Loomio
Mon 11 Apr 2022 4:04PM

Reputable external web sites list (for profiles verifying identity)

Tim Huegerich

Pre-approved sites:

Sites that could work but may be rejected if your profile is not sufficiently connected and active to provide reassurance that it reveals your real name and identity:

Other suggestions welcome!


James Fri 6 May 2022 12:47AM

***** Reputable external web sites list (for profiles verifying identity)

May 5, 2022

Unsure if this is the proper thread; happy to have this moved or another thread started.

I invited a friend from France. Her phone number format does not match the US format. This led me to think of different ways to verify identity.

After reading Tim’s reply to my question, I now wonder if verifying telephone numbers is enough. Here are some additional thoughts.

I wonder about additional ways of verifying identity?

Ways of creating security:

--- verifying phone number (Tim is already doing)

--- requiring invitation from a group host, who is a group host

--- two points of contact are required to send an invitation. By “point of contact” I mean an email or phone number.

--- the invitation link and codes are sent from the empathy.chat website

--- the invitation link and codes can’t be seen by the person sending them from the website. Only the person receiving them can see the information, so they can go to the website and enter them for verification.

--- have the group host record a voice/video message. When the invited person goes to the empathy.chat invitation page, she/he/they listens to/watches the short recording, then is asked to enter the number the person said in the recording and asked if this is the person you know.

No system is perfect. Once a hacker has one way of contacting, the hacker can ask for a second way and give a second way of contact. Or, the hacker could put in two email/phone numbers to get the link and code. Then, copy them to another email. Hopefully, the needed step of getting more contact info will deter or help people notice there is a problem.

How much security is needed ? We are not selling anything or exchanging money on the site. What is the balance of safety and allowing people to join ?


A process for verifying identity thru requiring two points of contact.

“EC” stands for EC website

“em/ph” stands for an email or phone number

Overview of process:

Step 1

– member sends invite thru EC website, invitation and confirmation codes sent

– person being invited receives information, goes to website and enters confirmation codes plus em/ph she/he/they received the information from

Step 2

– person being invited sends their own confirmation codes to group host thru empathy.chat site

– group host goes to EC website and enters the confirmation codes and the em/ph that she/he/they received the information from

----------- Step 1

The group host goes to the invite page. The first em/ph is used to send the link. The second em/ph is used to send the confirmation code. The confirmation code is auto generated, with only a few characters and is not visible to the group host. The code is inside the sent em/ph’s.

Another option is group host records voice or video. The video has the person saying a 4 digit code and inviting the person to join the group.

The person receiving the invitation link, uses the link to go to the membership invitation page.

The person types or copy/paste this information into page

– the confirmation code in the em/ph

– the em/ph that she/he/they received the confirmation code from

– the em/ph that she/he/they received the invitation link from

Person hits enter, the website checks that the inputted code and inputted em/ph’s match empathy.chat records. Also, that inputted em/ph for code 1 matches the em/ph that sent it, same for the link.

If information matches, we could add a brief voice/video recording of the person inviting the person to join. Then, ask the person, “is this the person you know ?”

If information does not match, including code in audio/video message, then the person receives a message saying “information not matching records, please re-enter”. The Person can edit information and hit submit again.

If information matches, including code in audio/video message, then the person is asked questions 1 and 2.

Question 1 “Were you surprised by the invitation because you were not expecting it ?”

Question 2, “Did you receive the confirmation code and link thru the same email/phone numbers ?” options to click are yes or no or unsure

If person answered no to both questions, then person is sent to step 2

If person answered yes or unsure to one or both questions, sent to warning page

Warning page :

Based on your answering (state answer) to question 1 and (state answer) to question 2, there is concern that the person’s account, who sent you the invite, has been hacked or taken control of by someone else.

Please contact the person, NOT using the email or phone number, that you received the invitation link and confirmation code thru. If the account is hacked, those em/ph are being used by the hacker.

These are indications that the group host is NOT following empathy.chat procedures for inviting new members.

--- you were surprised to receive the invite, because we expect the group host to get to know a person before inviting them

--- confirmation code and link were sent on the same email or phone number, because empathy.chat process requires confirmation code and link to be on separate email/phone numbers

--- the email that provided the link and/or confirmation code is not from empathy.chat, because empathy.chat requires the email comes from empathy.chat

--- the phone number that provided the link and/or confirmation code is not from empathy.chat, because empathy.chat requires the link and/or confirmation code come from an empathy.chat phone number

Options:

[click here] I am stopping the invitation process to check out what is going on and to confirm who sent the invitation. If clicked, message appears on screen, “Thank you for supporting the security of the website”

[click here] I have used an em/ph that was not used in the invitation process or in some other way have confirmed that the invitation is valid. The account is under the control of the correct person. Person is sent to step 2

--------------------- STEP 2

The person, who received the invitation, is asked to provide an em/ph for sending a confirmation code. Then, the person is asked for a second em/ph to send a second code. Then, the codes are sent by empathy.chat. The confirmation code is auto generated, only a few characters and not visible to the person who received the invitation.

The confirmation codes are inside the sent em/ph. There is no link included, since the person receiving these codes is already a group member.

The group host receives the information and logs onto her/his/their empathy.chat account, then enters the information.

The information entered is:

First confirmation code

em/ph that person received first confirmation code from

second confirmation code

em/ph that person received second confirmation code from

Person hits enter, the website checks that the inputted code and inputted em/ph’s match empathy.chat records. Also, that inputted em/ph for 1st code matches the em/ph that sent it, same for 2nd code.

If the information provided does not match empathy.chat records, then give the message “information does not match empathy.chat records, please re-enter it.”

If the information provided matches records, we have a new member.

The assumption is the person, who is invited, has two ways to contact the group host.
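A sketch of the Step 1 check described in the post above, added here as an example; it is not part of the thread and not empathy.chat's code. All function and field names are hypothetical, and the salted hash and the cap on re-entry attempts are assumptions added because the code is only a few characters long.

```python
import hashlib
import hmac
import secrets

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no look-alike characters


def norm(contact):
    """Normalise an email or phone number ("em/ph") to bytes for comparison."""
    return contact.strip().lower().encode()


def create_invite(link_contact, code_contact):
    """Return (record, code). The record stores only a salted hash of the code;
    the plaintext goes into the outgoing message and is never shown to the host."""
    if norm(link_contact) == norm(code_contact):
        raise ValueError("link and code must use separate em/ph")
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
    salt = secrets.token_bytes(16)
    record = {
        "link_contact": norm(link_contact),  # em/ph recorded for the link
        "code_contact": norm(code_contact),  # em/ph recorded for the code
        "salt": salt,
        "code_hash": hashlib.sha256(salt + code.encode()).digest(),
        "attempts_left": 5,  # assumption: limit guesses at a short code
    }
    return record, code


def check_step1(record, code, code_contact, link_contact, surprised, same_channel):
    """Return 'locked', 're-enter', 'warning' or 'step2'."""
    if record["attempts_left"] <= 0:
        return "locked"
    digest = hashlib.sha256(record["salt"] + code.strip().upper().encode()).digest()
    # Constant-time comparisons; all three inputs must match the stored record.
    ok = hmac.compare_digest(digest, record["code_hash"])
    ok &= hmac.compare_digest(norm(code_contact), record["code_contact"])
    ok &= hmac.compare_digest(norm(link_contact), record["link_contact"])
    if not ok:
        record["attempts_left"] -= 1
        return "re-enter"
    # Questions 1 and 2: only "no" to both continues; yes/unsure shows the warning page.
    if surprised == "no" and same_channel == "no":
        return "step2"
    return "warning"
```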


Tim Huegerich Wed 7 Sep 2022 9:39PM

I'm reluctant to add additional security measures at this point because I think the ones already in place are pretty demanding. But I am planning to adapt these ideas to create a new, more secure way for group hosts to invite members to their group (via a list of email addresses).

This response doesn't feel adequate to convey my appreciation for the thought you have put into this comment. Please at least know that it deeply met my need for shared reality to see you thinking through the specific steps, the algorithm, needed in the detail required to code it into the website. That's something I find difficult and tiring to do, and it often feels like unseen, unappreciated work--not apparent when you go to a website and it just works.