Subscribe to the Non-Human & AI Identity Journal

Multi-account Creation

The repeated creation of accounts by one actor to evade controls, amplify abuse, or disguise intent. It often uses disposable identifiers, device changes, and automated onboarding. For practitioners, the issue is not only volume but the false appearance of legitimate user growth and engagement.

Expanded Definition

Multi-account creation is a form of identity abuse in which one actor repeatedly provisions new accounts to bypass rate limits, eligibility checks, moderation rules, or fraud controls. In NHI and IAM contexts, it matters because the apparent identity count can be manipulated just as easily as the access pattern, especially when onboarding is self-service and automated. Definitions vary across vendors on whether this behaviour is treated as fraud, abuse, or account takeover adjacent activity, but the operational signal is consistent: the same source is trying to look like many legitimate users. For governance teams, the key distinction is between normal account growth and coordinated account farming that uses disposable email addresses, device resets, rotating IPs, or scripted registration flows. The pattern is often discussed alongside risk-based authentication and abuse detection in the NIST Cybersecurity Framework 2.0, where the control question is whether identity proofing and monitoring are strong enough to resist synthetic scale. The most common misapplication is treating every spike in registrations as organic demand, which occurs when teams analyse volume without correlating device, network, and behavioural reuse.

Examples and Use Cases

Implementing controls against multi-account creation rigorously often introduces friction for legitimate signups, requiring organisations to weigh growth conversion against stronger abuse resistance.

  • A marketplace sees hundreds of new seller accounts created from the same device fingerprint, each with unique email aliases, prompting investigation for coordinated evasion rather than genuine expansion.
  • A fintech platform detects repeated onboarding attempts after failed verification, where the actor changes phone numbers and IPs to keep testing promotional offers and referral bonuses.
  • A SaaS provider reviews login telemetry and finds many fresh accounts sharing browser automation patterns, which leads security teams to tighten registration throttles and device reputation checks.
  • An online community notices “new users” posting identical content within minutes, and the abuse team links the activity to a scripted account farm designed to amplify manipulation.
  • As covered in the Ultimate Guide to NHIs, repeated identity creation becomes especially risky when operational telemetry is weak and the organisation cannot distinguish scale from legitimacy.

Why It Matters in NHI Security

Multi-account creation is not only a trust and fraud problem. It can also become an NHI governance issue when attackers use repeated registration to seed fake service relationships, manipulate API quotas, or hide the true source of automated abuse. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service account, and weak visibility makes it easier for repeated account creation to blend into normal identity churn. The concern is amplified when organisations already have broad secret exposure or overprivileged identities, because a large number of disposable accounts can obscure where access truly originates. In practice, monitoring must connect identity proofing, behavioural analytics, and lifecycle controls rather than relying on registration counts alone. The Ultimate Guide to NHIs also highlights that NHIs outnumber human identities by 25x to 50x in modern enterprises, showing how quickly identity volume can overwhelm manual review. Organisations typically encounter the consequence only after referral fraud, spam waves, or automated abuse has already distorted metrics, at which point multi-account creation becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Repeated account creation exploits weak identity lifecycle and abuse controls in NHI environments.
NIST CSF 2.0 PR.AA-1 Identity proofing and authentication must resist scripted registration abuse.
NIST CSF 2.0 DE.CM-8 Monitoring identity events helps surface abnormal registration bursts and reuse patterns.

Monitor account creation telemetry continuously and investigate clusters that indicate synthetic identity growth.