Ask HN: How to implement parental oversight for web user accounts?

Say, a mother has an account on an educational web platform. She now wants her 12-year-old daughter to also use the platform. But as the daughter is a minor, her mother wants oversight into the daughter's account to identify bullying, threats and abuse.

How would a web authentication and account management system be built for this requirement? What should be taken into consideration when building such a system?

One way to achieve this is to let more than one person access the account (in the above example both mother and daughter can access the daughter's account, even simultaneously). But this could give rise to a lot of security issues. How does one mitigate that? Or are there better ways to implement parental oversight into web accounts?

2 points | by _448 872 days ago

2 comments

  • detaro 872 days ago
    A big worry with this kind of thing is how control is established, e.g. to prevent the feature from being used abusively it needs to be obvious to anyone using the "child" account that it is under control.

    If your structure allows implementing this cleanly, allowing the parent account to gain a (read-only?) login session to the child account could be an option.

    • _448 872 days ago
      > it needs to be obvious to anyone using the "child" account that it is under control.

      This can be achieved by providing a notification/an indication on how many people are using that account and providing access to the login history?

      • detaro 872 days ago
        The test is relatively simple: If you use the app as you normally would, you need to notice that an account got linked as a parent account, and the parent account must not be able to hide this. I.e. hidden somewhere in the settings is a start, but not enough.
  • high_byte 872 days ago
    Sharing the account probably had the least security issues, considering the alternative is probably a proxy data processor & relayer. With respect to security the question is whether this proxy is the mom or some third-party provider. But I assume some automation is desired, in which case there are some companies that attempt to create such solutions but I cannot think of recommendations.
    • _448 871 days ago
      > sharing the account probably had the least security issues

      > the alternative is probably a proxy data processor & relayer. with respect to security the question is whether this proxy is the mom or some 3rd party provider.

      Isn't that also the case with sharing the account? How is the back-end going to detect that the minor's account is not shared with exploiter(s)?
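
An added example, not part of the thread and not any poster's code: a minimal model of the read-only guardian session suggested above. The parent authenticates with their own account instead of sharing the child's password, every guardian read is recorded in a log the child can see, and the oversight banner is computed from the link itself so there is no setting that hides it. All class, function and action names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

READ_ONLY_ACTIONS = {"view_messages", "view_login_history"}  # assumed action names

class OversightError(PermissionError):
    """Raised when a guardian session attempts something it is not allowed to do."""

@dataclass
class Account:
    username: str
    guardians: set = field(default_factory=set)    # usernames of linked parent accounts
    audit_log: list = field(default_factory=list)  # shown to the account holder

    def record(self, actor, event):
        self.audit_log.append((datetime.now(timezone.utc), actor, event))

@dataclass(frozen=True)
class Session:
    actor: str       # account that authenticated (own credentials, no shared password)
    subject: str     # account whose data is being accessed
    delegated: bool  # True when a guardian is looking into a child account

def link_guardian(child, parent):
    child.guardians.add(parent.username)
    child.record(parent.username, "guardian_linked")

def open_guardian_session(child, parent):
    if parent.username not in child.guardians:
        raise OversightError(f"{parent.username} is not a guardian of {child.username}")
    child.record(parent.username, "guardian_session_opened")
    return Session(actor=parent.username, subject=child.username, delegated=True)

def authorize(session, account, action):
    if session.subject != account.username:
        raise OversightError("session is not bound to this account")
    if session.delegated:
        if action not in READ_ONLY_ACTIONS:
            raise OversightError(f"guardian sessions are read-only: {action}")
        account.record(session.actor, action)  # every guardian read is logged
    return True

def banner(account, session):
    # Derived from link state on every render; there is no stored "hide" flag to clear.
    if session.delegated:
        return f"Viewing {account.username} as guardian {session.actor} (read-only)"
    if account.guardians:
        return "Overseen by: " + ", ".join(sorted(account.guardians))
    return None
```
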