> -----Original Message-----
> From: Connie DeCinko [mailto:[EMAIL PROTECTED]
> Sent: Saturday, April 23, 2005 2:08 PM
> To: CF-Talk
> Subject: RE: login issues
>
> How about checking for concurrent logins? Seems to me that more often than
> not, if people are sharing passwords at some point they will be logged on at
> the same time. Then disable that account for abuse.

Connie's right - this is really the only way to be "sure". You might then ban their account until they change their password or call a service center.

Another bunch of ideas:

+) The only "real" way to do this (and it's not applicable to most sites) is to use two-factor authentication. A smart card or electronic token issued to only the account holder works wonders - but is pricey to implement.

+) You might implement a random password change policy. This has less effect on security than many people think (since people tend to just add an incrementing number to the password) but might annoy sharers to some extent.

+) Implement a random identity check. When the user registers ask them for answers to half a dozen basic questions (mother's maiden name, first pet's name, favorite singer, etc). Then, perhaps every third or fourth login, also demand the correct answer to one of these questions.

+) You might ask for more specific information that you already have - as a random security check ask people for the last four digits of the credit card they used to get in, their SSN or their student ID.

+) You might make the service more personalized in some way that also makes it hard for two people to share things. For example while they might work on their tests online perhaps the results are only emailed to them. There's a fine line between annoying to "good" users here, but there may be steps in that vein to take.

(I once worked on a child-development page. Parents would fill out development profiles for their kids and get activities and advice aimed at them. Although you could have multiple child-profiles the site assumed the kids were siblings and presented information in that way. Although you might share the account with somebody else it would detract greatly from your experience.)

All of these ideas might be implemented only if your IP/session logger determines that there might be a problem with sharing.
Sure you'll catch some "good" people, but they should be able to easily pass any of the tests.

None of these ideas will prevent sharing - all they'll do is make it annoying to do.

Lastly you might offer some incentive to either share "better" or not at all. If you don't already give discounts to those that refer new customers (perhaps to the extent that somebody that refers, say, five people gets free access). You might also allow people to add more people to their account at a discount or for free with the caveat that people from the same (discounted) account can't be logged in at the same time (this would allow people to share costs and save money but shouldn't increase your load).

Jim Davis
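
Added example, not part of the original thread: a Python sketch of the concurrent-login check suggested in the quoted message, doubling as the "IP/session logger" gate the reply uses to decide which accounts get the extra identity checks. The log format, the function names and the rule that only overlapping sessions from different IPs count are assumptions of this sketch; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session log: user, session id, client IP, start, end.
SAMPLE_LOG = """\
alice s1 203.0.113.10 2005-04-23T09:00 2005-04-23T10:00
alice s2 198.51.100.7 2005-04-23T09:30 2005-04-23T09:45
bob s3 203.0.113.20 2005-04-23T09:00 2005-04-23T09:30
bob s4 203.0.113.20 2005-04-23T09:10 2005-04-23T09:20
carol s5 192.0.2.5 2005-04-23T08:00 2005-04-23T09:00
carol s6 198.51.100.9 2005-04-23T09:00 2005-04-23T10:00
"""

def parse_log(text):
    """Group (start, end, ip, session_id) tuples by user."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, sid, ip, start, end = line.split()
        sessions[user].append((datetime.fromisoformat(start),
                               datetime.fromisoformat(end), ip, sid))
    return sessions

def concurrent_logins(sessions):
    """Return {user: [(sid_a, sid_b), ...]} for sessions that overlap in
    time and come from different IPs (assumed sharing heuristic)."""
    flagged = {}
    for user, rows in sessions.items():
        rows.sort()                      # order by start time
        pairs = []
        for i, (s1, e1, ip1, sid1) in enumerate(rows):
            for s2, e2, ip2, sid2 in rows[i + 1:]:
                if s2 >= e1:             # sorted: no later row can overlap
                    break
                if ip1 != ip2:           # same IP: likely a second tab or re-login
                    pairs.append((sid1, sid2))
        if pairs:
            flagged[user] = pairs
    return flagged

def needs_identity_check(user, flagged):
    """Step-up policy: challenge only accounts the session logger flagged."""
    return user in flagged
```

Users behind a shared NAT or switching networks mid-session can still trip or evade the IP rule, which is why the flag here triggers a challenge rather than an automatic ban.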

