Thread: User authentication

  1. #1
    Junior Member
    Join Date
    Jul 2013
    Posts
    9
    Member #
    36890

    User authentication

    I need help in coming up with a way that will allow a user to register on a site I'm designing but never to be allowed to register under a different name, email address, etc. I'd like to use their date of birth and last 4 of their Social Security number to verify themselves or something as stringent as that.
    Does anyone know how I might do so?

    Thank you

  3. #2
    Senior Member Webzarus's Avatar
    Join Date
    May 2011
    Location
    South Carolina Coast
    Posts
    3,322
    Member #
    27709
    Liked
    770 times
    #1. You can't use SSN (even the last 4) as a form of identification... (not in the US anyway). And any personally identifiable information must be handled within specific guidelines (meaning it cannot be stored online)... So it's useless for any kind of authentication.

    #2. If they happen to give you some sort of information, most all of it can be faked if they want to re-register with a different name.

    That being said, the only thing I have seen that had some level of success is a phone verification system. User enters a phone number, the computer uses a VoIP calling system that calls the user, gives them a verification pin (spoken)... The user then has to enter that pin to verify. If the number has already been used, they are given a number to call to "talk to a real person"... which usually entails a postcard verification...

    When you throw that many loops at people, only those that truly aren't trying to pull something will follow through.
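
The phone-verification flow described in post #2, as an added sketch that is not part of the original thread or any poster's code: a number that was already verified is routed to manual review, and the number is kept only as a keyed hash. The class name, status strings, timeout and attempt limit are assumptions; the VoIP call itself is left out.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL = 300        # seconds a spoken PIN stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong entries allowed per PIN (assumed value)

class PhoneVerifier:
    """Hypothetical helper; the VoIP call that speaks the PIN is out of scope."""

    def __init__(self, key, clock=time.time):
        self._key, self._clock = key, clock
        self._used = set()    # keyed hashes of numbers already verified
        self._pending = {}    # number tag -> [pin digest, expiry, attempts left]

    def _mac(self, text):
        return hmac.new(self._key, text.encode(), hashlib.sha256).hexdigest()

    def _tag(self, phone):
        # Strip formatting so "+1 (843) 555-0100" and "1-843-555-0100" collide.
        return self._mac("".join(c for c in phone if c.isdigit()))

    def start(self, phone):
        tag = self._tag(phone)
        if tag in self._used:
            return "manual_review", None   # the "talk to a real person" path
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[tag] = [self._mac(tag + pin), self._clock() + PIN_TTL, MAX_ATTEMPTS]
        return "pin_sent", pin             # goes to the calling system only

    def confirm(self, phone, pin):
        tag = self._tag(phone)
        entry = self._pending.get(tag)
        if entry is None:
            return "no_pending"
        if self._clock() > entry[1]:
            del self._pending[tag]
            return "expired"
        if hmac.compare_digest(entry[0], self._mac(tag + pin)):
            del self._pending[tag]
            self._used.add(tag)            # number can never register again
            return "verified"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[tag]
            return "locked"
        return "wrong_pin"
```

The keyed hash lets the site detect a reused number without storing the number itself; the key would have to live outside the database for that to hold after a database leak.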

  4. #3
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Even the phone verification can be worked around to a degree. If a user's on a VoIP system or has a cell phone plan with some providers, it's often easy enough to change the phone number on it. I could go into the web portal for my cell phone provider and change the phone number associated with it in about 45 seconds, and I'm on one of the budget Canadian carriers.

    About the only way you could do something like that is if you did something along the lines of what Twitter and Facebook do in certain circumstances, which is to force people to verify who they are by scanning in a piece of government-issued identification (at least in the case of Facebook...I'm not sure about Twitter) that states you're who you are. Personally, though, I wouldn't recommend that approach because it's incredibly invasive. I happen to know of the Facebook verification process because I was forced to go through it to continue to use the site...several people had set up fake accounts, so Facebook suspended all of them until one of us (i.e. me) could stand up and say "I'm the real me." I would never have given them my ID normally, but I needed to administer client Facebook pages that day, so FB had me over a barrel.

    What I want to know is why you'd want to go to that kind of trouble to verify a user and whether it's worth it to both you and them.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  5. #4
    Junior Member
    Join Date
    Jul 2013
    Posts
    9
    Member #
    36890
    I have an idea for a web site that, in my opinion, needs the validity of each user to be verified. The Social Security dept. has all SSNs on file and offers a service to validate that info to potential employers or something along those lines. I think the user would understand the need to validate their identity in some manner based on the idea of the web site. Without some type of validation the idea is of no use. I do agree that scanning is overkill and a royal pain. I still think the last 4 of one's SSN could be used with something else that would verify the authenticity.

    Credit card companies and others have my SSN, how do they try to protect that information? I hear almost every day of someone hacking into another account and getting SSNs of a bazillion people. No one ever seems to go ape about it. It's becoming almost not news anymore.

    I appreciate your input and guess I must continue to try to figure some manner of identity verification that isn't too intrusive and doable.

    Thanks again









  6. #5
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    You also need to remember that identity fraud is a big issue. Granted, I don't know what your idea is, but I can't think of a single non-government-related idea that would require that level of verification from the users of the site. Since you're on here, I'd have to presume you're not talking to government agencies about your idea, which means your idea is probably private sector.

    Based on that, if you asked me for my SSN (or in Canada, SIN), I'd probably tell you to go pound sand. If you asked me to "validate my identity" using something personally identifiable, I'd probably tell you to go pound sand. I wouldn't be the only one, either. You might find a segment of the population that would give you that kind of info, but I'd be willing to bet money the majority wouldn't. Like WZ said, you might not be performing a legal search. The first thing you should do is either seek proper legal advice or phone the US Social Security Administration and get clearance first. But knowing government agencies, you're going to have to go through some serious red tape and in this instance justifiably so.

    Contact Social Security By Phone

    If you're in any way familiar with PCI compliance, you would need to hold yourself to PCI standards or higher in this case; even though credit cards aren't involved, this is still highly sensitive information. If you're not, learn it and learn it hardcore to protect yourself from liability. Servers are going to need to be kept up-to-date, your code is going to have to be pretty much airtight, you're going to have to make sure you take steps to protect the data itself, any employees you hire will have to sign the appropriate legal documents stating they're going to have access to sensitive information and that they're not going to do anything, etc. and so on.

    In other words, you had better be 100% sure that this is a really good idea, it's needed, and there's a market for it. If there's any doubt in your mind whatsoever pertaining to anything that I've just said, don't do it because you're dealing with personally identifiable information.

  7. #6
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    One more thing...as far as "trying" to protect information goes, I don't know where you're hearing what you're hearing or reading what you're reading, but it sounds like you're sensationalizing a small sample of misinformation.

    What you need to realize is that the credit card companies themselves can only go so far. The burden of responsibility of protection lies on either the merchants themselves who process the cards or their payment processors, depending on how the cards are processed. If the merchant hosts its own payment pages, the merchant is responsible; if a payment processor hosts the payment pages, the payment processor is responsible. That's where PCI standards come into play...merchants are held to these standards, and they're incredibly stringent. I have a client who was found not to be PCI compliant and it took me 12 days to help get it to the point where it now is...for the next three months until the next scan.

    If you're reading about people getting access to credit card numbers, I can pretty much guarantee you having worked for a company outsourced by banks to process transactions that it didn't come from them. You don't even get into the building without a magnetic key card, and you have to go through a background check before you're hired. The "leaks" are probably on the merchants.

    I'm not sure what you can use for identity verification, but the point is that the more personally identifiable that it is, the higher a standard you're going to be held to.

