How about verifying against the national identity database. No need to second guess identity / address, etc. Isn't that exactly why we've got strong identity, that it's very easy to validate it. I wonder why some services use all kind of pseudo methods, when there are strong and proven methods available. Also postcard is bad, because it's not registered mail, where recipient identity is verified. Some businesses do use that. But it's still worse than using online id. Because it's still more likely that the identity verification when receiving mail, isn't done properly.
There has been a national identity register here since 400 years, so I might be a bit biased, but I never really saw a problem in everyone knowing where other people live.
The most common problem is you have an abusive ex-husband, and some similar things like that, but then the national identity database is just a very minor side-problem compared to the actual problems...
A feeling that other European countries with such a system abused them during WW2 etc, or an appeal to tradition and a feeling that British people should be free from such systems and not reduced to mere numbers.
It still says "subject" in your passport, regardless of if you have a number or not ;-)
But yeah, I get parts of it. I remember that my granddad was always a bit miffed over the identity number he got, since he lived half his life without it. Before that the name and address was considered unique enough.
But it's such a nifty system - we get all updated addresses automatically, and it improves the credit scoring processes so it's very easy to buy things online, etc.
The defacto databases for residency are those held by the UKs 3 main credit reference agencies, who all have access to the electoral roll and offer address verification as a service.
Those services/databases don't really verify anything though. They tell you if the details given match a person, but they don't verify that the person giving them is who they say they are.
Last year I had a number of cases of identify fraud. In one case somebody went into a phone shop, gave just my name and address, and walked out with a iPhone 7 and a £60/mo contract. As the director of a limited company my name, address and date of birth are public record, so it seems really stupid that this is how identity is usually 'verified' in the U.K.
As there is no way to remove yourself from these databases (short of committing credit score suicide), I now pay £10/year to be on another database:
There was an option to verify by phone number - but it didn't work on my mobile. I assume that they use landline numbers to see if you are in the right geographic area.
This is just address verification using a mailed-in code. 2FA term describes a system that uses a second factor for authentication. This one uses a code sent by mail for registration (where first authentication is part of the registration).
I agree with the comment that the email hint is totally unnecessary, and the ambiguous 3 day expiry window is too confusing in an world where post might take 1 - 2 days to arrive. Additionally the postcard aspect means people at every point along the delivery chain can read the back and front, why not just send a letter?
As a side note, I really like the way the author of this blog has constructed his "Contact Me" bit at the bottom, it's very intuitive, clever, and uses URI schemes where appropriate, nice job!
I think it's likely that it probably doesn't expire, or has an expiry longer than 3 days; saying that the code expires gives a sense of urgency. I'm sure it helps with conversion, as this is yet another step of the onboarding process.
Google uses a postal-card OTP for Google MyBusiness service, to verify address for business listings. That is how you create Google Maps and Google Plus pages https://business.google.com). They again re-verification if the business address changes.
I think it is a very smart & less cumbersome way to verify physical address.
Couchsurfing uses the same address verification method (postcard sent to your home with a code). That one is powered by Lob. Maybe this one is as well?
I've seen posters in the streets from one of the hyper-local social networks that have a per neighborhood code on the poster. You use that code to sign up for your neighborhood.
I had a Japanese site verify my address by sending me a postcard by registered mail. If the postcard got delivered they presumed the address was valid, if the post office failed to deliver they knew it was fake. No need for any action on the user's end.
When they Swedish post office started their online portal back in the mid-to-late 90's they would mail your initial password home when you signed up. I guess because postal mail is all they knew?
ricardo.ch (similar to craigslist) is doing the same in Switzerland. I think this gives the user the impression that he has to be responsible about his actions on the website.
> This is a nifty way to lightly verify someone's address! A service could ask for scans of utility bills, or driving licences, but this is a lot simpler.
It's also an invalid way to verify where someone lives. It's possible to "verify" any address at which you can have mail sent to your name and receive, for example, a previous address, an office, a co-working space, an abandoned building or vacant apartment, etc.
This is why it's such a big deal that Nextdoor makes each user's address public inside their neighborhood group by default — there are trivial ways to get into a neighborhood group.
If anyone is looking for a fun side-project, this sort of postal verification could be part of bootstrapping a citizen-controlled national digital identity system. The system would also leverage the official gov election form that checks if you're registered to vote, resurfaced with an API.
This approach has the interesting property that, in order to cheat this unofficial system, you've have to commit either mail fraud (interception) or vote fraud (fake entry in election registry).
Ping me on Twitter if you're interested in working on this in Canada or any other jurisdiction. Would be rad to create an auth system for citizen projects to validate identity/ward/district/state with high assurance. That way, user desires can be passed to reps with reasonable certainty that numbers reflect real voters.
And could start doing fun stuff with encryption keys or keybase integration or things like that ;)
If anyone is looking for a fun side-project, I feel the postal verification could be part of bootstrapping a citizen-controlled national digital identity system. The system would also leverage the official gov election form that checks if you're registered to vote, resurfaced with an API.
Interesting property that in order to cheat this unofficial system, you've have to commit either mail fraud (interception) or vote fraud (fake entry in election registry).
Ping me on Twitter if you're interested in working on this. Would be rad to create an auth system for citizen projects to validate identity/ward/district/state with high assurance. That way, user desires can be passed to reps with reasonable certainty that numbers reflect real voters.
American Radio Relay League (ARRL) employs postcard based recipient verification for amateur radio operators by mailing to their registered license address with FCC, a public record. They use this to sign a user certificate (X.509) which presently can be used to access Logbook of the World (LoTW), a web based logbook for radio operators to record contact with other operators.
37 comments
[ 7.3 ms ] story [ 153 ms ] threadThere has been a national identity register here since 400 years, so I might be a bit biased, but I never really saw a problem in everyone knowing where other people live.
The most common problem is you have an abusive ex-husband, and some similar things like that, but then the national identity database is just a very minor side-problem compared to the actual problems...
But yeah, I get parts of it. I remember that my granddad was always a bit miffed over the identity number he got, since he lived half his life without it. Before that the name and address was considered unique enough.
But it's such a nifty system - we get all updated addresses automatically, and it improves the credit scoring processes so it's very easy to buy things online, etc.
I live in Denmark, so I have a Danish "personnummer".
https://en.wikipedia.org/wiki/British_subject
e.g. http://www.experian.co.uk/business-express/identity-solution...
Last year I had a number of cases of identify fraud. In one case somebody went into a phone shop, gave just my name and address, and walked out with a iPhone 7 and a £60/mo contract. As the director of a limited company my name, address and date of birth are public record, so it seems really stupid that this is how identity is usually 'verified' in the U.K.
As there is no way to remove yourself from these databases (short of committing credit score suicide), I now pay £10/year to be on another database:
https://www.cifas.org.uk/pr_for_individuals
There was an option to verify by phone number - but it didn't work on my mobile. I assume that they use landline numbers to see if you are in the right geographic area.
It is also easy to lose your privacy.
http://www.lse.ac.uk/management/research/identityproject/
As a side note, I really like the way the author of this blog has constructed his "Contact Me" bit at the bottom, it's very intuitive, clever, and uses URI schemes where appropriate, nice job!
It also is, quite literally, lying to people. I personally hate when businesses do that.
I think it is a very smart & less cumbersome way to verify physical address.
Picture of a card: http://2.bp.blogspot.com/-bhasaP2UfVA/T-itxSP6-uI/AAAAAAAAAF...
Site: http://NemID.nu
For some reason Germans love these cards as well
When they Swedish post office started their online portal back in the mid-to-late 90's they would mail your initial password home when you signed up. I guess because postal mail is all they knew?
It's also an invalid way to verify where someone lives. It's possible to "verify" any address at which you can have mail sent to your name and receive, for example, a previous address, an office, a co-working space, an abandoned building or vacant apartment, etc.
This is why it's such a big deal that Nextdoor makes each user's address public inside their neighborhood group by default — there are trivial ways to get into a neighborhood group.
This approach has the interesting property that, in order to cheat this unofficial system, you've have to commit either mail fraud (interception) or vote fraud (fake entry in election registry).
Canadian proof-of-concept here: https://github.com/patcon/id.c4nada.ca
Ping me on Twitter if you're interested in working on this in Canada or any other jurisdiction. Would be rad to create an auth system for citizen projects to validate identity/ward/district/state with high assurance. That way, user desires can be passed to reps with reasonable certainty that numbers reflect real voters.
And could start doing fun stuff with encryption keys or keybase integration or things like that ;)
Interesting property that in order to cheat this unofficial system, you've have to commit either mail fraud (interception) or vote fraud (fake entry in election registry).
Canadian proof-of-concept here: https://github.com/patcon/id.c4nada.ca
Ping me on Twitter if you're interested in working on this. Would be rad to create an auth system for citizen projects to validate identity/ward/district/state with high assurance. That way, user desires can be passed to reps with reasonable certainty that numbers reflect real voters.