Ask HN: User Verification Suggestions?
1. Amazon's "Realname" (verifying name on CC).
2. Address Verification (sending code via postal mail, having them enter it online later).
3. Email Verification (obvious).
4. Asymetric, Public Key type system.
These are just a few examples I can think of. Basically, I'm trying to compile a list of ways to verify the person on the end of the pipe are who they say they are. Any ordinary or out of the ordinary suggestions welcome!
24 comments
[ 3.7 ms ] story [ 59.0 ms ] threadAnd the post office certainly has no need to know it.
I know it's amazing to some, but a good amount of people have no clue the exact amount they paid on their last visa bill.
I would make a couple of points though, we've run into several sites that don't provide a mechanism to have the call retried (answering machine, undelivered cell call, etc) or to go back and enter a verification code if it was captured by voice mail etc. Google lets you enter the code whenever you get it, Twilio lets you initiate a new call with a new number, but many ignore this problem.
http://blog.twilio.com/2010/05/sms-phone-verification-with-t...
http://blog.twilio.com/2010/05/simple-phone-verification-wit...
If you need real verification of a human and their identity, don't use phones for it. Especially not an automated phone system.
1) Provide an additional time-consuming, potentially slightly costly and hard-to-automate barrier to negate spammers (like Gmail does during signup).
2) Verify that someone controls a number before using it as an interface to your app either through notifications or control (adding appointments or tasks, etc).
Like you mention there's no way to use this method to verify someone is who they claim to be. But there aren't really any methods for this type of thing that can't be spoofed.
My bank offers this as an option to send a verification code when I use a new computer or browser.
The drawback for you is that unlike my bank you are probably not verifying an existing account and are taking the phone number from the same person you're validating.
This means that there's a good chance my phone might have a Chicago area code but I live in LA now.
Basically, every method listed here uses something as a proxy for a signing authority. In the real world, we have Notaries. In the online world, we often try and use some other trusted third party as a proxy for a notary.
That's what the credit card schemes are. You're trusting that the credit card company has done their homework and verified the identity of the person they're issuing a card to. Sadly, this isn't the case; I know someone who once ordered a credit card for their dog.
As with any authentication system, the first question you have to ask yourself is how important is the system you're guarding? What is the aim of the authentication?
The lower the value of the system, the less you can put into it. To sign up for an email list, you can probably just ask for an email address and send a verification link. To handle a large financial transaction with an untrusted third party, you're going to want a whole lot stronger verification.
So it really comes down to whether your interest here is for a practical application, or if it's purely academic and you're just wanting to compile a list.