Ask HN: User Verification Suggestions?

24 points by dylanz ↗ HN
1. Amazon's "Realname" (verifying name on CC).

2. Address Verification (sending code via postal mail, having them enter it online later).

3. Email Verification (obvious).

4. Asymetric, Public Key type system.

These are just a few examples I can think of. Basically, I'm trying to compile a list of ways to verify the person on the end of the pipe are who they say they are. Any ordinary or out of the ordinary suggestions welcome!

24 comments

[ 3.7 ms ] story [ 59.0 ms ] thread
Canadapost.ca does a credit check when you signup for a change of address and asks the user to verify two items on their credit report. Ouch.
The US postal service's mechanism for doing this is slightly less invasive; they charge a $1 fee to your credit card card so they can confirm that the card's billing address is one of either the "old" or "new" addresses.
That might work, but hardly all people have a credit card.

And the post office certainly has no need to know it.

...which, as anyone has tried to use the "service" will attest, is perhaps the worst possible example of identity verification you could use, from a user's perspective.

I know it's amazing to some, but a good amount of people have no clue the exact amount they paid on their last visa bill.

Mobile phone number verification, ie. prove that you're a human in countryX by entering your mobile phone nr. in the US and we send you an SMS code or something. Google does (did?) that if I remember correctly.
I built this using twilio yesterday. It took maybe an hour, from research to code to commit.
I've rolled this out recently as well, we give the user the option of a voice call or SMS. We did this knowing that about 50% of our users sign up by giving us a land line and may not have a cell phone. Twilio provides a code example right on the site for voice based verification where their system will call you and ask you to enter a number you have been presented with on the site. We do the inverse where you get a call/sms with a verification code and then have to enter it on the site.

I would make a couple of points though, we've run into several sites that don't provide a mechanism to have the call retried (answering machine, undelivered cell call, etc) or to go back and enter a verification code if it was captured by voice mail etc. Google lets you enter the code whenever you get it, Twilio lets you initiate a new call with a new number, but many ignore this problem.

I work at Twilio and this is an extremely common use case for our service. We have two recent blog posts that show how to do both SMS and phone-based verification:

http://blog.twilio.com/2010/05/sms-phone-verification-with-t...

http://blog.twilio.com/2010/05/simple-phone-verification-wit...

Unfortunate that the service requires a US based billing address, is there any way to work around that?
Unfortunately, not at this time.
Given that I've 'verified' a US address based on a Skype number in Chicago I have whilst I am based in London, UK. Well... I wouldn't say that a phone number verifies anything more than something can respond to the endpoint.

If you need real verification of a human and their identity, don't use phones for it. Especially not an automated phone system.

There's a few reasons to do it:

1) Provide an additional time-consuming, potentially slightly costly and hard-to-automate barrier to negate spammers (like Gmail does during signup).

2) Verify that someone controls a number before using it as an interface to your app either through notifications or control (adding appointments or tasks, etc).

Like you mention there's no way to use this method to verify someone is who they claim to be. But there aren't really any methods for this type of thing that can't be spoofed.

Phone verification, using twilio.You can at least verify that the user controls a mobile phone number.

My bank offers this as an option to send a verification code when I use a new computer or browser.

The drawback for you is that unlike my bank you are probably not verifying an existing account and are taking the phone number from the same person you're validating.

Another (possible --- depends on your usage scenarios) drawback is that cell phone text messages are not always "instantaneous". I've personally seen lags of up to 30 minutes between send and receipt, particular in fringe reception areas.
I see > 1 day lags occasionally (aus, vodafone).
I am a user case that does not own a phone or has a credit record in the US. However the thing, if you are using payments that always works is PayPals user verification. Put a charge on a users card. Either add a code to the name of the merchant, or if unfeasible, charge 1.xy and ask the user for the xy.
You could combine IP geolocation and caller ID phone verification. Geolocate the user's IP during the sign-up process and provide the user a code to activate their account through a 1-800. Compare their area code against the location they provided and see if they're close enough to trust.
Now that long distance service is essentially free for everyone and mobile phones (and VoIP) have nationwide networks, more people are choosing not to update their phone numbers when they move.

This means that there's a good chance my phone might have a Chicago area code but I live in LA now.

Are you looking to just compile a list of the ways that someone might do this, or are you looking for a good solution?

Basically, every method listed here uses something as a proxy for a signing authority. In the real world, we have Notaries. In the online world, we often try and use some other trusted third party as a proxy for a notary.

That's what the credit card schemes are. You're trusting that the credit card company has done their homework and verified the identity of the person they're issuing a card to. Sadly, this isn't the case; I know someone who once ordered a credit card for their dog.

As with any authentication system, the first question you have to ask yourself is how important is the system you're guarding? What is the aim of the authentication?

The lower the value of the system, the less you can put into it. To sign up for an email list, you can probably just ask for an email address and send a verification link. To handle a large financial transaction with an untrusted third party, you're going to want a whole lot stronger verification.

So it really comes down to whether your interest here is for a practical application, or if it's purely academic and you're just wanting to compile a list.

I am trying to compile a list, and the stronger the verification process, the better. A Notary is a fantastic example.
Paypal and some payment gateways verify a user's bank account/routing number by making 2 small deposits (<$0.20) and asking the user to type in how much the deposits were.