[whatwg] API for unique identification of devices (mobile/tablet/pc)
Lee Kowalkowski
lee.kowalkowski at googlemail.com
Fri Dec 14 04:03:41 PST 2012
On 14 December 2012 08:51, Stan <stasson at orc.ru> wrote:
> First, I don't think it's convenient for users to register themselves
> on many sites, which they visit occasionally.
>
A device ID won't register a user. Where will the profile information come
from? If it comes from a web-based service (like Gravatar), then a device
ID is not required to address the inconvenience, because users will use
multiple devices over time.
I don't think making users register each device would be convenient, either.
> Second, user accounts are based on e-mails as a rule, which is not unique
> at all,
>
If an email address cannot uniquely identify a user's account, that's a
problem with the web application.
> every user can have multiple e-mails and multiple registrations.
A human can have multiple devices.
> Many web-services
> struggle against users' reputation spoofing made via such fake accounts.
>
The information sent to a web service can be spoofed/rewritten on the fly.
Are web services struggling against humans manually creating fake accounts
or against automated systems creating fake accounts?
A human can own several devices, a determined human can control thousands
more.
A device ID isn't going to be a foolproof countermeasure. An automated
account spoofing system isn't going to have any trouble automatically
generating random device IDs to send to your web service.
> Third, I think it's up to a certain web-service design and requirements,
> if it needs to identify user accounts or user devices. For example, usage of
> the same profile on multiple devices can be a violation of a web-service
> license agreement
Can you tell me of such a service? I would be so extremely disappointed if
a web service locked me into the first device I used to access it. I
would not continue to use it, there would be absolutely no point in
committing myself to use it, too risky.
Only allowing a user to use 1 device at a time is more likely, but that is
trivial already, you don't need a device ID to enable that. The web
application just needs to store session IDs against users in a 1-to-1
ratio, so if a user logs in on a different device, the other device loses
its session, so only 1 device can be used at any moment.
> or a web-service may bind several devices to the same
> profile.
So that would permit concurrent access, device ID would not be useful there.
> Multiple browser profiles on the same device do not matter, because
> the same device ID will be returned.
That's a bold assumption. Perhaps "Multiple browser profiles on the same
device do not matter, IF the same device ID is returned". It wouldn't be
inconceivable for one profile to have a browser plug-in installed to
manipulate the device ID.
> Moving from one device to another,
> or virtual devices - is just the same thing as having multiple devices
> considered above.
>
Is it? How? They would return different device IDs, so how is it just the
same thing?
> The main point, if device ID could be available it would provide more great
> possibilities for users and web-services.
>
Such as? It sounds like a device ID cannot possibly be guaranteed to be
unique, at all, therefore serves no benefit. A web application needs to
maintain its own user session state, there are no short cuts, improvements
or simplifications such as trusting a client-provided arbitrary value, even
systems based on personal digital certificates have to be verified
server-side (e.g. was the certificate issued by a trusted authority?).
--
Lee
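
The one-session-per-user scheme described in the message above, as an added example that is not part of the original post: the server keeps a single live session ID per user, so a new login displaces the old device without any device ID being involved. The class name, the in-memory dict and the `claimed_device_id` parameter are assumptions made for illustration.

```python
import hmac
import secrets


class SingleSessionStore:
    """Holds at most one live session ID per user, entirely server-side."""

    def __init__(self):
        self._active = {}  # user -> current session ID (1-to-1)

    def login(self, user, claimed_device_id=None):
        # Call only after the user's credentials have been verified.
        # claimed_device_id is client-supplied and therefore untrusted:
        # it is deliberately ignored for every authorization decision.
        sid = secrets.token_urlsafe(32)  # unguessable, generated by the server
        self._active[user] = sid         # overwrites any earlier session
        return sid

    def is_valid(self, user, sid):
        current = self._active.get(user)
        if current is None:
            return False
        # Constant-time comparison of the presented ID with the stored one.
        return hmac.compare_digest(current.encode(), sid.encode())

    def logout(self, user, sid):
        # Only the holder of the current session may end it.
        if self.is_valid(user, sid):
            del self._active[user]
            return True
        return False


if __name__ == "__main__":
    store = SingleSessionStore()
    # Constructed sample: the same user logs in from two devices in turn.
    phone = store.login("alice", claimed_device_id="phone-1")
    laptop = store.login("alice", claimed_device_id="phone-1")  # same claimed ID
    print("phone session still valid: ", store.is_valid("alice", phone))
    print("laptop session valid:      ", store.is_valid("alice", laptop))
```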