How to make certain somebody is real?

I am currently working on a project where individual authenticity is the key - or to put it in plain English - where you cannot pretend to be somebody else. And that is not easy.

I have simply not been able to come up with a way for me to validate that people really are who they say they are. Especially not, since it is a non-profit project, and thus leaves out credit card validation.

Help!

I am putting this out in the open. What do you think? Is individual authentication possible on the internet? Is there a way to remove the frauds?

Comments

1

Morgan Roderick - Aug. 30, 2008

If you're willing to spend a little, you could do some sort of verification via mobile phones. Google does this when you register your business on Google Maps, and it's pretty user friendly.

People are less likely to use throw-away phones than throw-away e-mail addresses... but, it all comes down to "how real" you need people to be.

2

Thomas Baekdal - Aug. 30, 2008

Morgan, that is interesting... but... how do I know that the mobile phone is the property of that specific person?

Could I not just say that my name is "Joe Smith" and this [number] is my phone number, giving them my number - not the number of the actual Joe Smith?

(of course, what makes it worse is that there can be many Joe Smiths).

I have also been looking into OpenID, until I found out that it does not prevent people from appearing to be somebody else. They cannot take on the identity of another OpenID owner, but they can take on the identity of a non-OpenID owner (and that is nearly everyone). And OpenID does not prevent people from creating an OpenID under a false name. Just create a blog on Blogger, using any name you like - and then that is also your new OpenID.

The internet seems to lack the ability to say "I am me".

3

Kevin Cannon - Aug. 30, 2008

Credit Card is probably the only way.

Some places do a small charge of 50 cents to authenticate people like this.

The only other way is probably to need people to send in a copy of their passport or photo ID or something. This isn't wholly an Internet problem, think about what you need to verify your identity when you open a bank account, or join a video store.

4

Milena - Aug. 30, 2008

No clue but, I'd like to hear what solution you'll come up with.

5

Ali Servet Dönmez - Aug. 30, 2008

My suggestion (even though it sounds a bit mind-blowingly complicated, but that's the way human beings and their relations really are) is to make up a service where you connect every (possible) social platform out there in order to create an id-node for someone who wishes to be recognized (authenticated) as himself.

Once that someone creates his own id-node, this node will know about any other id-node connections that he is connected with (his friends, colleagues, dad, mom, what or whomsoever...), which would create a much bigger id-web.

This way you won't be able to say "this is me and I am who I say I am" (which you could easily cheat on), but instead you'll be able to say only "this is who I propose I am and you'll see that these people will confirm that". If everything goes all right his id-web will confirm that he really is who he says he is and he will be recognized in an indirect, but natural, manner.

Isn't this how things are really going, or similar, in the real world? I never ever had to enter my username or password in order to get into my friends' houses and do what we like...

What do you think?

6

Mark - Aug. 30, 2008

I worked under similar circumstances once (non-profit org, *had* to verify that users were who they said they were). Our solution? Send them the usual username & password by email, but that was only valid for 1 month. At the same time, we sent them a verification mail via snail-mail, that included a link for them to type in, and a verification code. Only after that was entered was the user allowed to continue using the service. If the user didn't enter his/her verification stuff, all their posts were put on hold until they verified themselves via the snail-mail verification code.
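
The scheme in Mark's comment, sketched as an added example (not code from the original post or from his project): the mailed code is stored only as a salted hash, compared in constant time, and posts stay on hold until the code is entered inside the one-month window. The names, the 10-character code format and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# No 0/O or 1/I/L: the code is retyped by hand from a paper letter.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
GRACE = timedelta(days=30)   # "valid for 1 month" in the comment
MAX_ATTEMPTS = 5             # assumption: cap guesses at the mailed code


@dataclass
class Account:
    username: str
    created: datetime
    salt: bytes
    code_hash: bytes
    verified: bool = False
    attempts: int = 0
    held_posts: list = field(default_factory=list)
    published: list = field(default_factory=list)


def _hash(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def register(username: str, now: datetime):
    """Create a provisional account; return it plus the code to print on the letter."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(10))
    salt = secrets.token_bytes(16)
    return Account(username, now, salt, _hash(salt, code)), code


def submit_post(acct: Account, text: str) -> str:
    (acct.published if acct.verified else acct.held_posts).append(text)
    return "published" if acct.verified else "held"


def verify(acct: Account, typed: str, now: datetime) -> bool:
    if acct.verified:
        return True
    if now - acct.created > GRACE or acct.attempts >= MAX_ATTEMPTS:
        return False
    acct.attempts += 1
    normalised = typed.strip().upper().replace("-", "").replace(" ", "")
    if not hmac.compare_digest(_hash(acct.salt, normalised), acct.code_hash):
        return False
    acct.verified = True
    acct.published.extend(acct.held_posts)   # release everything that was on hold
    acct.held_posts.clear()
    return True
```

A successful check shows that whoever registered can read mail at the postal address given; tying that address to a particular name is a separate step.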

7

Thomas Baekdal - Aug. 30, 2008

Kevin & Mark, I am getting to about the same conclusion myself. But I think it would put people off if I were to ask for their credit card info, or sending them snail-mail. Maybe I could mix it with donations. Something like "get authenticated by donating a dollar".

Ali: That would indeed be a great thing. I have been thinking about something like that myself. Using the collective power of our "online presence" as a way to authenticate yourself is indeed interesting - although a bit hard to do for this project.

It could be further expanded by creating a place for people to manage their online presence... I have been thinking about having a central place, from which you could manage and authenticate yourself. Regardless of what site you happen to be on. To prevent fraud a one-time token would be used to submit comments, signup for services and buy products.

8

Alin Hanghiuc - Aug. 30, 2008

quote: Is individual authentication possible on the internet? Is there a way to remove the frauds?

Sorry, but imho it's not possible.

9

Gautch - Aug. 30, 2008

One thing Google does is create a random alpha-numeric string of characters. Then you have to make an HTML doc with those characters in it and name the HTML something specific. Then upload it to your server (to which only you would have access), then Google searches your server for that HTML file.

Something like this would work. Something like an intricate CAPTCHA. Instead of having to fill in a blank on the site and make it match a CAPTCHA, maybe they have to upload a file somewhere else that has the answer. Basically your "Joe Smith" has to do something that only that specific "Joe Smith" could do. Then your system could search for it to validate.

Just a thought. Though all this talk makes me see an idea for a website brewing.

-Gautch

10

Tom Klaasen - Aug. 30, 2008

If I'm not mistaken, GPG has the concept of "network of trust": you know me, you say you trust me. I know Fred, I say I trust Fred. Now you can be sure that Fred is really Fred (since you trust my word on this).

The whole concept can be extended by government officials ('notarissen' in Belgium) to sign a document that somebody is who she claims to be, but that gets complicated.

Maybe GPG is a bit too far-fetched for your project, but it gives you _a_ way to identify people.

Read more on this on http://www.gnupg.org/gph/en/manual.html#AEN346
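
The trust chain Tom describes, as an added example (not code from the original comment or from GnuPG): a simplified model of the validity rule in the GNU Privacy Handbook he links, where a key counts as valid if it is signed by you, by one fully trusted key, or by three marginally trusted keys, within a chain of at most five steps. All names and signatures are constructed sample data.

```python
from collections import defaultdict

FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1     # one signature from a fully trusted introducer
MARGINALS_NEEDED = 3     # or three from marginally trusted introducers
MAX_DEPTH = 5            # longest accepted chain back to my own key


def valid_keys(me, signatures, owner_trust):
    """Return {key: depth} for every key considered valid from `me`'s viewpoint.

    signatures:  set of (signer, signed) pairs
    owner_trust: how much `me` trusts each key owner to check identities
                 before signing (FULL or MARGINAL; absent means no trust)
    """
    signed_by = defaultdict(set)
    for signer, signed in signatures:
        signed_by[signed].add(signer)

    depth = {me: 0}                      # my own key is the root of every chain
    for level in range(1, MAX_DEPTH + 1):
        newly_valid = []
        for key, signers in signed_by.items():
            if key in depth:
                continue
            # Only signatures from keys that are already valid count, and
            # only as much as I trust that signer as an introducer.
            usable = [s for s in signers if s in depth]
            full = sum(1 for s in usable if s == me or owner_trust.get(s) == FULL)
            marginal = sum(1 for s in usable if owner_trust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            depth[key] = level
    return depth


# Constructed sample: "you" signed Tom's key and trust Tom fully; Tom signed Fred's.
SIGS = {("you", "tom"), ("tom", "fred"), ("fred", "eve"),
        ("you", "a"), ("you", "b"), ("you", "c"),
        ("a", "dana"), ("b", "dana"), ("c", "dana"), ("a", "zed"), ("b", "zed")}
TRUST = {"tom": FULL, "a": MARGINAL, "b": MARGINAL, "c": MARGINAL}
```

With this data Fred's key is valid through Tom, but Eve's is not: Fred's key being valid does not make Fred a trusted introducer, so his signature on Eve's key counts for nothing until you assign him trust.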

11

Thomas Baekdal - Aug. 30, 2008

Though all this talk makes me see an idea for a website brewing

- Gautch

Me too... I think there is a potential goldmine here - if we could just get everyone to agree on a standard. It doesn't even have to be centralized. It could be a completely decentralized system - similar to OpenID.

BTW: About the HTML file. Good idea, except that few have a website. It is relatively easy for Google, because that is designed specifically for website owners.

Tom, That is another very interesting concept. I didn't know about that one.

--

I must admit that I find this both to be absolutely frustrating (because it should be a simple thing), and yet also a very interesting problem.

12

Gautch - Aug. 30, 2008

"...because it should be a simple thing..."

- Thomas

In this case the fact that this problem isn't easily addressed shows it's not a simple thing. Otherwise it would have been done by now. Think about it, how beneficial would this actually be? It would be HUGELY beneficial. As a matter of fact, if I could prove I was who I said I was without using my SS#, Bank Info, a credit check or other personal info I would most certainly use it!

Simply, you would have to have a piece of info that only "John Smith" would know. You would then also have to be able to check that in fact your "John Smith" is the only "John Smith" that would know this info. Not so simple.

"...and yet also a very interesting problem."

- Thomas

Very interesting problem indeed.

13

Ali Servet Dönmez - Aug. 30, 2008

I guess this has something to do with our talk here, just for the records: http://identity20.com/

14

Andrew - Aug. 30, 2008

There are services which ask you questions from your credit report to verify your identity. Canada Post uses it when you set up mail forwarding online.

No idea on the costs involved / the legalities needed to implement it.

15

Thomas Baekdal - Aug. 31, 2008

Thanks Ali, Identity 2.0 is another interesting thing I didn't know about.

Andrew, come to think of it, Google AdSense uses the same technique to validate the correct bank account.

One problem though is that while it certainly does confirm that (in this case) the money goes to the correct bank account, it does not confirm that that specific account belongs to me as a person.

But good tip!

16

Ali Servet Dönmez - Sep. 2, 2008

I'm really looking forward to seeing news about this one!

17

Chris Jakeman - Sep. 8, 2008

The public key infrastructure (PKI) looks after this for you but certificates can be expensive. Not many people know there is a free alternative at http://www.cacert.org where they have a selection of mechanisms for proving your identity depending on how sure you need to be.

Hope that helps,

Chris

18

Thomas Baekdal - Sep. 8, 2008

Ali, news is coming... although slowly :)

Chris, that one is interesting too. One problem though is that CACert is not recognized as a trusted authority by some browsers, and thus comes up with a security warning.

19

Chris Jakeman - Sep. 11, 2008

Thomas, can you be more specific about "people really are who they say they are"?

"Visitor 25 is the same individual who visited yesterday" is a different problem from "Visitor 25 is Roger Federer who lost the Wimbledon Tennis Championship in July".

Just my thoughts,

Chris

 

Published: Aug. 30, 2008 in notes


Thomas Baekdal

Thomas Baekdal is a Writer, Interaction Designer, Change Advocate and Project Manager.
