agency-proof user authentication #5

Open
ruebezahl opened this issue Mar 18, 2011 · 8 comments
@ruebezahl
Contributor

we need a form of user authentication which is at least mass-subscribing and government-agency-proof.

following design suggestion: every user has to submit a picture with him holding a sign.
on the sign written is some text generated individually by the signup-form, and his location

@tsujigiri
Contributor

As I find this very creative (no sarcasm intended), personally, I prefer some kind of captcha.
I like this one: http://random.irb.hr/signup.php :)

@ruebezahl
Contributor Author

don't agree. a captcha doesn't protect you from sophisticated attacks and has severe downsides in means of usability and ease of use (meaning: it is no barrier, if you have the resources, and no, you don't have to be the NSA for doing this)

@nullisnil
Contributor

I like the captcha, but the one liners are pretty easy to solve using a simple OCR.

Personally I would not like to upload an image. There are many generators for this on the net.

What about doing captcha by knowledge e.g. asking for the latitude/longitude, zip code, location name and location admins possibly with a simple captcha like recaptcha. Current weather at the user location, something like this.

To keep away the mass registrations.

@tsujigiri
Contributor

Who looks at all the pictures (we do hope it is going to be a lot, right?) and how do you decide whether they are "authentic" or not?

@ruebezahl
Contributor Author

what about this: we require a picture of the measuring-device and some written text the signup-form generates? this is the only valid assumption we can make about users: they own a certain measurement device... if they are legit, they should be able to take a picture of it.

@ruebezahl
Contributor Author

@tsujigiri we do - if we don't, we put all data credibility at risk

@nullisnil
Contributor

this is much better IMO. It would be possible to use the location data in EXIF, if existent, to compare it to the location entered. Let's say +-100km or something like this.

@ruebezahl
Contributor Author

@nullisnil and it would be possible to automatically check the timestamp in EXIF, too
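
A sketch of the EXIF location and timestamp checks discussed in the last two comments, as an added example that is not part of the thread or the project's code. It assumes the EXIF tags have already been read into a dict keyed by the standard tag names (a hypothetical input shape), and the 24-hour window is an assumption since the thread names none. EXIF is supplied by the uploader and can be edited, so the result only decides which photos go to manual review.

```python
import math
from datetime import datetime, timedelta

MAX_DISTANCE_KM = 100           # tolerance suggested in the thread
MAX_AGE = timedelta(hours=24)   # assumption: the thread gives no time window

def dms_to_decimal(dms, ref):
    """Convert EXIF (degrees, minutes, seconds) plus N/S/E/W ref to signed degrees."""
    deg, minutes, sec = (float(x) for x in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def check_signup_photo(exif, claimed_lat, claimed_lon, issued_at):
    """Return reasons to send the photo to manual review (empty list = passed).

    issued_at is when the signup form generated the text shown in the photo.
    EXIF DateTimeOriginal has no timezone; both times are assumed to be in one zone.
    """
    reasons = []
    try:
        lat = dms_to_decimal(exif["GPSLatitude"], exif["GPSLatitudeRef"])
        lon = dms_to_decimal(exif["GPSLongitude"], exif["GPSLongitudeRef"])
        if haversine_km(lat, lon, claimed_lat, claimed_lon) > MAX_DISTANCE_KM:
            reasons.append("location_mismatch")
    except (KeyError, TypeError, ValueError):
        reasons.append("no_gps")  # many cameras and apps omit or strip GPS tags
    try:
        taken = datetime.strptime(exif["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S")
        # The photo must postdate the generated text and fall inside the window.
        if taken < issued_at or taken - issued_at > MAX_AGE:
            reasons.append("timestamp_out_of_window")
    except (KeyError, TypeError, ValueError):
        reasons.append("no_timestamp")
    return reasons

# Constructed sample: a photo geotagged in Berlin, taken 30 minutes after signup.
SAMPLE_EXIF = {
    "GPSLatitude": (52, 31, 12), "GPSLatitudeRef": "N",
    "GPSLongitude": (13, 24, 18), "GPSLongitudeRef": "E",
    "DateTimeOriginal": "2011:03:18 10:30:00",
}
ISSUED_AT = datetime(2011, 3, 18, 10, 0, 0)
```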
