Project of The Sunlight Foundation    
The Open House Project from The Sunlight Foundation
Technical Challenges of Communication: Authentication The newest advocacy org.: the Oversight committee

Communication: Authentication Part II

October 10th, 2007 by Joshua Tauberer · 3 Comments

The problem of authentication is basically this: how can we off-load the problem onto someone else that’s already doing authentication? I suggested last post charging credit cards using some credit card charging service that happens to verify billing addresses too (and, as Oxa pointed out in the comments, it’s fairly disenfranchising, although to be honest I don’t mind—Internet communication is already disenfranchising). Two more methods to consider are off-loading the verification to the postal service, or to the individuals.

Sending postcards to verify addresses– The recipient has to type in a random code in the postcard to verify that he got the postcard, i.e. that he’s at that address. (Oxa mentioned this, and I’ve seen it elsewhere.) I didn’t mention it because I assumed this would be too costly. Actually, that may not be so true. I’m just ballparking, but if the overhead of a credit card purchase is around 10 cents, and it costs 41 cents to mail a postcard, that’s not soooo different. But mailing a postcard has some additional overhead (printing the postcard (automagically), and manually schelpping postcards from a printer tray to an outgoing USPS mailbox). I also found a service that will verify phone number-address pairs, which is actually pretty close to what is needed — at around 40 cents per verification.

However, even these methods don’t get you all the way, because in fact we need more than address verification. We need verification or at least assurance that the person hasn’t verified before. You could limit the number of verifications per address, but there are some technical problems with that. The credit card method has the advantage that an individual can only verify as many times as the number of credit cards that he has, and that’s usually pretty limited.

There’s another route to consider, but this is a route tried before with no success as far as I’m aware. You can off-load the authentication problem to the users by creating a web of trust. User A does the work of authenticating users B, C, and D, User B authenticates E, F, and G, etc.. And then one just has to worry about how much you trust a small number of root users, rather than the whole community. But I don’t know if this has ever been a practical solution to anything.

Tags: OpenHouse · communication

3 responses so far ↓

  • Oxa Koba // Oct 10, 2007 at 3:56 pm

    The “web of trust” concept is interesting (reminds me of Jyte.com) but I have never scene it applied to any practical end. Rather it tends to appear when minimal trust in loose social communities is needed. To sort out humans from spam bots for example.

    Part of this conversation to me is the over manner in which government interacts with citizens. In the physical world, drivers licenses, passports, birth certificates and social security numbers are relied on to “prove” identity for access to government information and services.

    While they often represent a burden for citizens and can be frustrating at times when an agency requires several separate forms of identity to cross reference, the system seems to work reasonably well.

    Is there a way to leverage one of these existing id documents? Would the creation and management of an OpenID type service anchored to one of these existing systems be too burdensome for the respective agency.

    For example, a large number of institutions, both government and private, use the SS# as a means to certify identity. Does the SS Administration already provide an electronic system for authenticating these SS# based requests? Or is this pretty much the credit card oriented system you where describing?

    The reason I offer the SS#, DL# or some such state issued document is because voting age citizens already have these items in order to function whereas a credit card, though possibly simpler to leverage as an existing authentication system, is not government issued and relies on private organizations.

  • Rob Pierson // Oct 11, 2007 at 4:19 pm

    Another interesting authentication system is the one used by google to be able to change info on your business in their database. With their system they call your place of business using VOIP to verify. Very cheap, but not everyone has a phone and the phonebooks can be out of date. Still, though, it’s an interesting solution.

  • John Wonderlich // Oct 29, 2007 at 11:50 pm

    I’m not sure if there’s another place I should add this, but I just came across a british site that is using this sort of authentication, via snail mail. see the following: http://www.digitalgov.com/works.html

Leave a Comment