-2

My friend and I are working on a website, with a feature being to allow company employees to create accounts and perform actions as official representatives of their company. For example, our website will allow a recruiter from Microsoft to create an account and recruit on there on behalf of Microsoft. In order to prevent random people from posing as official employees, we wanted to have some sort of official verification when an employee creates an account*. We've been toying around with the idea of using IRS information such as EIN and SSN as well as some sort of an API that can search an IRS database, but every API/web service we find isn't really helpful.

If anyone knows how to do this, advice would be greatly appreciated. Our website, for the record, uses JavaScript/HTML/CSS for front end and ExpressJS/PostgreSQL for back end.

jciano
  • 1
  • Have you tried something yet? Maybe try including some code in your question. Consider reading [this article](https://stackoverflow.com/help/how-to-ask) from the Help Center for more details on how to ask a good question. – Pedro Fracassi Jun 23 '20 at 22:10
  • SSN numbers were never intended for, and should not be used as a unique identifier. They are for use by the Social Security Administration only. If you were to store them in a database of a public facing website, you would need a team of security professionals and lawyers. You'd need to make sure they were encrypted, and you'd need to perform regular security audits on your site. Any public api you would happen to find that would just hand these out is going to be illegal. – kloddant Jun 23 '20 at 22:10

1 Answer

0

The way I would go about this is to register each company in your database with a list of known base domains. So for instance, for Microsoft employees, you would first register the company "Microsoft", and then you would associate the base domain "microsoft.com" with it. Then if anyone wants to register as a Microsoft employee, they would need to enter their Microsoft email address. Then your site would mark them down as "unverified", and it would send out an email to that address. They would need to click a confirmation link in this email, which would mark their account as "verified" on your site so that they could do stuff as a representative of that company. This requires that you personally create this list of companies and corresponding domains though. That part you cannot open to everyone.

kloddant
  • Also, it probably goes without saying, but the confirmation link that you email to them is going to have to have as one of its url parameters a unique id of some sort that they then have to match to the one for their listing in the database to prove that they are indeed answering the email instead of just querying your confirmation endpoint. – kloddant Jun 23 '20 at 22:17