User flow for user registration by 3rd party

#1

I am building a product where we register the user on his behalf and would send him his profile link. His profile data is sensitive and would not want it to get accessed by anyone other than him - in case the email and mobile no. entered by us while creating his profile is wrong.

We will be sending him his profile link via email and SMS. I would like him to verify himself and also set a password.

Any suggestions of a flow/examples of other products that register candidates on their behalf and the user needs to verify himself before getting access to the profile.

0 Likes

#2
  1. When the user is sent a link ONLY a temporary user record is created in your system. This is to avoid situations where wrong email Id or Phone number was used to create a profile in your system.
  2. User receives a link via email or SMS that asks him to create a user Id & password (not just password).
  3. User creates a user Id & password. The system converts the temporary user to an active user.

A lot of systems follow this pattern where a user account is created by an Admin on behalf of the user. One example is Salesforce.

0 Likes

#3

When the admin has created the account, they would be filling in important confidential information of the user. The temporary account can be claimed by the wrong individual(in case the email was wrong) which would give them access to someone else’s confidential information.

In any case if the email or mobile no. is wrong, the conversion of temp to active would not be of the intended person right?

0 Likes

#4

True. I am curious about the context.

In this case I’d restrict the visibility of certain confidential information when the account is claimed (i.e user Id & password is created). As a next step you could do 2 things:

  • Pose few questions related to the profile (like security questions) which only the right user should know. If he answers correctly you open up access
  • Offline verification by making a phone call & somehow verifying. Or how HDFC bank allows you to reset password using your Debit Card number & PIN.
0 Likes

#5

That is interesting. I think most banks use this mechanism for creating a profile. I have also seen a similar mechanism on trading apps created for investors. Websites and apps created for poker players do the same. I think email and SMS might still breach security if you get both or either of this wrong.
Quick food for thought though: Instead of sending a link of the profile to the user, is it possible to send a link to your product page? and then on the product page you ask the user to enter the phone number or email or both, and then send them a OTP which lets say expires in 10 mins or even 5 mins. And restrict the number of times an OTP can be sent. Say a max of 2 times.
But this is very interesting.

0 Likes

#6

@primukh26 Really like the idea of inviting people to a page where they are asked to enter phone number or email. However, if they received the link via email/phone that info is easily available so won’t solve the original problem. But may be we could ask the user to enter the phone number when the link was sent via email. Obviously this assumes the system has both email & phone number.

0 Likes

#7

@rohitshukla So lets say you create a profile for customer named John. Now John’s profile is ready and you want to send it to him. Before John asked you to make the profile, he would have tried to reach out to you in some way, (that gives you the opportunity to store the person’s email id or phone number and an answer to a randomly selected question).
Now that the profile is ready, lets say you send out a message to John either on his phone or his email, saying “Hey, have a look at your new profile” or something like that, and have a button(in the email) or a link(in the SMS) that would direct John to your landing page. On your product landing page have a button that says “Click here to view your new profile”. When John clicks this button, he is sent an OTP and two textboxes are displayed asking to enter the OTP and the answer to his question(which you would have collected in the beginning). Once he does that he has access to his own profile.
So then that way they are not receiving a direct link and its secure.

What are your views about this?

0 Likes

#8

@primukh26 The flow you described is how I was originally imagining the use case. However, it seems @rohanaranha is describing a scenario where the profile was created without the user initially being involved. And his concern (that he’s looking to solve) is what if the email id/phone number on the profile was incorrect? In that case a wrong person (whose phone number/email was incorrectly entered) could gain access even using the OTP approach you suggested.

I imagine this can happen where a bank agent filled a credit card application on your behalf & accidentally typed your phone number incorrectly.

0 Likes

#9

The flow I was thinking of was to ask the user to verify his DOB on the platform in order to gain access to his profile.

The chances of the admin of entering a wrong email id/mobile no.(single letter/no. error) and the unintended user know the intended users DOB are very slim. For now I think this should solve the issue. Post implementation I will study the data and look at other possibilities if required.

Thanks for the help guys! :smiley:

0 Likes