agency-proof user authentication

[ruebezahl]

we need a form of user authentication which is at least mass-subscribing and government-agency-proof.

following design suggestion: every user has to submit a picture with him holding a sign. on the sign written is some text generated individually by the signup-form, and his location

[tsujigiri]

As I find this very creative (no sarcasm intended), personally, I prefer some kind of captcha. I like this one: http://random.irb.hr/signup.php :)

[ruebezahl]

don't agree. a captcha doesn't protect you from sophisticated attacks and has severe downsides in means of usability and ease of use (meaning: it is no barrier, if you have the resources, and no, you don't have to be the NSA for doing this)

[nullisnil]

I like the captcha, but the one liners are pretty easy to solve using a simple OCR.

Personally I would not like to upload an image. There are many generators for this on the net.

What about doing captcha by knowledge e.g. asking for the latitude/logitude, zip code, location name and location admins possibly with a simple captcha like recaptcha. Current weather at the user location, something like this.

To keep away the mass registrations.

[tsujigiri]

Who looks at all the pictures (we do hope it is going to be a lot, right?) and how do you decide whether they are "authentic" or not?

[ruebezahl]

what about this: we require a picture of the measuring-device and some written text the signup-form generates? this is the only valid assumption we can make about users: they own a certain measurement device... if they are legit, they should be able to take a picture of it.

[ruebezahl]

@tsujigiri we do - if we don't, we put all data credibility at risk

[nullisnil]

this is much better IMO. It would be possible to use the location data in EXIF, if existent, to compare it to the location entered. lets say +-100km or something like this.

[ruebezahl]

@nullisnil and it would be possible to automatically check the timestamp in EXIF, too