Authenticating someone's identity
Moderator: General Moderators
-
Donny Bahama
- Forum Newbie
- Posts: 18
- Joined: Wed Mar 22, 2006 2:48 pm
Authenticating someone's identity
OK, here are the guidelines...
You need to give "Mr. X" access to some confidential documents, but you don't have contact info for him, specifically. (Mr. X doesn't know you and is not expecting your message, but your message is provocative and compelling enough that it *will* get his attention.) You do have an @ddress for Mr. X's secretary/assistant, but you don't want the assistant seeing the confidential docs. You send an email saying, "Please pass this on to Mr. X" along with a link for Mr. X to click.
When Mr. X arrives at the page you linked, you need to confirm that it IS Mr. X (and not his secretary).
A couple additional rules to this little game...
1. Mr. X doesn't have a public php key
2. Voice verification (i.e. by phone) is not an option, nor is a face-to-face meeting.
3. Mr. X isn't the most patient man in the world... the authentication process needs to be simple, easy, streamlined or Mr. X might just say, "Screw this. I don't have time for this crap."
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: Authenticating someone's identity
Unless you have some kind of information that only Mr. X will know, I don't see this as being possible in any secure fashion.
Will be interested if someone can suggest something otherwise.
-
Donny Bahama
- Forum Newbie
- Posts: 18
- Joined: Wed Mar 22, 2006 2:48 pm
Re: Authenticating someone's identity
John Cartwright wrote: Unless you have some kind of information that only Mr. X will know
Nope, nothing like that.
John Cartwright wrote: I don't see this as being possible in any secure fashion.
How about, then, in a semi-secure fashion? Here's a possible example. The linked page says...
"By continuing, we will be issuing an SSL certificate that will be installed in your browser. Please note that under U.S. laws regarding computer encryption, it is a federal offense to make false or misleading statements when obtaining a Class 1 Security Certificate. We already have your IP address and other personal identifying information. To continue, you will have to provide a valid email address. If you are NOT Mr. X, you should leave now. Any attempt to fraudulently impersonate Mr. X will be simple to track and we WILL prosecute to the fullest extent of the law."
At this point, Mr. X fills in his @ddress and clicks submit. The new page has an input field (for an authentication code) and instructs him to check his email, and do *not* navigate away from the current page. We regenerate his session ID, hash it, and I get an email with his @ddress and two links (one for approve, one for deny). I hope for something obvious- "misterx@hotmail" = good, "bob.jones@wherever" = bad. If I click the deny link, bob.jones gets a nasty email full of legal threats and verbiage. If I click approve, we email Mr. X the authentication code (his session id, hashed).
Mr. X gets the email, copies the code, pastes it into the form and clicks submit. We confirm that it matches, then generate the SSL client certificate and redirect him to a secure page where his certificate is used to authenticate him. Now he can see what we need him to see.
Providing a reasonable deterrent (in much the same way that the lock on your front door keeps reasonably honest people out) probably represents an acceptable level of risk. We'd have an IP address, hostname info and a valid @ddress to pursue someone who was trying to perpetrate fraud. Granted, the IP/hostname could be spoofed or proxied, and the @ddress could be a temporary yahoo @ddress generated on the spot, but most of the people I'll be contacting won't be that tech savvy. I could also implement a third security check that looks at the time they first hit the page and compares it to the time they submit their @ddress via the form. If it's more than X seconds (or if their session ID changes because they're accessing the page for the 2nd time), we know that they've had the chance to implement a proxy and/or create a temp @ddress.
All this is just kind of "thinking out loud". Maybe it will help you think of something better... or maybe this makes for a good starting point if I just...
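The approve-then-email-a-code step described in the post above, as an added example that is not part of the original post or any poster's code. It swaps the hashed session ID for a random single-use code, since the session ID is a value the browser already holds; the class name, the in-memory store, the time limit and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed validity window for an emailed code
MAX_ATTEMPTS = 5            # assumed guess limit per approved request


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class ApprovalFlow:
    """In-memory stand-in for the server-side session store (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session id -> request record

    def request_access(self, session_id: str, email: str) -> None:
        # Visitor submitted an address; nothing is mailed until the operator approves.
        self._pending[session_id] = {"email": email, "digest": None, "expires": 0.0, "tries": 0}

    def approve(self, session_id: str) -> str:
        # Operator clicked "approve": mint a random code and keep only its hash.
        rec = self._pending[session_id]
        code = secrets.token_urlsafe(16)
        rec.update(digest=_digest(code), expires=self._clock() + CODE_TTL_SECONDS)
        return code  # goes into the email to rec["email"], never into the page

    def deny(self, session_id: str) -> None:
        self._pending.pop(session_id, None)

    def redeem(self, session_id: str, submitted: str) -> bool:
        rec = self._pending.get(session_id)
        if rec is None or rec["digest"] is None:
            return False  # unknown session, denied, or not yet approved
        rec["tries"] += 1
        if self._clock() > rec["expires"] or rec["tries"] > MAX_ATTEMPTS:
            del self._pending[session_id]  # expired or too many guesses
            return False
        if not hmac.compare_digest(rec["digest"], _digest(submitted)):
            return False
        del self._pending[session_id]  # single use: a replayed code fails
        return True
```

A successful `redeem` shows only that the same browser session can read the approved mailbox, which is the limit John Cartwright's reply points at.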
-
Donny Bahama
- Forum Newbie
- Posts: 18
- Joined: Wed Mar 22, 2006 2:48 pm
Re: Authenticating someone's identity
Or, to put it another way, what's the best thing you can think of to provide some level of security (or some means of reducing risk to an acceptable level) given the constraints mentioned above?
-
Donny Bahama
- Forum Newbie
- Posts: 18
- Joined: Wed Mar 22, 2006 2:48 pm
Re: Authenticating someone's identity
Here's another thought...
Lots of sites require you to submit a valid credit card in order to gain access, and there's always an accompanying form where you have to enter your name (as it appears on the credit card) and address. When you submit the charge, the bank only approves it if all the info matches.
Of course, Mr. X isn't going to agree to pay for access to some unknown thing from some unknown person - but that's easy. Let's say we credit his account $5. ("Have a latte on us- our way of saying thanks for your time!")
That may not work, either, though... who wants to give their credit card number to any stranger? But maybe if we include a printable contract on the page that states that we do not/will not store the card or address information -- it's used to issue a small credit, then discarded. And maybe we even go to whatever lengths possible to verify for the user that WE ARE who we SAY WE ARE. (But how? Maybe include a phone number for the law offices of our General Counsel?) Hmmmm, seems like we're getting back into a situation where this is just too complicated for Mr. X to bother with.
Thoughts? Comments?
Re: Authenticating someone's identity
Many personal assistants and secretaries have access to and use credit cards on behalf of their owners (boss) and are trusted to do so using their best judgement. They are also knowledgeable about what information should and should not be passed along. They are called "Gatekeepers" for a reason. You'll need to be creative, honest and have something decent to say in order to get past them. But let's say you did... If I was Mr. X, I would find your contact methods to be a bit wacky and refuse to give it any consideration, let alone attempt to prove to you who I am.
I'm not sure you will have much luck with this. Quite honestly something smells here.
Re: Authenticating someone's identity
I agree with Astions here, it's not quite clear why you want to accomplish what you want to do.
Donny Bahama wrote: You need to give "Mr. X" access to some confidential documents, but you don't have contact info for him, specifically. (Mr. X doesn't know you and is not expecting your message, but your message is provocative and compelling enough that it *will* get his attention.) You do have an @ddress for Mr. X's secretary/assistant, but you don't want the assistant seeing the confidential docs. You send an email saying, "Please pass this on to Mr. X" along with a link for Mr. X to click.
When Mr. X arrives at the page you linked, you need to confirm that it IS Mr. X (and not his secretary).
Maybe I don't understand the issue exactly: if you do have Mr. X's name and you do have the address of his office, by definition you have his contact info. You can just send him a physical letter with the information needed to log in to your system. In case it needs to be very secure, you can first send a letter with an explanation and his username, and then after that separately a letter with a password. In the first letter you also explain that the password will arrive in the next week and that if it does not, they have to contact the institution to give notice of the fact that the password has not arrived.
Banks use this system to give people their login info for online banking, so if it's secure enough for them it's probably for you.
-
frozenarmageddon
- Forum Newbie
- Posts: 19
- Joined: Wed Aug 05, 2009 6:29 pm
Re: Authenticating someone's identity
I will try to think of something...
Some info that could be REALLY useful is:
How confidential is the stuff that Mr. X is going to see? [An overall explanation what it is could be useful too]
What DO you know about Mr. X? [Everything you know could be used]
Is contacting by FAX an option?
Does he have a scanner? [for some paperwork verification]
Other stuff you might find useful...
Re: Authenticating someone's identity
The address is the secretary's, so anything mailed will get opened by that person. As you have no personal information about the user that the secretary wouldn't know, I would consider yourself more or less out of luck.
If you had an email or a cellphone number you could send a message that way, and assume it'll be secure, however I can make a guess that some people who have secretaries also have them screening their emails. Short of you walking into his office like some clandestine spy, and handing him directly a blank envelope, with the information you have you're out of luck.
No one in their right mind will just hand out their credit card to a random website. I say right mind, not that it's impossible to get someone to do it.
I'm just curious what you are using this for anyway?
-
frozenarmageddon
- Forum Newbie
- Posts: 19
- Joined: Wed Aug 05, 2009 6:29 pm
Re: Authenticating someone's identity
I just had an idea, it's as secure as you can trust that Mr.X that I assume you were emailing with isn't his secretary...
It's kinda based on matthijs's and yours...
And it still can be spoofed by using a proxy.
Send Mr.X an email with a link to a page that asks him to input an email, this will make Mr.X FEEL it's at least somewhat secure. Then it will send him an email, with a Username, and say that for security reasons the Password is going to be sent in a few days after making sure that the one who gets it IS Mr.X and tell him that he should not go to the site as if by any chance Validation will fail, he will be noted by email, and spamming the system with verification requests will just make it Ignore him.
What the actual validation method is, is logging the IP for the ones who enter the page, and for the ones who get the email sent to.
Reset the log before you send him the link, and after like 48 hours [the more the better] check the logs, if there are more than ONE IP logged, send an email to tell him that Apparently he's not the only one that requested the password, and for security measures, let him try one more time, and tell this time to make sure only he personally writes down the email and asks for it.
If only one IP is logged and is the same for both - Before writing the email and after - then you can assume that the person is Mr.X and you can send him the password.
But the same way you can't really tell that Mr.X IS the one you talked to, so you can't really tell if that's Mr.X that asked for the password.
Hope I helped ^^
Now to run like hell to school before I am late T_T