I would like to ask for any suggestions on how to reliably block a user on iOS and Android, so that if I block his registered account, he can't just create a new one. In the app I am working on, it's rather important to make sure that blocked users can't use the app again.
Solutions I considered:
1) Use phone number for verification. The phone number can be blocked so that the user would need a new phone number to register a new account again. The problem is that phone verification is paid with all services I considered (Firebase, Twilio). Since the app is free, if the user base got larger, I would not be able to financially support it (something like $0.06 per verification).
2) Device ID. Use the device ID to block the device. From what I read, it seems it's prohibited and can't be used like that. That's specified by Apple, or so I heard.
3) iTunes / Google Play account email. It seems this is not possible to obtain.
There is no foolproof way to achieve that.
Using the user's phone number or physical address (e.g. send him a card with a code) is not free and, as you said, it can add up if your base grows.
You might consider asking your users to photograph / upload their identity card and make sure the name on the card matches the name they give during the registration process, but that is not entirely foolproof either (they could ask a friend / neighbour). Nevertheless, this might be the cheapest / most secure solution (but it could alienate a portion of your users). You could also ask, in addition, to upload a utility bill with the user's name on it, but again... that will only work if people really want to use your app.
Good luck! Just remember even Amazon can't do it 100%.
You can recognize and ban a mobile device's access to your server by its Wi-Fi or Bluetooth MAC address.
Does anyone have any thoughts on how to build a user profile system on a site that is so secure that there's absolutely no way to figure out that person's identity; while also allowing them to reset their password?
Don't want their email
Don't want a phone number for SMS
Don't want to use the social media platforms to authenticate
Cannot use secret questions because they forget their own answers
Cannot use a TOTP app on a cell phone because people lose/break their phones (and some still don't have a cellphone)
Cannot use a cookie on their device because it isn't universal across phone/laptop/tablet, and they break their devices
Cannot fingerprint their browser agent, IP, etc., because the users access the site from multiple systems, from multiple different IPs. There are also multiple users logging in from the same home computer.
Cannot issue them a physical token because cost, and, they'd lose them
Has anyone figured out an identity broker system that isn't associated with big social media? The user could register their identity stuff with the 3rd-party broker, and the broker just gives me a key to identify them? That is free for everyone to use? Kind of like the GPG key ecosystem...
Looking for ideas. How can I register an account for you, but no matter how hard I try, I never have any data that I could use to Google you?
I would like to capture the "computer name"/"device name" of the user. (Ex: Joes-iPhone) It seems like a nice touch to be able to see what devices have connected with the user's login so they can see if there is unauthorized access to their account.
Over and over I see people say this is impossible from a web page for JavaScript, HTML, PHP, etc. Yet when I log into my bank, Facebook, Google, lo and behold, there is every device I've connected with. This means it is most definitely possible.
There was one instance where one of my accounts was logged into by someone and this was a big help in identifying what was going on and I love this feature now. I would like to implement this but am stuck in a city full of dead end roads!
Does anyone have any knowledge of how they are accessing this? Or even theories? I don't care what language or technique.
I'm very curious to see what people come up with. I do have an app for Facebook, so I could see the app accessing it and storing it for the browser site, but I have no app for the bank or Google and I have devices listed in Facebook that were not used within an app, only through the browser. To my knowledge I have never authorized any access to anything beyond what the browser is capable of, so there must be something I'm missing.
Short answer: It's true, it can't be done.
But why not??
Your device name is used when your device connects to your router -- but that's where it stops. Your router doesn't allow that information to be broadcast any further. When your computer/tablet/phone requests a web page, your router is the one actually asking for the page -- and he refers to himself by his public IP, which is shared by all the devices on your LAN.
Second-Best
What can be seen by external Internet entities is your user-agent (the type of browser you're using), which can give someone a pretty good idea of what operating system you're using, and therefore what sort of device you're on (mobile vs. desktop/laptop, Windows vs. Mac, etc.). The user-agent info is available as a string, and can be accessed by PHP via the $_SERVER['HTTP_USER_AGENT'] variable.
The PC name is only accessible through LAN (another PC connected to the same modem/router), if such a request hasn't been blocked on your PC. It is not distributed by browsers.
What browsers transmit is the browser info and operating system as well as the IP address. That's all. Some sites allow you to give a nickname to each machine so you can identify them, and they can then use cookies to remember which is which.
EDIT: The only thing I can see is that they could be using Java or Flash to do it.
I believe some users on my site are using IP masks to create more than one account. Due to the nature of my site/game it's against the rules and I need to remove players like this.
I currently track their IP, host, browser type and such with PHP; I also use JavaScript/jQuery to get their screen size. I also have a little script set up that tells me if they're coming through a forwarding service. It says this certain player is, although his IP doesn't match any proxy lists I've come across.
Basically I'm looking for any other info I can collect that I can compare and determine if a suspect player is actually another players second account. Any suggestions?
The only thing I can think of is using a telephone number as part of the subscription process, and sending some sort of verification code via SMS.
Also you can start setting cookies.
And it is possible to imagine some sort of detection as part of your game/application. Like you add some game elements that would expose suspects to some secret knowledge. Set up honeypots. Like you show some secret 'cheat' codes or a specific link/location to one suspected double and not to the other. Then if the other tries to use that info - you got him... Basically build some sneaky intelligence into your app.
Combining these with all the other detection techniques could make it very close to 100% bulletproof and can be a lot of fun.
There are other topics like this but none of them completely answer my problem.
I'm making a website only accessible to a small group of users (like one team).
Now they should all have the possibility to go to the website and see information for them personally. And that without having to log in. Simply said: How to recognize a user without Login.
The problem is, those users will access that webpage 99% of time with their phone.
That means they'll access it through WiFi OR a 3G network, making their IP not constant and, in my opinion, useless to track. Then I thought about the MAC address; that's one thing that stays stable. But the internet suggests it's not sent to the browser and so is "unable to track".
Questions:
Is it really impossible to track a phone's MAC address, or does a backdoor thing exist? (JavaScript/PHP/cookie/...). I do not want an app because the phones work on lots of different platforms.
Is there any other value or constant that I can use to identify a user without login?
You could log in via PHP parameters,
so the user can save a link like that to his bookmarks:
intranet/login.php?user=vincent&pwhash=8fe4c11451281c094a6578e6ddbf5eed
You should use localStorage - that way your user can just log in once to your website and from then on you can always get/set that value.
It's impossible to get the user's MAC address, so don't bother yourself with some magic to get the MAC address of someone's mobile phone. Well, based on experience, we developed device fingerprinting, or DFP, and gathered as much info as we can from the users, namely external IP, browser info such as preferred language, user-agent, etc., screen resolution, geolocation, etc. Then out of that info we have some algorithms to make scoring schemes or matching schemes, then store the info in our database. Every time a user visits the site we gather the info again, then match it to our records. For example, user1 is then determined if he scores more than 90% matching to our records.
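To make the scoring scheme in the answer above concrete (and the user-agent / screen-size attributes mentioned in the earlier answers), here is an added example of a weighted fingerprint match. It is not the answerer's DFP code: the attribute list, the weights, the /24 IP prefix rule, the 90% threshold and the sample records are all assumptions constructed for illustration.

```javascript
// Weighted device-fingerprint matching (added example with constructed data).
// Each attribute contributes a fixed weight; the score is the percentage of
// total weight that the current visit reproduces from the stored profile.
const WEIGHTS = { userAgent: 30, language: 15, screen: 20, timezone: 15, ipPrefix: 20 };

// Reduce an IPv4 address to its /24 prefix so a DHCP change inside the same
// network does not break the match (assumption: mobile IPs drift within a block).
function ipPrefix(ip) {
  return ip.split('.').slice(0, 3).join('.');
}

// Normalise a raw visit record into the attributes we compare.
function toProfile(visit) {
  return {
    userAgent: visit.userAgent,
    language: visit.language,
    screen: visit.screen,
    timezone: visit.timezone,
    ipPrefix: ipPrefix(visit.ip),
  };
}

// Score 0..100: how much of the stored profile the current visit matches.
function fingerprintScore(stored, current) {
  const a = toProfile(stored);
  const b = toProfile(current);
  let total = 0;
  let matched = 0;
  for (const [attr, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    if (a[attr] === b[attr]) matched += weight;
  }
  return Math.round((matched / total) * 100);
}

// Return the best-matching known user at or above the threshold, or null.
function findMatchingUser(records, current, threshold = 90) {
  let best = null;
  for (const record of records) {
    const score = fingerprintScore(record.visit, current);
    if (score >= threshold && (best === null || score > best.score)) {
      best = { user: record.user, score };
    }
  }
  return best;
}

// Constructed sample records (not real users, not real traffic).
const KNOWN = [
  { user: 'user1', visit: { userAgent: 'Mozilla/5.0 (Linux; Android 10) Chrome/90',
    language: 'en-US', screen: '1080x2340', timezone: 'Europe/Berlin', ip: '203.0.113.10' } },
  { user: 'user2', visit: { userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_0) Safari/604.1',
    language: 'de-DE', screen: '1170x2532', timezone: 'Europe/Berlin', ip: '198.51.100.5' } },
];

// A return visit from user1's phone on a different address in the same /24.
const RETURN_VISIT = { userAgent: 'Mozilla/5.0 (Linux; Android 10) Chrome/90',
  language: 'en-US', screen: '1080x2340', timezone: 'Europe/Berlin', ip: '203.0.113.77' };

console.log(findMatchingUser(KNOWN, RETURN_VISIT)); // { user: 'user1', score: 100 }
```

Two phones of the same model with the same locale and carrier will produce near-identical profiles, and a browser update changes the user-agent for everyone at once, so a score above the threshold is a signal to correlate with cookies or a login, not proof that two accounts belong to one person.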
Our company makes a web-based application which is priced per workstation.
That means that user/pass credentials should only be used from one particular machine.
Currently what is happening is that several users are sharing credentials and we do not have any way to prevent this if they are not doing it concurrently.
The nature of the application is such that a user needs to use it once in a while, so the inability to work concurrently does not bother the users much and the company loses its possible revenues.
The application currently is purely AJAX without flash/activeX/Java applets.
The ideal solution would be to read the computer name or IP address of the client with javascript using "Shell.Network" scripting interface.
But this is impossible because of the strict security settings in Internet Explorer. I have to mention that cross browser functionality does not matter and the only browser supported is IE.
Searching Google I came across this solution here http://www.reglos.de/myaddress/MyAddress.html but it requires a Java applet so will not be very convenient.
Are there any other solutions for this?
Your licensing model is not consistent with the delivery model. Change one of them.
Set a cookie on the machine with an id. Retrieve the cookie each time the user logs in. If you see several different cookies alternating for a single user you know you've got something odd going on.
(Of course a single switch may just mean they've moved to a new PC as a one-off.)
Alternatively, price per usage, 'query' or some other item.
This kind of abuse can probably be detected moderately effectively using the cookie technique that RichH suggested. At least blatant abuse can be detected quite easily (say 10 licensed users, 100 real users).
But of course, don't lock the user out, just monitor the situation and get your Sales people to call up suggesting that they buy more licences.
We do exactly the same (in terms of licensing and delivery), and I'm sure that you have good business reasons for not changing your model.
Track sessions per user. Do not allow multiple sessions for a single user. To achieve this you will have to save the session ID in the database and check it every time a user logs in.
To help users who at times have a browser crash and log in again with a new session, allow them to sign out their previous session... so you can kill the old session and register the new one instead.
Hope this is useful.
There's no easy answer as your clients (the software) are effectively anonymous and the users are self-identifying.
As for IE "locking you out" (I'm hardly an IE expert), can't the IE settings be set for particular domains? You could simply make it a requirement that the users configure their browsers to give your app superior access.
I don't see any reason why you can't have certain requirements for the users' browser (i.e. only IE 6/7/8, these security settings, etc.).