Verification mechanism on registrations

[cristianourban]

Hi,
I would like to ask you if there is the possibility to introduce a verification mechanism (like captcha codes, for example) for both account registrations and event registrations in Indico.

This feature would be really appreciated for research institutions that lean on an internal mail server in order to avoid several issues related to submissions coming from fake email accounts.

Thank you in advance for your time.

Best regards,

[elvirus-dlr]

We would also love to use this software but in order to secure event registrations from fake accounts and bots we would love to have this captcha feature as well. Is it possible to implement it into the registration process? Maybe as a form element? The I would be able to drag a new "captcha" form element into the registration form if I want to have it.

The second security related feature request would be a double opt in. If I am not mistaken, then everybody could impersonate any other person with registration in public events because there is no e-mail opt-in. Say, f. i. I could register as some other guy I know the name and mail address of. I am immediately registered. But for security reasons, I should confirm the registration by clicking on a confirm link sent via e-mail.

Is here anyone reading this to help me out with some info? Can those features be implemented into the application or am I even able to it myself by developing a plugin?

I would love to hear some response!

Best regards,
elvirus

[ThiefMaster]

(Only commenting on the event registration part since account creation should be a separate issue anyway as these two things are not related at all)

In 3.2 one could indeed write a plugin to add a captcha field! Not sure if this should be a plugin though, I think we should include this in the core...

Just wondering, how much would settings like this already help?

• "Only allow your own emails" - this would turn the email field in a dropdown where you can only select emails from your Indico account (which are already known to be verified)
• Require email verification - this would require any new email address (ie one that's not on your own Indico account) to be verified before you can submit your registration (so basically what you call "double opt in")

IMHO this would actually be more user-friendly than a CAPTCHA:

• Everyone hates CAPTCHAs
• Bots are getting quite good at breaking most CAPTCHAs
• The halfway decent CAPTCHAs require you to use third party companies (reCaptcha etc.) that collect data
• Having a verified email is useful in general

[elvirus-dlr]

Thank you for your reply.

You got me with your list against captchas. I totally agree with you on your points. I personally hate them so much. Maybe this is just a requirements thing for the pm guys. It sounds nice if you could say "we are protected against bots with our captcha mechanism". But as for now, we have this requirement.

And also the double opt in.

All other requirements are met by Indico and we are on our way to using it if this "double opt in" thing would be incorporated. This is seen as a must have. I am working for the German Aerospace Center (DLR) and we would like to have it on board. I will clarify if the captchas are a must have. Maybe not. I will see.

The settings you proposed for event registration would help a lot and would totally suit our needs.

Best regards,
elvirus