I am developing an Android application for my final year project which allows the holder of a mobile device to receive a text notification containing potentially sensitive information from a server.
My question is this, if a User downloads the application, what is a suitable way for them to create an account / log in on my server to receive notifications from it?
I was thinking:
Application
- Open application
- Click Register
- Fill out fields (Name / Address / ID / Phone no.)
- Send to server
- Display “Account Pending”
- If approved, send positive message, begin receiving notifications from server.
- If denied, send negative message, if User tries to log in with that account, the App will inform them that it was rejected.
Server
- Add received information to a “Pending Account”
- When an Admin comes online, they can review the information (How can they be sure the person is who they say they are?)
- If the account is approved, the details are moved to a normal User account, otherwise moved to rejected accounts.
I can’t think of another solution which would fit this problem. If anybody knows of a pattern or design that is appropriate, I would appreciate hearing from you.
Modifying the answer, according to the conversation in the comments.
You mentioned this is security-sensitive, and thus you cannot trust people from the Internet without a strong security token. Assuming the people have secured work emails (connection between the email client and server is never plain text), you can probably create the user accounts centrally on the server, according to their required privileges, and send the first-time passwords to them via email. They can then log in to the system using their email address and the password. Normally they also need to change the password immediately. You may decide to activate their privileges only after they log in for the first time and change their password.
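The provisioning flow the answer describes (admin creates the account centrally, a first-time password goes out by email, the user must change it on first login, and privileges only activate after that change) can be modelled server-side in a few dozen lines. The following is an added example written for this page, not code from the question or the answer; it assumes an in-memory account store, PBKDF2 for password hashing, and a time-limited first-time password, and leaves email delivery and the Android client out of scope.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumption: tune for your server hardware


@dataclass
class Account:
    email: str
    role: str                       # requested privilege level, assigned by the admin
    salt: bytes
    pw_hash: bytes
    must_change_password: bool      # True until the first-time password is replaced
    initial_expires_at: float       # first-time password is useless after this time
    active: bool                    # notifications are only delivered when True


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """Server-side account lifecycle: provision -> first login -> password change -> active."""

    def __init__(self, now=time.time):
        self.accounts: dict[str, Account] = {}
        self.now = now
        # Dummy credential so a login for an unknown email costs the same as a real one
        # (avoids leaking which emails exist via response timing).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(secrets.token_urlsafe(16), self._dummy_salt)

    def provision(self, email: str, role: str, ttl_seconds: int = 48 * 3600) -> str:
        """Admin creates the account centrally; returns the first-time password to be emailed."""
        initial = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self.accounts[email] = Account(
            email=email, role=role, salt=salt, pw_hash=_hash(initial, salt),
            must_change_password=True, initial_expires_at=self.now() + ttl_seconds,
            active=False,
        )
        return initial  # never stored in clear; only the hash is kept

    def login(self, email: str, password: str) -> str:
        """Returns 'ok', 'change_password_required', 'expired' or 'denied'."""
        acct = self.accounts.get(email)
        salt = acct.salt if acct else self._dummy_salt
        expected = acct.pw_hash if acct else self._dummy_hash
        if not hmac.compare_digest(_hash(password, salt), expected) or acct is None:
            return "denied"
        if acct.must_change_password:
            if self.now() > acct.initial_expires_at:
                return "expired"            # admin must re-provision a fresh first-time password
            return "change_password_required"
        return "ok"

    def change_password(self, email: str, old: str, new: str) -> bool:
        """Replaces the password; the first successful change activates the account."""
        acct = self.accounts.get(email)
        if acct is None or len(new) < 12 or new == old:
            return False
        if self.login(email, old) not in ("ok", "change_password_required"):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change_password = False
        acct.active = True                  # privileges only switch on here
        return True

    def can_receive_notifications(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.active and not acct.must_change_password


if __name__ == "__main__":
    store = AccountStore()
    first = store.provision("alice@example.com", "reader")   # constructed sample account
    print("first login:", store.login("alice@example.com", first))
    print("changed:", store.change_password("alice@example.com", first, "correct horse battery staple"))
    print("second login:", store.login("alice@example.com", "correct horse battery staple"))
    print("notifications enabled:", store.can_receive_notifications("alice@example.com"))
```

The first-time password is single-use in effect: once `change_password` succeeds it no longer verifies, and if it is never used before `initial_expires_at` the account stays inert until an admin re-provisions it. Keeping `active` false until the change means an intercepted welcome email cannot by itself turn on notification delivery for an account the legitimate user has not yet claimed.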