Alternative to CPF (Foreign Users)


33

I have a site where we control users by CPF number. I believe it is the best way because it is a unique piece of data that everyone knows and that is checkable. However, the client now has foreign users who do not have a CPF.

How do I deal with this? As far as I know it is not possible to control by passport number. There is nothing equivalent to the CPF.

More details:

A USERID is used as the primary key. The CPF is the login on the system. Those who access it are salespeople at stores that sell the product, and the site is a "shop area" where internal promotions are run.

Requesting the CPF is an effort to prevent more than one registration per person, since the site creates campaigns where the user can receive prizes for answering questionnaires.

E.g., one of the campaigns was to win a pair of tickets to watch the Cup final at the Maracanã. The user answers the questionnaire with questions about the product, sales technique, etc., and whoever gets the most right wins the prize. Each person can take it once. We have a question bank: the questionnaire asks 20 questions, drawn at random from the 200 in the bank. But in any case, the more registrations a user has, the more chances he creates for himself.

  • 3

    If you know where customers come from, you can make a unique identifier associated with the country. Brazil - CPF, USA - Social Security, etc

  • 1

    Does the site not allow minors, people who are dependent/disabled, or those who are in an illegal situation?

  • 1

    It’s not very interesting to make the CPF a primary key, because you don’t have full control over it: if the government changes anything in relation to the CPF, you would have to maintain and migrate all the data...

  • 8

    As you may have noticed, you have received several responses with different approaches (and even some ramblings). Do you know what would help? Describe a little more the context of your system. For example, you don’t mention whether foreign users are tourists or residents (so someone can know if RNE really applies).

  • Considering that your system requires a formal taxpayer ID for residents, but makes exceptions for foreigners, you can instead use the passport number to identify them. All passports (at least the majority that are accepted by UN member countries) follow a standard in numbering and there is a validation using the first 10 digits and identifying the country of origin. Have a look at http://www.highprogrammer.com/alan/numbers/mrp.html

  • 1

    Hello guys - as I’m new here, despite using the English version (this time I thought they wouldn’t understand the CPF problem), I couldn’t talk to you because I didn’t have enough score.. haha - I almost opened a question here to find out how to answer.. lol - I did not use the CPF as the primary key - there is a USERID for this. The CPF is the login on the system. Those who access it are employees - or rather store salespeople - who sell the product - and the site is a "shop area" where internal promotions are run.

  • We use the CPF for control instead of the email to discourage employees from registering twice using different emails - because a salespeople ranking is made, the best are awarded, etc. Of course this does not prevent someone from using a fake CPF - but it’s a lot harder than using another email. The CPF, like it or not, ends up giving a more "legal" air to the business - most do not know how to generate a fake CPF, and those who do - as it is a company thing - end up respecting it more.. but of course, nothing prevents it.

  • With email, there is always the excuse.. "I forgot my email, so I made another registration".. etc.. "I forgot my CPF" is something that does not exist. Also, to make it even easier - remembering the CPF is sometimes easier than remembering the email.. and there are many salespeople who are extremely humble.. some have neither email nor internet.. only access in the stores.

  • The database has about 70 thousand registered salespeople, who within the site receive online sales training, accumulate sales miles to exchange for prizes, participate in marketing actions, etc. The CPF is necessary to send the prizes - and to issue the NF (nota fiscal) for them - and not allowing duplicate registrations is important because some marketing actions are questionnaires - they have a huge question bank to practically ensure that one questionnaire will never be the same as another - but if you register twice you can answer one, see the answers, and have an advantage when answering again.

  • E.g., one of the actions run was WIN A PAIR OF TICKETS TO WATCH THE CUP FINAL AT THE MARACANÃ. The user answers the questionnaire with questions about the product, sales technique, etc., and whoever gets the most right wins the prize. Each person can take it once. If he registers twice, he is entitled to a second attempt. That is why we have a question bank - the questionnaire asks 20 questions, and the bank has 200 that are randomized.

  • Now the customer is selling in stores in Mercosul - Argentina, Paraguay, Uruguay.. and the salespeople there do not have access to the site because of the CPF. My hope was to have some alternative or idea to let them in.. but a passport wouldn’t do - since not every seller will have one (I thought about that afterwards). I think the best solution would be to create a kind of ADM for foreigners.. like a "Customs/Embassy" - it doesn’t end fraud - but we prevent all foreigners from accessing the system freely without a CPF. So the ADM would check with the stores to see that it is not a duplicate before releasing access.

  • @DANIEL, I supplemented the reply by detailing the suggestion I had left as a comment.

  • As far as I know Indians don’t have social security numbers, so it’s really not a good primary key for identifying individuals. It is necessary to check that two different people do not have the same CPF, but it is also necessary to anticipate the non-existence of a CPF. Something similar happens in exports, where I think the note comes out with the customs broker’s CNPJ, so there is always a CNPJ for each legal person, but obviously two clients can have the same forwarder.

  • @DANIEL Did any of the answers solve the problem? Do you think you can accept one of them? See [tour] how to do this. You’d be helping the community by identifying the best solution. You can only accept one of them, but you can vote for anything on the entire site.

  • What prevents me from registering with other companies/clients' CPF?


4 answers

25

TL;DR

The CPF is not a good candidate for a primary database key and is probably not ideal for "control", whatever that means for the OP. In that case a surrogate key is usually a better option.

You will need an "internal code" to complement, or even replace, the CPF as identification of the registered person. There are several reasons not to use the CPF as "control". In general it is auxiliary data.

Or you can use a slightly better piece of data, maybe email, which is not perfect either.

A little context would have helped give a more specific solution.

Myths about data

There are myths about a lot of things programmers believe. There are even some websites that have tried to show some of these untruths that people believe. They are universal things, and the lists only cover a few subjects. Note that the number of myths in each one is quite large. Most programmers are completely unaware of almost all the items presented in them:

Some lists are better than others. You can probably get a list like this for just about any field you can put in a database. And people always believe their case is different. Even if some of the rhetorical questions I ask below can be answered with a yes, that can change one day, right?

I guess there’s one link about documents. The list of myths should be huge.

Unique, mandatory and stable data

The first myth is to believe that documents are unique to people, especially the CPF. And, although it seems obvious, so is thinking that they are universal.

The question, if read carefully, already shows that the document is not unique as is claimed. If you want something unique and are already admitting that it is not unique, it does not serve for this "control".

There are cases where it can be repeated and still have control, and there are cases where the data does not need to be uniform and there is control. But you can’t use it as a primary key or as something that has requirements similar to those of primary keys.

Is there a clear definition that a spouse cannot have a separate registration? In many cases two people use the same CPF in this situation. And there are cases of people already separated who, for some particular reason, still use the same number.

The same can be said of people who have some legal incapacity. Can they not be registered in this system? Among these are minors under 18 (it is possible for them to have a CPF, but not mandatory).

Can people who decide, for some reason, that they do not want to have a CPF, even if it is mandatory, not be registered?

People who are foreign residents or tourists seem like they can. The latter even need to have a passport in many cases. Do they need to be present in Brazil to register? Will you know whether their country requires any official document? And if so, how can this be useful to your system here? Let’s not forget the illegal ones. Do you not want to include them in the system?

Have you considered that it is relatively common for a law to determine a different way of using an existing document? You get a new format, a new criterion, etc. You have no control over this. Do you really want to use something that you have no control over? And I’m talking about the number. In fact the CPF could fall into disuse with the creation of a universal document that is under way.

And from the description it seems that the system rule itself can change. Isn’t it better to use something more stable as the "control"?

Possible solutions

Is it worth controlling several types of document? Have you imagined how much work this is? And that it can bring problems? That the user experience may be harmed by it?

It seems to me that not even the CPF should be used. If it really is not mandatory to have the CPF, do not make it mandatory by "will of the system".

Is another document good? I doubt it, but it depends on the requirements of the system. Normally an identification document should be ancillary information.

  • Is the e-mail address good for this? Debatable. You can use it if having an email is a registration requirement; it is usually an artificial requirement that can be avoided. There are those who share an email. People change or lose access to their email. If it is something purely on the internet it may be an option, even if it has restrictions on its use. It is the most used in this context, despite the possible problems, some of which I will not even list.

  • An internal code is an option, be it for everyone or for exceptional cases where the CPF is not available. We can not always solve all problems well. The code does not need to be a number; it can be built the way you want, even allowing the user to create one. The biggest disadvantage of this is that the user will always have to know it. So you had better let him choose something he remembers, and preferably one.

  • Oftentimes the name of the person is the best solution to find the user. It depends on where it will be used. Usually not on a website; repetition is very common. Other problems are not as serious as they seem, but they do exist.

Other solutions may be possible depending on the context where it will be used. If the question had more context, then a more specific solution could be found.

10

Every self-respecting country has at least one form of control over foreigners. In Brazil, control is carried out by the Federal Police. The identity document of a foreigner is the Alien Identity Card (CIE), formerly the "National Registry of Foreigners", which has a more specific function in the control of foreigners.

Alternatively, you can control by the official identification from the foreigner's country of origin; however, imagine how to implement this for more than 200 countries and keep it all up to date and intact. That’s why it’s unfeasible.

When we talk about foreigners, there are several classes, such as the permanent resident who is not naturalized as Brazilian. There is the provisional resident, whose classification branches out into tourism, work, exchange, scholarship, mission (volunteers of NGOs, NPOs, foreign governments, etc.), among others. This list also includes refugees, expatriates, etc.

Therefore, try to maintain the identification through documents that are "controllable" within the jurisdiction of the database, in your case, Brazil. It is also valid to check the passport as an aid, but do not use the passport as the identification, since an alien can also be illegal, a refugee, an expatriate or a stateless person.

8

What "controlling the user" means depends on the customer’s business requirements.

Is the user’s CPF useful to the client’s business, or do you only need it for technical reasons (unique identification of a record in the database, for example)?

Customer business does not require CPF

If the customer’s business does not require it, you should not request documents from the user. Brazilians do not like to share their documents if they do not understand the reason or if the benefit of the service provided by those who are asking for the document is not very relevant.

If you only need a user identifier for login purposes, asking for an email is better than asking for a CPF. Remember that asking for the CPF does not prove that the user is who he says he is (I can use someone else’s CPF), and if you are not using any service to match the CPF against the name, you have no guarantee either.

Asking for a username is bad because the user may have to invent one right away and may have trouble remembering it later.

The client needs the number

If the client’s business requires the CPF, it is the client who will inform which alternative document will serve for it, and if an alternative document is required.

If an alternative document is not required, you can generate a code for the foreign user. In this case the system will have to offer two login alternatives: the CPF and the generated code. Maybe it’s better to offer login alternatives by CPF or email instead.

As for the primary key in the database, even if the CPF is required by the business, consider using a surrogate key (an automatically generated number) and a unique index for the natural primary key (in this case, the CPF).

It is common for changes in business requirements to trigger changes in the entity’s natural primary key; using a surrogate key gives more flexibility to absorb these requirement changes with less effort to change the database.

CPF as login

The details added to the question demonstrate the usefulness of the CPF for the business. What about using it as login?

Several companies use the CPF as login. My bank and my internet company, for example, do.

I don’t know about my Internet company, but my bank opens an account for foreigners, who obviously don’t have a social security number. This is where an extra effort comes into dealing with login: the bank site also admits login by account number, in addition to login by CPF.

As I mentioned before, you can have more than one login option, and that’s what my bank does. You can open the login page with a primary option and offer a button for the user to decide to log in otherwise; or you can handle it transparently by accepting more than one login type in the same field. It may be feasible to identify the type of login being used (CPF/Foreign document, Code/Account Number, Email...) and then execute the proper logic on the server.

Not all users have CPF

In your specific case, some users do not have a CPF because they are not Brazilian, and do not have any standard Brazilian document because they are in another country.

In this case, you can look for a document equivalent to our CPF in each country that the customer’s business serves.

When the user is registering, he must indicate his country, and then the system requires the specific document. When the country has an algorithm to validate this document, you can implement it (just as surely you do with CPF).

At the time of login, the system does not need to say "enter with your CPF", it can simply say "login" and give some hint that login is the user document.

By accepting documents other than the CPF, the client widens the gap for users to make more than one registration. From what I understand, the only problem with this is campaigns where the user can increase their chances of winning if they have more than one registration. Since asking for a document, in your case, is just a bureaucracy to try to avoid this type of fraud, what the client can do is increase the bureaucracy a little more to lessen the effects of the wider gap, such as announcing it in the campaign and requesting a copy of the document by email before delivering the prize, and only delivering in the country declared by the user at registration.

Finally, I repeat that the best solution appears with the active participation of the client, which should help solve the problems and the final decision belongs to him.
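The registration scheme this answer describes (surrogate key, unique index on the document, document chosen by the country declared at registration), as an added example that is not part of the original answer. The table layout, the `NATIONAL_ID` fallback type and the function names are assumptions; only the CPF check-digit rule is a real validation algorithm here, and the sample numbers in use are constructed.

```python
import re
import sqlite3

# Hypothetical schema: user_id is the surrogate key; the document is only a
# unique natural key, scoped by the country declared at registration.
SCHEMA = """
CREATE TABLE users (
    user_id    INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    country    TEXT NOT NULL,
    doc_type   TEXT NOT NULL,
    doc_number TEXT NOT NULL,
    UNIQUE (country, doc_type, doc_number)
);
"""

def cpf_is_valid(number: str) -> bool:
    """Verify both CPF check digits (weighted sum, mod 11)."""
    digits = re.sub(r"[.\-\s]", "", number)
    if not re.fullmatch(r"[0-9]{11}", digits) or len(set(digits)) == 1:
        return False  # all-equal digits satisfy the arithmetic; rejected
    d = [int(c) for c in digits]
    for n in (9, 10):
        total = sum(v * w for v, w in zip(d[:n], range(n + 1, 1, -1)))
        if d[n] != (total * 10 % 11) % 10:
            return False
    return True

# Country -> (document type, validator). Only Brazil has a check here; other
# countries fall back to a format-only "NATIONAL_ID" (an assumption).
VALIDATORS = {"BR": ("CPF", cpf_is_valid)}

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register(db, name: str, country: str, raw_doc: str) -> str:
    """Return 'ok', 'invalid' or 'duplicate' for a registration attempt."""
    country = country.strip().upper()
    doc_type, check = VALIDATORS.get(country, ("NATIONAL_ID", None))
    # Normalize before storing, so "30.111.222" and "30111222" collide.
    number = re.sub(r"[^0-9A-Za-z]", "", raw_doc).upper()
    if not number or (check and not check(number)):
        return "invalid"
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO users (name, country, doc_type, doc_number) "
                "VALUES (?, ?, ?, ?)", (name, country, doc_type, number))
    except sqlite3.IntegrityError:
        return "duplicate"
    return "ok"
```

The unique index includes the country because the same number can legitimately exist in two countries; without normalization, the same person could register again just by changing the punctuation of the document.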

1

I believe that for your case, which already has an application ready, based on the CPF model, there is no point in entering into the theory of which is the best and most secure type of identifier for users.

If it was my system, which uses CPF and suddenly needed to receive users without a CPF, I would choose to ask the new user, at the time of registration, whether he is Brazilian or not.

If the answer were negative, the user would be sent to the registration screen, where the form of registration and entry would be the email address. And of course, this does not invalidate the possibility of the registration containing fields that can be used for future checking, such as passport number, foreign ID etc. Most countries issue some kind of social security document, which works the way the CPF does here in Brazil.
