Every SaaS provider has one major problem – the security concerns of its userbase.<p>People are worried about their data, its transmission, and that anyone can “guess” their password and log in to their accounts.<p>What I’m describing here is a product idea – we will write it for ourselves, but I think it can be sold separately as a byproduct of our main web app.<p>How would it work?
1. A simple JS insert on the login page will track who is logging in from where, what kind of browser, operating system, etc. (the JS will not send or track the user's password! We should have some kind of "ok" from the web app that the user's login was successful)<p>2. We will track patterns of app usage (is it a working day? What time is it?)<p>3. If our system finds potential fraud (correct login and password but a strange usage pattern) – we will send an email with a special code to the owner of the account. The user will get a popup message “Please let us know it’s really you. Check your email account!” and a text input field to provide the code.<p>4. The system can provide a badge or something so users feel safer logging in to web apps protected with this fraud detection system.<p>What do you guys think? Do I see any beta testers already?
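The four steps above, as an added server-side example (not code from the post or from any product): a per-user profile of known devices, networks and login hours, a risk score built from which of those are new, and a single-use, time-limited, attempt-limited e-mailed code for the "is this really you?" step. Assumptions not in the post: "where" is approximated by the client's IPv4 /24, "what browser/OS" by a coarse User-Agent fingerprint, the "usage pattern" by (weekday, hour) slots seen before, and the e-mail is simulated by returning the code to the caller. The password never enters this module; `check_login()` is called only after the app's own authentication has succeeded, which is the "ok from the web app" of step 1. The sample login history is constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CHALLENGE_TTL = timedelta(minutes=10)
MAX_ATTEMPTS = 5
RISK_THRESHOLD = 2  # this many "new" signals on one login raises a challenge


@dataclass
class LoginEvent:
    user: str
    ip: str
    user_agent: str
    when: datetime  # server time of the app's own "login succeeded" signal


@dataclass
class Challenge:
    code_hash: bytes
    expires: datetime
    pending: LoginEvent  # the login that becomes trusted once the code is confirmed
    attempts: int = 0


def fingerprint(ua: str) -> str:
    """Coarse device key (assumption): parenthesised OS token + last product token."""
    os_part = ua[ua.find("(") + 1:ua.find(")")] if "(" in ua and ")" in ua else ""
    tokens = ua.split()
    return f"{os_part}|{tokens[-1] if tokens else ''}"


def network(ip: str) -> str:
    """Network key (assumption): the IPv4 /24 the client came from; no GeoIP needed."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def code_hash(user: str, code: str) -> bytes:
    # Only the hash is stored, so a leaked challenge table yields no live codes.
    return hashlib.sha256(f"{user}:{code}".encode()).digest()


class FraudDetector:
    def __init__(self) -> None:
        self.profiles = defaultdict(lambda: {"devices": set(), "networks": set(), "slots": set()})
        self.challenges = {}
        self.login_log = defaultdict(list)  # per-user history, suitable for showing to the user

    def risk_signals(self, ev: LoginEvent) -> list:
        """Which of device / network / time slot are new for this user (first login: none)."""
        p = self.profiles[ev.user]
        signals = []
        if p["devices"] and fingerprint(ev.user_agent) not in p["devices"]:
            signals.append("new device")
        if p["networks"] and network(ev.ip) not in p["networks"]:
            signals.append("new network")
        if p["slots"] and (ev.when.weekday(), ev.when.hour) not in p["slots"]:
            signals.append("unusual time")
        return signals

    def _trust(self, ev: LoginEvent) -> None:
        p = self.profiles[ev.user]
        p["devices"].add(fingerprint(ev.user_agent))
        p["networks"].add(network(ev.ip))
        p["slots"].add((ev.when.weekday(), ev.when.hour))
        self.login_log[ev.user].append(ev)

    def check_login(self, ev: LoginEvent):
        """Returns (allowed, signals, code). code is None unless a challenge was raised;
        the caller e-mails it to the account owner and shows the popup."""
        signals = self.risk_signals(ev)
        if len(signals) < RISK_THRESHOLD:
            self._trust(ev)
            return True, signals, None
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[ev.user] = Challenge(code_hash(ev.user, code), ev.when + CHALLENGE_TTL, ev)
        return False, signals, code

    def verify_code(self, user: str, code: str, now: datetime) -> bool:
        """Single-use, time-limited, attempt-limited check of the e-mailed code."""
        ch = self.challenges.get(user)
        if ch is None or now > ch.expires:
            self.challenges.pop(user, None)
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[user]
            return False
        if not hmac.compare_digest(ch.code_hash, code_hash(user, code)):
            return False
        del self.challenges[user]
        self._trust(ch.pending)  # confirmed by the owner: new device/network become known
        return True


def seeded_detector() -> FraudDetector:
    """Constructed sample history: three weekday-morning logins from one office /24."""
    d = FraudDetector()
    ua = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
    for day, hour in ((5, 9), (6, 10), (7, 9)):  # Tue, Wed, Thu in March 2024
        d.check_login(LoginEvent("alice", "203.0.113.42", ua, datetime(2024, 3, day, hour, 15)))
    return d
```

A Friday-morning login from the usual office browser scores only "unusual time" (one signal) and passes; a Sunday 03:12 login from a Linux/Chrome device on a different network scores three and is held until the e-mailed code is confirmed. The threshold, the time-slot granularity and the /24 approximation are the knobs a real deployment would tune; the single-use and expiry rules on the code are the part not to relax.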
I think that I don't trust <i>me</i> with my users' passwords and I am darn sure not going to trust <i>you</i> with my users' passwords, and I am not exactly in a high-security niche.<p>Also, bouncing many users in the midst of using the app is worse than a security breach in some cases.
That's useful, and even more impressive if it doesn't appear to be automated.<p>My employer sells a traditional software product, and there is an arrangement for the support desk to get notification of all errors. We called back once when we saw some rather unusual-looking URLs, and it turns out that the customer had hired a consultant to do some basic penetration testing.<p>Needless to say, the client was happy with our rapid response.<p>Another real-life example is when I made a 1-dollar verification so that my kid could have an AOL account. I got a call from VISA within 5 minutes, and I was pretty happy.
I've got pages of writing/sketches expanding upon your idea. I almost went with it, but there's a lot of regulation involved and people are unlikely to want to hire out for their security. My only concept was selling it as a larger package and not for a monthly fee, to hopefully transfer some of the responsibility of keeping the info safe to the purchasing company.<p>I was thinking something along the lines of usage patterns that would actually predict some fraudulent activity before it happens.
I like the principle of the idea, but the practice is another matter. You want me to trust a piece of external Javascript on my login page? A piece of Javascript that is used <i>exclusively</i> for authentication? If your service took off, I don't see how you won't end up with at least one major security breach :(
Just some decent user-viewable logfiles of their logins (hour/date/browser/cookies) would be enough for them to be able to check when someone logged in.<p>I never understood why online email sites didn't provide those...