Ask HN: How do you handle organization verification?

5 points by mjhouse ↗ HN
Facebook, Twitter etc. have verified accounts. If you were adding this to your own application, how would you do it?

I imagine no matter how it's done, it will involve some amount of manual approval. I would be pleasantly surprised to learn that this can be automated.

5 comments

[ 3.0 ms ] story [ 18.2 ms ] thread
I don't have a technical answer, but I would probably find out how online tobacco/vape companies verify people and implement that. They ask for taxpayer ID, credit card info, some other bits. It is fully automated and real-time verification.
Maybe something like the following would work:

* The account creator provides a photo id and an EIN

* You verify that the id is valid (visual/ML inspection?)

* Extract the expiration date and make sure it's unexpired (OpenCV/Tesseract)

* Extract the name from the id image (OpenCV/Tesseract)

* Check to see if that id matches the registered agent for that EIN.

This assumes that there is a unified API for EIN/TIN lookup in the US and I don't know if there is.

I'm not sure on the details of how it's done ... but it certainly is done :)

Honestly, the library/libraries used are kinda moot - those things change all the time (ie, it doesn't matter if it's OpenCV or something else)

Most government-issued IDs are intentionally designed to be very hard to OCR (it's why they have barcodes/etc on them for automated scanning) - and any advances in image processing are more-or-less immediately countered by improvements in ID construction

I know the E-Verify (https://e-verify.gov) service that come businesses use to process I-9 forms (https://www.uscis.gov/sites/default/files/document/forms/i-9...) electronically manages to link SSN, IDs, and other factors to ensure the person filling-out the form matches (as close as can be determined) the data they're filling-in

That's a good point about the OCR obfuscation. I'll try to find some more info about E-Verify- thanks man.
As LinuxBender wrote (https://news.ycombinator.com/item?id=28274924), there are ways to do this

Credit card, SSN/tax ID, scans of Passport/ID card - some of this is done by online-only financial services (eg Petalcard)

There's also tools like DocuSign, multifactor authentication mechanisms (SMS + TOTP app + email, etc)

If the service/tool is only "supposed" to verify certain types of accounts, you might require the use of specific format email addresses, too (has to end .gov, .edu, nytimes.comm etc) - this can lend itself to organizational verification (gonna be harder to spoof (and therefore easier to verify) harvard.edu than blurblebuck.me)