How can websites verify unique (IRL) identities?

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨danzabia@infosec.pub⁩ to ⁨technology@lemmy.world⁩

I was reading the comments about Iris scanning and Reddit, and came to the conclusion that they want to be able to present to investors and advertisers that it isn’t just LLMs talking to each other. Therefore they want to verify their users’ identity.

I would never give over biometric data like this due to privacy/security/anonymity concerns. However, I was curious if people could describe what the alternative would or could look like? I think Switzerland is working on something like this. Is there a safe and private way to verify that I am in fact a real human on the internet? Thanks for your wisdom.

source

Comments

Sort:hotnew top

hperrin@lemmy.ca ⁨9⁩ ⁨months⁩ ago
Safe, yeah. Private, no. If you want to verify whether a user is a real person, you need very personally identifiable information. That’s not ever going to be private.

The best you could do, in theory, is have a government service that takes that PII and gives the user a signed cryptographic certificate they can use to verify their identity. Most people would either lose their private key or have it stolen, so even that system would have problems.

The closest to reality you could do right now is use Apple’s FaceID, and that’s anything but private. Pretty safe though. It’s super illegal and quite hard to steal someone’s face.

source
IsoKiero@sopuli.xyz ⁨9⁩ ⁨months⁩ ago

Is there a safe and private way to verify that I am in fact a real human on the internet?

In Finland we have this thing called ‘mobile verification’ which I use almost daily. It’s a service where my phone number is verified to my identity in a secure manner (via multifactor bank account on my case but there’s multiple ways to achieve that verification) and it works as an “middleman” where I can just click an icon on a website, feed in my phone number to the identification service, check MFA on my cellphone and then I’m shown a web page where the identity provider shows what information is delivered to an original website. Most of the cases, at least on my usage, it sends out my social security number, so that I can access my invoices, sign legal documents, check my tax forms or whatever I’m doing but the underlying system can provide pretty much whatever data they have stored. There’s no technical reason why it couldn’t be used to verify that I’m an actual human being too.

Say, if that was used in Lemmy (unlikely as the service costs something per each verification), identity provider would just send to my instance that I’m an actual human being but nothing else. The instance could then store that data and show a pretty blue checkmark next to my username without any personal data from me.

source
orclev@lemmy.world ⁨9⁩ ⁨months⁩ ago
Safe and private? Nope absolutely impossible. If you don’t care about privacy at all pretty much the only way to do it is to have your government issue you a unique hardware token and require that to access the internet and it shares your unique ID with the website. It’s not 100% impossible to spoof an identity as you could borrow/steal someone elses token, but if they were secured with a pin/password or basic biometric it would become significantly harder.

source
caoimhinr@lemmy.world ⁨9⁩ ⁨months⁩ ago
ID card with chip + card reader over here. Or alternatively an app you need to activate first using said ID card. Used for everything from filing taxes to requesting official documents from your commune.

source
- Kyrgizion@lemmy.world ⁨9⁩ ⁨months⁩ ago
  This will be mandatory before the end of the decade.
  
  source