Queue-Fair's security controls are designed to thwart all three classes of bad actor.
How can I prevent bots from accessing my site?
Queue-Fair comes with a range of tools to prevent bots from accessing your site, fitted as standard. For a start, every visitor that is Passed by Queue-Fair gets a unique signature that you can check to verify that each visitor has been queued appropriately. If they fail the check, they get sent to the queue automatically - so bots and people alike cannot cheat the queue and complete a transaction on your site without queuing.
Uniquely in the industry, our signatures include information specific to the visitor's browser, so if a user chooses to share the signature online, it's not an effective way to help others to skip the queue.
Queue-Fair also requires the use of cookies and JavaScript in order to pass each visitor - and many bots don't support these browser features, and can't get through - while the browsers used by humans all do.
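The signature check described above, sketched as an added example (not Queue-Fair's own code). The token format, the shared secret and the use of the User-Agent header as the "information specific to the visitor's browser" are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a constructed demo secret shared by the queue service and your server.
SECRET = b"constructed-demo-secret"

def _mac(payload: str, user_agent: str) -> str:
    # The User-Agent is hashed into the signed data, binding the token to one browser.
    ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()
    return hmac.new(SECRET, f"{payload}:{ua_hash}".encode(), hashlib.sha256).hexdigest()

def sign_pass(queue: str, visitor: str, user_agent: str, issued_at: int) -> str:
    """Issue a Passed token (hypothetical format: queue:visitor:issued_at:mac)."""
    payload = f"{queue}:{visitor}:{issued_at}"
    return f"{payload}:{_mac(payload, user_agent)}"

def verify_pass(token: str, user_agent: str, passed_lifetime: int, now: int) -> str:
    """Return 'ok', or the reason the visitor is sent back to the queue."""
    parts = token.split(":")
    if len(parts) != 4 or not (parts[2].isascii() and parts[2].isdigit()):
        return "malformed"
    payload, mac = ":".join(parts[:3]), parts[3]
    # Constant-time comparison, done on bytes because compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(mac.encode(), _mac(payload, user_agent).encode()):
        return "bad-signature"
    if now - int(parts[2]) > passed_lifetime:
        return "expired"
    return "ok"

if __name__ == "__main__":
    ua_home = "Mozilla/5.0 (constructed desktop browser)"   # constructed sample values
    ua_other = "Mozilla/5.0 (constructed phone browser)"
    token = sign_pass("sneaker-drop", "v123", ua_home, issued_at=1000)
    print("same browser:    ", verify_pass(token, ua_home, 1200, now=1500))
    print("shared with other:", verify_pass(token, ua_other, 1200, now=1500))
    print("after lifetime:  ", verify_pass(token, ua_home, 1200, now=3000))
```

A User-Agent string can be copied along with the token, so a production check would bind to more than this one header.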
Security Gates at Join and Pass
To catch the bots that are sophisticated enough to run JavaScript and handle cookies like a browser, we operate Security Gates at the Join stage, when a visitor is attempting to join the queue, and then again at the Pass stage, when they are passed from the front of the queue to your site.
These security gates are normally only used when your site is busy, because when your site is not busy, you want Queue-Fair to be transparent to good bots like the Google Crawler, which indexes your site for search results.
But, if you want these security checks to be active all the time on your site, not just when your site is busy, you can make them Always On by setting the SafeGuard Rate (the threshold of busy-ness at which your queue turns on automatically) to zero, meaning that Queue Pages will always be shown, and the security checkpoints will always be run for all visitors.
The first and most obvious way to exclude bots is to use a CAPTCHA. Queue-Fair supports Google reCAPTCHA and also hCAPTCHA - you can take your pick, and can apply CAPTCHA at the Join gate to prevent bots from joining the queue, or at the Pass gate to prevent them from being passed through to your site, or both.
If you don't want to inconvenience your human visitors with a CAPTCHA process, you can also use Queue-Fair's innovative Proof of Work challenge system, which runs silently in the background when someone tries to join the queue. The Proof of Work challenges that must be solved to receive a queue position become increasingly hard with successive Join attempts from each IP address that tries to join the queue. Harder challenges take more compute expenditure and time to solve, so Proof of Work makes it not cost effective for bots to join the queue in large numbers.
You can also set caps on the number of Joins per minute per IP address, and the number of total Joins per IP address for your queue, so multiple attempts to join the queue from a single IP address are automatically detected and blocked. You can apply these caps to the Pass gate too.
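An escalating Proof of Work challenge combined with a total-Joins cap per IP address, as an added example (not Queue-Fair's implementation). The hashcash-style leading-zero-bits puzzle, the difficulty schedule and the cap value are assumptions chosen so the demo runs quickly.

```python
import hashlib
import os
from collections import defaultdict

BASE_BITS = 8        # assumed difficulty of a first Join attempt
STEP_BITS = 2        # assumed increase per further attempt from the same IP
TOTAL_JOIN_CAP = 4   # assumed cap on total Joins per IP address
join_attempts = defaultdict(int)   # in-memory per-IP counter for the demo

def issue_challenge(ip):
    """Return (challenge, bits) for this Join attempt, or None once the IP is capped."""
    join_attempts[ip] += 1
    if join_attempts[ip] > TOTAL_JOIN_CAP:
        return None
    bits = BASE_BITS + STEP_BITS * (join_attempts[ip] - 1)
    return os.urandom(16), bits

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def verify(challenge, bits, nonce):
    """Server side: one hash, however long the client spent searching."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

def solve(challenge, bits):
    """Client side: brute-force search; expected cost doubles with every extra bit."""
    nonce = 0
    while not verify(challenge, bits, nonce):
        nonce += 1
    return nonce

if __name__ == "__main__":
    ip = "203.0.113.7"   # constructed address from the documentation range
    while (issued := issue_challenge(ip)) is not None:
        challenge, bits = issued
        nonce = solve(challenge, bits)
        print(f"attempt {join_attempts[ip]}: {bits} bits, {nonce + 1} hashes tried")
    print("further Joins from this IP are refused")
```

A real gate would also remember each issued challenge and accept it only once, so a solved challenge cannot be replayed.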
Bots live in data centres and can't join the queue
Every bot must run on a computer somewhere. People who run bots usually run lots of them, which means they need a data centre to run them. You can set the Queue-Fair Security Gates to automatically exclude requests from known data centres including Amazon, Google and Azure cloud services, without excluding legitimate human users connecting from their home, office or mobile phone.
Uniquely to Queue-Fair, the data centre check is applied at both the Pass and Join gates, to prevent credentials gathered by a human who Joined the queue at home from being sent to bots at a data centre to get Passed in large numbers.
Using a PreSale page ensures fairness
If you have tickets, sneakers, NFTs or any other item going on sale at a particular time, then we always recommend deploying a Queue-Fair PreSale page. This page has a countdown clock, and when the appointed opening time for your event is reached, everyone watching the PreSale page joins the queue automatically.
People who join the queue from the PreSale page get a random queue position. Everyone who joins after the opening time, who didn't arrive in time to see the PreSale page, is inserted after them in first-come, first-served order.
The randomiser ensures that the event opening is fair - everyone who saw the PreSale page has the same chance of being at the front of the queue, and there's no advantage to scalpers and touts who arrive early. If the number of people in the queue is large compared with the stock available, it makes it unlikely that any individual will be able to obtain more than one queue position close enough to the front to buy before you sell out.
Network-Edge and Server-Side Security
Many of our customers prefer the simplicity and ease of integration of our Client-Side JavaScript Adapter, but some security checks can only take place on your servers, or at the Network Edge if you are using a Cloud provider. With Queue-Fair, you can continue to use the JavaScript Adapter and add a small amount of code to your servers to do the checks (the Hybrid Security Model), or you can do the entire process at the Network Edge or on your servers with our open-source code.
How can I prevent bots or scalpers from making multiple purchases?
Once a person is Passed by Queue-Fair, they have a limited time to use your site to make purchases, called the Passed Lifetime. You should set this long enough for your slower internet users to finish their transaction, including time for a Forgot Password process. Setting this to a short time can help prevent humans from making multiple purchases - but not bots, as they can work your site much more quickly.
Instead, once a person has completed their order, you can securely delete their queue position. If they try to buy again, they'll be sent to the back of the queue, making each queue position single use for buying your tickets, sneakers or NFTs, beer or whatever it is for which people are queuing. This is an effective way to prevent multiple purchases by bots, humans, and humans using bots alike.
Invitation-only queues using Join Tokens
By default, Queue-Fair will let everyone who visits the Queue URL join the queue. You can enable Join Tokens, which are securely signed tokens from your site that must be presented by each visitor when they attempt to Join the queue in order to receive a queue position.
Join Tokens operate automatically - your visitors won't have to type them in - and you can choose to have your Join Tokens single use, meaning that each token can only be used once to join the queue.
So, if you are sending out marketing emails, you can send a different Join Token in each one that goes out - or you can require a login on your site before someone is sent to the queue, and give a unique Join Token to each login. If you can tie the Join Token to a customer's crypto-wallet, credit card number or physical delivery address, that's a great way of preventing the same person from joining the queue multiple times, thus preventing them from buying from you multiple times too.
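A signed Join Token tied to a customer identifier, so that a second token issued to the same person cannot yield a second queue position, as an added example (not Queue-Fair's token format or API). The token layout, the secret and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SITE_SECRET = b"constructed-demo-secret"   # assumption: key held only by your site
joined_customers = set()   # stands in for a shared store with an atomic insert

def customer_key(identifier: str) -> str:
    """Normalise the login, wallet or address, then key-hash it so the raw value
    never travels in the token and cannot be guessed offline."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(SITE_SECRET, b"cust:" + normalised, hashlib.sha256).hexdigest()[:32]

def _mac(body: str) -> str:
    return hmac.new(SITE_SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_join_token(identifier: str) -> str:
    """Hypothetical token format: nonce.customer_key.mac"""
    body = f"{secrets.token_hex(8)}.{customer_key(identifier)}"
    return f"{body}.{_mac(body)}"

def redeem_join_token(token: str) -> str:
    """Return 'joined', or the reason no queue position is given."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    body, mac = f"{parts[0]}.{parts[1]}", parts[2]
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return "bad-signature"
    # Single use is enforced per customer, not per token, so two marketing
    # emails to the same address still give one queue position.
    if parts[1] in joined_customers:
        return "already-joined"
    joined_customers.add(parts[1])
    return "joined"

if __name__ == "__main__":
    email_1 = issue_join_token("alice@example.com")     # constructed identifiers
    email_2 = issue_join_token(" Alice@Example.com ")
    print(redeem_join_token(email_1))   # first use
    print(redeem_join_token(email_1))   # replay of the same token
    print(redeem_join_token(email_2))   # different token, same customer
```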
Conclusion
Queue-Fair runs the most secure queues in the business, with a wealth of security features:
- Secure signature that is specific to the visitors' browsers
- Requires use of browser features to be passed by the queue
- Limit per minute and total Joins and Passes by IP address
- Exclude data centre bots automatically
- Use Google reCAPTCHA or hCAPTCHA to ensure it's humans in your queues
- Proof of Work challenge stops bots obtaining large numbers of queue positions
- Delete each queue position after purchase to make each queue position single use
- Make your queue invite-only with Join Tokens to ensure one queue position, and one order per human customer
More details are in the Security Guide in the Help section of the Portal. How many of these security features you wish to use on your Virtual Waiting Room is up to you.