Account suspension on SMS

@Sherry384

Posted in: #Security #Session

Hi, hello all. I have an idea to implement, but I hate to copy if it has been used by any other website(s). My idea is about suspending an account using a text SMS. The description follows.

When a user signs into his account, he gets a text SMS saying "Hello Mr. X, you have been logged into your account from IP xx.xx.xx.xx. If you are not the real user logged in, reply to this with BLOCK<space>15<space>random code."

So, here the user can suspend his account by sending a return SMS of BLOCK 15 to block his account for 15 mins. This text SMS can terminate the user session and does not allow him to log in for the next 15 mins, even with the correct username and password. Likewise, he can suspend his account for any value of time and can release it by sending UNBLOCK random code. Is this kind of feature used by any website? Please let me know if it is used. Otherwise, I want to be the first person to implement it.

10.02% popularity



2 Comments


@XinRu657

There are some attractive aspects to your implementation; however, it fails to meet the most basic security requirement: by default, do not allow unauthorized users access.

A "do you want to ban whoever logged in?" query assumes that, by default, the user is not banned. An ignored SMS means that the unauthorized user had access to the account.

The better default: send an SMS whenever a login is attempted from an unrecognized host and require that the authorized user enter a code from the SMS to complete the login process (this process has the added benefit of preventing an unauthorized user from accessing the account while notifying the authorized user that someone is trying to log in).

Gmail, for one, implements SMS in this manner.

10% popularity
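To make the difference between the question's scheme and XinRu657's alternative concrete, here is an added Python sketch that is not code from this thread or from any site it mentions. It models both designs on one account store: a fail-open login that issues the session immediately and sends an alert whose reply (BLOCK <minutes> <code> / UNBLOCK <code>) terminates sessions and refuses logins for the window, and a fail-closed login that withholds the session until the code from the SMS is entered. The SMS gateway (`SMS_OUTBOX`), account records, IP addresses and phone numbers are placeholders constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Stand-in for an SMS gateway (hypothetical): each entry is (phone, text).
SMS_OUTBOX = []


@dataclass
class Account:
    name: str
    phone: str          # constructed placeholder numbers in the demo below
    password: str
    known_ips: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    suspended_until: float = 0.0   # Unix time until which logins are refused
    pending_code: str = ""         # random code from the last alert/challenge SMS
    pending_ip: str = ""           # fail-closed mode: IP awaiting its code


def _send_sms(acct, text):
    SMS_OUTBOX.append((acct.phone, text))


def _code_matches(supplied, expected):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())


def login(acct, password, ip, now, fail_closed):
    """Return a session token, or None when no session is issued."""
    if password != acct.password or now < acct.suspended_until:
        return None
    if ip in acct.known_ips:
        tok = secrets.token_hex(8)
        acct.sessions.add(tok)
        return tok
    acct.pending_code = secrets.token_hex(4)
    if fail_closed:
        # Fail-closed (the answer's design): no session exists until the code comes back.
        acct.pending_ip = ip
        _send_sms(acct, f"Login attempt from {ip}. Enter code {acct.pending_code} to continue.")
        return None
    # Fail-open (the question's scheme): session issued now, SMS offers a way to block.
    tok = secrets.token_hex(8)
    acct.sessions.add(tok)
    _send_sms(acct, f"Logged in from {ip}. If this was not you, reply "
                    f"BLOCK <minutes> {acct.pending_code}")
    return tok


def confirm_code(acct, code, now):
    """Fail-closed mode: finish the pending login with the SMS code."""
    if not acct.pending_ip or not _code_matches(code.strip().lower(), acct.pending_code):
        return None
    acct.known_ips.add(acct.pending_ip)
    acct.pending_ip = acct.pending_code = ""
    tok = secrets.token_hex(8)
    acct.sessions.add(tok)
    return tok


def handle_reply(acct, text, now):
    """Parse 'BLOCK <minutes> <code>' or 'UNBLOCK <code>'; return True if acted on."""
    parts = text.split()
    cmd = parts[0].upper() if parts else ""
    if cmd == "BLOCK" and len(parts) == 3 and parts[1].isdigit() and int(parts[1]) > 0:
        minutes = int(parts[1])
    elif cmd == "UNBLOCK" and len(parts) == 2:
        minutes = 0
    else:
        return False
    if not _code_matches(parts[-1].lower(), acct.pending_code):
        return False
    if minutes:
        acct.sessions.clear()                      # terminate every live session
        acct.suspended_until = now + minutes * 60  # refuse logins for the window
    else:
        acct.suspended_until = 0.0
        acct.pending_code = ""                     # code is spent once unblocked
    return True


def is_valid_session(acct, tok, now):
    return tok in acct.sessions and now >= acct.suspended_until


def main():
    alice = Account("alice", "+15550100", "pw")
    tok = login(alice, "pw", "203.0.113.5", 1000.0, fail_closed=False)
    print("fail-open: session live before any reply:", is_valid_session(alice, tok, 1000.0))
    handle_reply(alice, f"BLOCK 15 {alice.pending_code}", 1001.0)
    print("fail-open: session live after BLOCK:", is_valid_session(alice, tok, 1001.0))
    bob = Account("bob", "+15550101", "pw")
    print("fail-closed: session from bare login:", login(bob, "pw", "198.51.100.7", 2000.0, True))


if __name__ == "__main__":
    main()
```

The two modes share the account store and the random code so the contrast is only in ordering: in fail-open mode `login` returns a usable token before any reply arrives, which is exactly the window the answer objects to; in fail-closed mode `login` returns None and the token only appears from `confirm_code`. The reply parser checks the code in constant time and refuses anything that is not a well-formed BLOCK or UNBLOCK, so a stray or guessed reply cannot lock or unlock the account.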



@Pope3001725

I've never heard of it being used. It sounds like a good optional feature for high-risk websites, such as poker websites, bank websites, stock trading sites, etc., where large amounts of money can be drained relatively quickly.

However, for most applications it's probably overkill and will increase the amount of time you will spend doing support for people who don't quite understand it, etc.

Be careful about guarantees as well: if you offer this service, someone gets hacked, and the SMS doesn't send or is delayed, then you may be liable for any theft/damages.

Good innovative idea though, in my opinion, but too risky/overkill for 99.99% of people. Those 99.99% of people should just invest that time in making sure their systems are really well implemented and secure.

I suggest that you make a technical demo and write about it: how you implemented it and what pitfalls you found. It could make for a really interesting and popular read.

10% popularity

