How to verify a user identity?

Let's not re-invent the wheel, or increase costs from having to use SMS gateways, etc.

http://code.google.com/p/google-authenticator/ sounds ideal to have implemented as an Add-On !?!

This is great if you want to add two-step authentication to your application for existing users; however, it's not a great way for restricting a device to a single account or trying to perform some type of verification for new accounts. Also a no go if you use SAML SSO.

Anyone with Facebook use their two-step verification system?

I have. It's not so bad if you always have your phone available, and don't regularly try logging in from new devices. You only need to supply the security code (sent as a text message to your phone) if you try logging in from an unrecognized device (e.g., a new laptop).
 
Yer, I dropped the Google two step id process for that reason... constantly changing devices was a nightmare... every time it forced a new authentication, then returning to my main system, again, because I used another... and round it went. Turned that off quick smart.
 
This is great if you want to add two-step authentication to your application for existing users; however, it's not a great way for restricting a device to a single account or trying to perform some type of verification for new accounts. Also a no go if you use SAML SSO.

Let's remember that the OP was asking about user confirmation via phone during registration, only! There was no mention/request about ongoing logon verification, or single account restrictions. For confirmation via phone during registration, a Google Authenticator add-on/hook would be ideal.
 
Thank you very much for your thoughts Anthony!
This is actually what I was thinking, but you are right it is difficult to start off with a small site this way. But I still prefer quality over quantity.......

It's a chicken and egg situation though, most people I know tend to look at a forum's stats before they sign up. How busy is it, how many members does it have. Then if you start to ask for PayPal / card details / cell/mobile numbers it's going to put people off.

What may be an alternative is to have a 2nd tier of account that they get promoted to if they prove their ID. That way people on the site can see if a user is on this 2nd tier of membership and know that they can be trusted slightly more than someone who's just a general member.

After all, if they're serious, they will want to confirm their ID and get promoted, but it won't turn them off from joining the forum in the first place.

Just one point though, confirming a phone number doesn't mean that they're not a scammer though, not when you can pick up a SIM these days for pence and without a contract - all it proves is that they have a mobile phone, nothing more.

PayPal is better, but it's only of use if a) they have a PayPal account and b) if it has a confirmed postal address in it.

Confirming ID online is a bit of a nightmare really, unless you're something like a bank that can confirm offline information as well as online (e.g. Utility statement). As ideal as it sounds, I can't see people sending in scans of their passports to you.

In the UK you could use a Credit Card payment gateway to authorise a payment using the cardholder's address details - at least this would confirm their address. But obviously, even this isn't foolproof, not to mention an expensive solution.

Good luck anyway :)
 
Yer, I dropped the Google two step id process for that reason... constantly changing devices was a nightmare... every time it forced a new authentication, then returning to my main system, again, because I used another... and round it went. Turned that off quick smart.

Indeed. If you're constantly logging in from different devices, it gets tiresome quickly.
Let's remember that the OP was asking about user confirmation via phone during registration, only! There was no mention/request about ongoing logon verification, or single account restrictions. For confirmation via phone during registration, a Google Authenticator add-on/hook would be ideal.

That was pretty much my point. If you're performing phone verification then it's likely you're doing so because you want to ensure the person registering is actually, well, a human. That system is useless if you don't restrict a device (phone) to a single account. Besides that, Google Authenticator is designed to be opt-in, and for those who desire two-factor authentication for their existing accounts. It is not an ideal way of providing some kind of phone verification system for registration -- you don't even need a phone to use it.
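
An added sketch of the point made in the post above (not part of the thread, and not code from any forum add-on): registration-time phone verification only limits sign-ups if each verified number is bound to a single account. The class name, policy constants and sample numbers are assumptions; delivering the code by SMS or voice is left to the caller.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5      # wrong guesses allowed per code (assumed policy)


class PhoneVerifier:
    """In-memory sketch; a real site would keep this state in its database."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # server-side key for hashing codes
        self.pending = {}                    # phone -> [account, digest, expires, tries]
        self.bound = {}                      # phone -> account that verified it

    @staticmethod
    def normalize(phone):
        # Simplified: keep digits only, so "+44 7700 900123" and
        # "447700900123" count as the same phone.
        return "".join(ch for ch in phone if ch.isdigit())

    def _digest(self, phone, code):
        # Store only a keyed hash of the code, never the code itself.
        return hmac.new(self.key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account, phone, now):
        """Return the code to send by SMS/voice, or None if the phone is taken."""
        phone = self.normalize(phone)
        if self.bound.get(phone, account) != account:
            return None                      # one phone, one account
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [account, self._digest(phone, code), now + CODE_TTL, 0]
        return code

    def verify(self, account, phone, code, now):
        phone = self.normalize(phone)
        entry = self.pending.get(phone)
        if entry is None or entry[0] != account or now > entry[2]:
            return False
        entry[3] += 1
        if entry[3] > MAX_ATTEMPTS:
            del self.pending[phone]          # force a fresh code after too many guesses
            return False
        if not hmac.compare_digest(entry[1], self._digest(phone, code)):
            return False
        del self.pending[phone]              # codes are single-use
        self.bound[phone] = account
        return True
```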
 
Something to think about is the relative ease of access to disposable/burn phones these days. I've pointed that out to a few clients I've been consulting for on security matters.
 
Yeah, as I mentioned above - SIMs are so disposable these days, it offers little in security really.

The only way to do it really I guess would be to do what Google does when you submit an entry to Google Places - it sends a card to the postal address with an authorisation code on it, this code is then entered into the system to confirm the account.
 

I forget sometimes our European counterparts are exclusively GSM mobile phones, whereas here in the United States we have both GSM and CDMA, both of which are readily accessible.
 
Well, you know, you Americans have to do things your own way, even though the rest of the world is happy with GSM ;)
 
Have you heard about TeleSign’s 2FA system? Their identity verification software sends a call or SMS with a one-time verification code to the user’s phone, which he or she has to enter on the website to get his or her identity verified. There’s no set-up or additional hardware required to use TeleSign’s phone verification system. Why don’t you check out the product demo on their website?
 