Why have a login/password?

Status
Not open for further replies.

Gooser

Technical User
Jun 28, 2006
803
US
Our company is building a website that will accept applications for inspections (physical inspections of properties.)

My gut tells me we need login/password authentication for this system, but the VP of the company says we don't need it, and the users will avoid the website if they have to register. Rather than fill out the form online, they will just call customer service and make them do it.

Isn't there a strong risk of attack if we allow anyone who can get to the website to fill out the application?

What is my best argument?

v/r

Gooser

Why do today
that which may not need to be done tomorrow [ponder] --me

The Universal Model
 
Gooser,
Are the visitors potential customers or employees? I am asking if the application is customer based, where they are requesting a physical inspection of some sort (termites, chimney, insurance claim), in which case I am sure the application requests contact information. In this case I would be inclined to agree with your VP in regard to ease of use attracting more business. With this scenario there would not really be a need for an authentication system.

If, however, the purpose of the inspection applications is internal and thus used by employees/partners etc., then I would recommend some sort of authentication in order to avoid the various issues that could arise. Do know that there are alternatives to password protection in regard to authentication. You could include a block in the application itself requesting company name (if this is for partners)/control number etc. that would make a fraudulent app stand out at a glance. This is all irrelevant if this application is for customers, so I will stop here.

Regardless, if the VP has already said go without a login/password then the best bet would be to comply. This is not a system critical issue here. If the application process is abused the VP will most likely change his mind, say "guess you were right," and ask you to fix it, so either way it will be a good job on you. But no major damage/security breach to the company. Hope this helps!

B Haines
CCNA R&S, ETA FOI
 
There are bots that crawl the web looking for apps to fill out in the hopes of getting their stuff (ads for Viagra, etc) published. Even with a CAPTCHA login/password/email signup system you would still get these fraudulent requests, just not so many. I predict that your site will attract these bots in droves but there will be no harm done except for the time of your staff deleting the bogus requests. I don't see any serious security issues, just annoyances.

Tony

Users helping Users...
 
Isn't it open to abuse by sending in false inspections to sites other than the submitter's? Or is that the idea?
 
I'd say login or at least some part of the process for registration where the user must enter a unique ID - like a contract number or site code. A login gives a full audit trail which is the best way but making sure the customer must enter some unique info will stop randomly generated rubbish.

It's a balancing act between ease of use and security.
 