19

I am working on an online job application web app and the question has come up about how we will verify that someone submitting an application is who they say they are.

For example, we don't want Jon Smith submitting an application for Abe Miessler.

We talked about making people create profiles on our site in order to submit an application, but in reality this would only require that they have an email address.

When I have seen this done in the past, the organization verifying already knows about you. For example, to create an online account with your bank you may need to know your SSN, mailing address and account number. The bank can then compare what you entered against what they have in their records to see if you are who you say you are (in a perfect world).

In my situation I know nothing about who is applying so there is nothing to verify against.

Are there any standard approaches out there for establishing that someone is who they say they are?

Abe Miessler
  • 11
    The mail dude freaked out when I did that last time. – Abe Miessler Aug 24 '12 at 22:56
  • hah okay 1+, that was funny. – rook Aug 25 '12 at 01:11
  • 4
    Why is there a need to verify at application time? Usually, this sort of detailed verification is done later in the interview/hiring process. Also, keep in mind that using some forms of verification this early in the process may run afoul of employment discrimination laws; of course this depends on your location, but it is something else to keep in mind. – Thaeli Aug 27 '12 at 01:50
  • Interesting note: Germany has this new ID card which can also be used to verify your identity over the internet using a special card reader which is being sold cheaply and a software called the AusweisApp (https://www.ausweisapp.bund.de/)... You can't expect it to be there today but in a few years you may be able to expect that lots of people have the card readers for that... Just as an FYI, here the country tries to accommodate for that. – sinni800 Aug 27 '12 at 03:33
  • 2
    +1 to @Ian. Discrimination laws aside, some people have privacy concerns as well. For example, when I fill out paper applications that request it, I always fill my Social Security Number in as "Will give if hired". – Iszi Aug 27 '12 at 19:55

6 Answers

21

Identity is a malleable concept with an irksome tendency to morph whenever you look at it too closely. What I understand from your description is that you want to be able to track back some actions (i.e. "applying for a job") from a random network user back to the actual individual, in such a way that, should the job application be fake in some way, you have enough leverage to appropriately punish the perpetrator. Or, more accurately, you need to convince a priori the users that you will be able to track them down and, at least metaphorically, break their kneecaps.

Whatever the way you take the problem, part of it lies in the "physical world" (outside of the computers) so it is going to be hard and expensive.

The complete theoretical solution is to have some detectives do the tracking, which is feasible for the Long Arm of the Law but usually not for private business entities, because basic "network users" are identified solely by the incoming IP address, and to link that to a physical identity you must have a look at the ISP log files -- which requires a warrant, or indelicate accomplices. This is said not counting issues with connections from foreign countries (once you know that the connection came from China, well... you do what, exactly?).

Thus, due to the impracticability and cost of true detective work, you will have to leech on an existing infrastructure which provides the authentication you need. My first thought is about banks. It goes thus: have job applicants pay you a minute sum (say 0.01$) with their credit card (or through Paypal or any other similar banking system). This has several benefits:

  • The payment operation leaves traces in many places.
  • Since a transaction was implied, it could help to legally qualify fake job applications as "fraud" (ask your lawyers, they will tell you that this is very good, with a gleam in their eye and a bit of frothing).
  • Credit card numbers are routinely stolen but you can get insurance against that.

and, last but not least:

  • People (at large) already know that "you don't mess with the banks". This makes the detection system proactive (you would like to authenticate people, but, even more, you would really prefer that they do not try to lie in the first place).

A conceptual note: as you say, you "know nothing about who is applying". That's the root issue: how can you define a proper identity notion if there is nothing to identify (to be precise, you do know something about the applicants: their IP addresses; but that's not much). Hence the path to the solution: have the applicants commit some information about them. This is what the banking solution explained above is about.

Tom Leek
6

You can piggyback off someone else's identity verification.

For example, to piggyback off banks verification procedures, you can ask the user for a Credit Card number that has their name and billing address, then credit a small randomly chosen amount to that credit card in the local currency, and ask them to tell you how much was credited as proof that they have access to that account.

Mike Samuel
  • only problem I see here is that a spambot repeatedly asks for verification, thus stealing the money (not the same Ian that posted above, btw) – Ian Aug 19 '14 at 19:00
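
The micro-deposit check from this answer, with the repeated-request drain raised in the comment bounded by per-card limits, as an added example that is not part of the original posts. The policy constants, the in-memory store and the `card_token` identifier (a hypothetical processor-issued token, not the card number) are assumptions.

```python
import hmac
import secrets
import time

# Assumed policy values, not taken from the answer.
MIN_CENTS, MAX_CENTS = 1, 99      # size of the random credit
MAX_ATTEMPTS = 3                  # guesses allowed per challenge
MAX_CREDITS_PER_CARD = 2          # lifetime cap, bounds the money a bot can drain
TTL_SECONDS = 7 * 24 * 3600       # challenge lifetime


class MicroDepositVerifier:
    """In-memory sketch; card_token is a hypothetical processor token, never the card number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._cards = {}  # card_token -> credits issued, pending amount, expiry, attempts

    def start(self, card_token):
        """Open a challenge and return the cents to credit through the payment processor."""
        now = self._clock()
        card = self._cards.setdefault(
            card_token, {"credits": 0, "cents": None, "expires": 0, "attempts": 0})
        if card["cents"] is not None and card["expires"] > now:
            raise PermissionError("a challenge is already pending for this card")
        if card["credits"] >= MAX_CREDITS_PER_CARD:
            raise PermissionError("credit limit reached for this card")
        # CSPRNG, so the amount cannot be predicted from earlier credits
        cents = MIN_CENTS + secrets.randbelow(MAX_CENTS - MIN_CENTS + 1)
        card.update(credits=card["credits"] + 1, cents=cents,
                    expires=now + TTL_SECONDS, attempts=0)
        return cents

    def confirm(self, card_token, claimed_cents):
        """Return True only for a correct, timely answer within the attempt budget."""
        card = self._cards.get(card_token)
        if card is None or card["cents"] is None:
            return False
        if card["expires"] <= self._clock() or card["attempts"] >= MAX_ATTEMPTS:
            return False
        card["attempts"] += 1
        ok = hmac.compare_digest(str(card["cents"]), str(claimed_cents))
        if ok:
            card["cents"] = None  # single use: a confirmed challenge cannot be replayed
        return ok
```

With these assumed values, three guesses over 99 possible amounts give a blind guesser about a 3% chance per challenge, and the lifetime cap limits the loss per card to two credits.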
5

Actually an interesting question for that type of site. I was reviewing a similar application where there was the option to submit resumes online - including references. A profile had to be created to register for the site - but as all this required was an email address, the controls around it were very limited. The point was made that malicious person 'A' could submit person B's resume with a reference pointing at their current employer. This would then get person B in trouble with their current employer when they were contacted for a reference. Not sure there is a good answer because it is part of a wider question about online identity in general which I suspect is going to become more and more crucial as time goes on. For example - do I need to register my email address with every conceivable provider and variation on my name in order to protect myself against reputational damage if someone else tries to create an address for me and uses it for dubious purposes? If I am actually John.Smith@hotmail.com - what is going to stop someone else registering John.Smith@gmail.com and masquerading as me? And then how about social networking if someone creates a Facebook profile in my name and starts putting content that is not related to me on it?

Marion McCune
3

You can verify users against their phone number. The telephone is one of the most commonly used authentication devices for identity verification. TeleSign offers a range of phone-based identification and authentication products. Why don’t you browse through their website to get familiar with some of their products? They even have demos on their website that you could check out!

John White
-1

That's hard.

I know about the idea of verifying a user by the way he writes (how fast he writes, where he pauses, etc.). There is a theory that everybody has their own style of writing on a keyboard, just like handwriting. Sure, one could copy this as well, but for that one must know about this "feature" first. (Security by obscurity is bad, I know ... but it's worth a try.)

So maybe you can use the way one writes his username as verification?

But you can never be sure. :(

J M. B
  • I remember, but don't have time to look for references, instances where typing cadence has been tested as a second factor for authentication. The trick is getting that data in the first place. – Scott Pack Aug 29 '12 at 14:33
  • @ScottPack Also known as a privacy vulnerability in server-side completion (e.g. Google suggestions). That's not so good as an authentication factor since it can be eavesdropped on the wire, even over HTTPS (there's a lot of noise, but with enough HTTPS captures of you typing, the attacker should be able to convincingly emulate your typing habits). – Gilles 'SO- stop being evil' Sep 24 '12 at 17:48
-3

Take a photo of the applicant via webcam using ActionScript or Silverlight script and send it to your server with the submitted application.

open source guy
  • 5
    If the user can forge content on a web form, then they can forge a photo. You don't even need technology. Print out a photo and hang it in front of your web camera. – Mike Samuel Aug 26 '12 at 20:32
  • @MikeSamuel Agreed that forging would be a distinct possibility. But a photo hanging in front of a web camera, yeah, I'm sure *that* will look totally real and everything. – Atsby Jul 16 '15 at 17:50