"Approving" the user's machine like Online Banking websites do

Hi!

I need to find a solution to prevent users from sharing their login info, since my new project is based on paid membership. To that effect I need to identify a user's browser or machine to make sure they are the original registrant.

Commerce Bank, Bank of America, etc. all use some kind of "fingerprinting" to mark my browser as "approved" to use their website. If I try to log in from another machine or a browser, they ask me to prove to them that I have the right to log in to their website as the user I claim to be.

How do they do this? I think their solution could work for me. How would I go about implementing it on a C5 site? Any ideas?

Thanks in advance!

thebogdan
 
JohntheFish replied:
They will typically be setting an encrypted cookie on the browser that is checked when a user logs in. If the cookie is there and matches a reference copy, they get straight in.

If not, they give the user a hard time answering questions to prove who they are.

This all has to be weighed against convenience for users. While we usually appreciate the security of getting the third degree from our banks, for other sites such extreme security is less tolerated and may even be castigated as an invasion of privacy.
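
The cookie check described in the reply above, as an added PHP example (not code from the thread or from concrete5): it uses a random token whose SHA-256 hash is the server-side reference copy, rather than an encrypted value. The class, function, cookie and user names, the 90-day lifetime and the in-memory store are assumptions.

```php
<?php
// Added example; class, cookie and user names are hypothetical, not concrete5 APIs.
final class DeviceApprovals
{
    /** @var array<string, string[]> user id => SHA-256 hashes of approved tokens
     *  (constructed in-memory stand-in for a database table) */
    private array $hashesByUser = [];

    // Call only after the user has passed the extra identity questions.
    // Returns the raw token for the cookie; the server keeps just its hash.
    public function approve(string $userId): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->hashesByUser[$userId][] = hash('sha256', $token);
        return $token;
    }

    // True when the cookie value matches a reference copy stored for this user.
    public function isApproved(string $userId, ?string $cookieToken): bool
    {
        if ($cookieToken === null || $cookieToken === '') {
            return false;
        }
        $candidate = hash('sha256', $cookieToken);
        foreach ($this->hashesByUser[$userId] ?? [] as $stored) {
            if (hash_equals($stored, $candidate)) { // constant-time comparison
                return true;
            }
        }
        return false;
    }
}

// Cookie attributes for the approval token (PHP 7.3+ options array), used as:
// setcookie('device_approval', $token, deviceCookieOptions());
function deviceCookieOptions(): array
{
    // 90-day lifetime is an assumed value; HTTPS-only and hidden from scripts.
    return ['expires' => time() + 90 * 86400, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed walk-through of the login decision.
$approvals = new DeviceApprovals();
$token = $approvals->approve('alice');              // first browser, after verification
var_dump($approvals->isApproved('alice', $token));  // returning browser with its cookie
var_dump($approvals->isApproved('alice', null));    // browser that has no cookie yet
var_dump($approvals->isApproved('bob', $token));    // same token presented for another account
```

Because only the hash is stored, a leaked approvals table does not yield usable cookie values, and deleting a user's stored hashes forces every browser back through the identity questions.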
thebogdan replied:
Granted, there is NO convenience to users. However, if membership fees are what pays for the development of the project, what other options can I consider? (BTW, this is not rhetorical, I'm actually looking for ways to protect the investment.)

Any ideas are welcome!
jvansanten replied:
Banks use that method because it is critical to maintain the security of accounts. FB also uses this to reduce the possibility of someone hijacking an account.

I don't know of any other sites that have such protection, though I'm sure there are.

Most membership sites simply expect a certain level of "noise" -- users using registered users' credentials. And, in a lot of cases, it gives people the ability to "test-drive" the site, and allows them to create a membership.

The more you can customize the features of a site to specific users, the less likely people will want to share their credentials, and the less likely outside users will find it of value.

Just some thoughts. An awful lot of membership sites function quite well without that kind of protection.