Educause Security Discussion mailing list archives

Re: Authentication of remote users


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 4 Jan 2008 17:18:46 -0500

On Fri, 04 Jan 2008 14:54:05 EST, Joel Rosenblatt said:

> Joking aside, this is a really hard problem to solve and I don't think that
> I've seen a really good answer for this yet.

One needs to keep in mind that perhaps "really good" isn't required here, just
"good enough".  For instance, if the user is "remote" and can't come in person,
it may very well be "good enough" to get a fax of the ID - although that may
indeed not prove it's the person, it proves the person has possession of the
ID.  And if the real user dropped his wallet somewhere in Rome, what are the
chances that the person who picked it up will have any interest in hacking
into your site?  Remember - we're not talking about a Visa card that has some
rather general usages.

Yes, it's *possible* that the pickpocket in Warsaw is an alumnus who is still
upset about that failing grade he got 20 years ago and recognizes that
obtaining an active account is the first step towards hacking in and fixing the
grade he got, but at some point you really have to say "What are the
*realistic* chances?"...
