What is User Verification, why I need it?
This is a typical client server model that your server is using. This model is a distributed communication framework of network processes among service requestors, clients and service providers. In this model, your server handles all user requests, including user verification, form processing, account management, and application services. Of these, user verification and form processing are the trickiest. Why?
First, let's talk about user verification. User authentication is a prerequisite for processing user requests. It includes, Human-verification, and Me-verification. Human-verification process guarantees the request is human operation, not computer operation. Me-verification process guarantees the request is my own operation and not someone else's.
- Why do we need Human-verification, and what if not?
Simply put, you will be vulnerable to spam attacks. If there is no Human-verification. The form data you receive may be computer-generated, not written by someone manually. If your server receives a large amount of spamming data in a short time, your form processing will crash. Then, your database crashes. And in the end, your server goes down.
How do I do Human-verification? In fact, there are few options. All that's left is Google reCAPTCHA. If you are a webmaster, you may already be familiar with reCAPTCHA, but you may not know some countries don’t support the service such as China, you have turned away at least 20% of the world’s readers if you use it. If you are a client, you must have a deep understanding of it. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart.) is based on Turing-test. It's energy-consuming, time-consuming, and annoying.
Is your server ready for Human-verification?
- Why do we need Me-verification, and what if not?
Protect servers from spam attacks and avoid attacking others for being cheated.
Your server should have the ability to protect user data from illegally obtained or tampered with. Therefore, when transferring and modifying user data, it must be confirmed that its operation is indeed himself/herself. If there is no Me-verification. Your server may incorrectly transfer and modify user data. For example, during the registration process, send a message to an unverified mailbox.
How do I do Me-verification? In fact, there's no way, except to choose our method. Why? Let’s take a look at some of the current so-called Me-verification methods. The common approach is to send a security code to the user's registered mailbox. That's how Hotmail, is. Furthermore, it is to send a text message containing a security code to the user's registered mobile phone. Google, PayPal uses this method. In fact, neither method is safe Me-verification. For example, when they do user sign up process, they either send a registration confirmation email to an uncertified mailbox or send a confirmation message to an uncertified phone. Sending mail or text messages to uncertified mailboxes or mobile phones is not secure and sometimes illegal. If the user inadvertently or intentionally fills in the wrong email address or phone number, the consequences can be severe. More seriously, if your server is without the Human-verification feature, then your server will spam thousands of mailboxes or mobile phones. The consequences are terrible.
Is your server ready for Me-verification?
How it works?
EC verifies customer (client) via receiving email from customer. Once email is verified by EC, EC will notify merchant (your server) via sending ICN message to ICN listener URL. Merchants create an ICN listener page on their website and then specify the URL of the listener page in their EC account profile. EC then sends notifications of verification results to that URL. The ICN listener detects and processes ICN messages using the merchant backend processes. The ICN listener page contains a custom script or program that waits for the messages, validates them with EC, and then passes them to various backend applications for processing.
So, merchant can maintenance account management processes including register, login, reset password, change email, add second email etc. without sending any email. Customers can completely lose their passwords because the authorization process based on email without the need for a password.
Please keep in mind that it is unwise to send mailbox confirmation message to an unknown mailbox at the time of registration. If you encounter a malicious trap, it will be dangerous.
Using ICN in your control flow
Although EC usually processes ICN messages immediately, ICN is not synchronized with actions on your website. Internet connectivity is not always 100% reliable and ICN messages can be lost or delayed.
Because ICN is not a real-time service, your control flow should not wait for the ICN message before it is allowed to complete. If the control flow is dependent on receiving an ICN message, processing can be delayed by system load or other reasons. You should configure your control flow to handle a possible delay.
ICN (Instant Control Notification) based on email
Instant Control Notification (ICN) notifies websites almost instantly about user control events, such as:
- Login to EC.
- Submit form.
- Control events.
Websites can use their backend processes to act based on the information they receive. For example, they can:
- Trigger register fulfillment.
- Trigger login process.
- Trigger changing main email process.
- Trigger adding another email process.
- Update their customer list.
- Controlling terminal devices.
- Update devices status.
Integrating EC to your server is simple and fast. We provide sample code that makes it easy to upgrade. At the same time, our technical team can provide strong assistance.