Hacker News new | ask | show | jobs
by laumars 2993 days ago
I can think of a few ways it makes it harder for the good actors just from an initial scan of the site:

* It's an additional service that people need to discover / learn and sign up for

* It's not free. While the cost might seem cheap for people like ourselves in well paid jobs, not everyone has a disposable income. Anyone in poorly paid jobs / unemployed, expensive bills or family etc wouldn't want to or even might not be able to afford such a service

* It requires people pay with a bank card, which excludes anyone who doesn't have a bank account / credit card (only a small group of people but they do exist). It also excludes anyone who doesn't feel comfortable with entering payment details online (I personally only use PayPal these days on all bar a very small handful of sites)

* I also don't trust handing "identity token" over to that site any more than I trust Facebook. What happens if/when they get hacked? Will they then have my bank card details? Will the be able to use my identity token to access other sites? These points matter to me because I know nothing about the company and they are gearing themselves up for being an obvious target for attackers.

So in summary there is no such thing as a perfect solution. By making it harder for bad actors you're going to make it harder for at least some good actors as well. That is an inescapable truth.
1 comments
realpeopleio 2993 days ago
> I also don't trust handing "identity token" over to that site any more than I trust Facebook. What happens if/when they get hacked? Will they then have my bank card details? Will the be able to use my identity token to access other sites? These points matter to me because I know nothing about the company and they are gearing themselves up for being an obvious target for attackers.

A RealPerson code is not an access token. It's a unique code generated for a particular website. It's more like a coupon code and RealPerson.io will tell a website if it's valid. The website still handles creating the account and authentication etc., like it has before and does it however it wants, using whatever authentication it wants. But now the website can make a backend call and ask RealPerson.io if the code given is valid, meaning someone (who knows who) generated a code for this site. That's it. Then the website can validate that no other user has used that code when signing up on their website. The website doesn't know what account on RealPerson.io has the code. The website doesn't know what other websites the user uses (the codes are unique to each website). So RealPerson.io just knows codes and websites, and websites just know if the codes are valid. Nothing else is shared.

Stripe processes the payment and credit card details are not stored in RealPerson.io. There are no identity tokens to steal. You have codes but you generate those on demand when you are signing up on websites. Once they are used, then there's nothing more you can do with them.

RealPerson.io doesn't have any personal details on you besides the payment token from Stripe. No bank details. No usernames or passwords for other sites. No usage on other sites.

link