|
|
|
|
|
|
by tzs
360 days ago
|
|
|
Add 3. Not allow someone who gets both (1) a log of authentication provider transactions, including timestamps, who was being verified, and whatever output the provider generated, and (2) a log of the website's age checks including timestamps, website accounts, and whatever proof was provided to match them up to associate real IDs from the authentication provider with website account IDs. To make this work I think any such system will need to be so widely used that there are hundreds or thousands of verifications happening every second at each authentication provider and typical users get verified many times a day, and there should probably be some random delays introduced by the user's computer. Otherwise it could be too easy to unmask people by looking at verification timing. If you are trying to unmask a user who verified through provider P and P only did a verification for one person that day it is very likely that is the person you are trying to unmask. |
|
|