Scrapping Social Security numbers won’t be enough to protect our identities

My Twitter handle is @JGrantinDC. My email address is similar. I’m not telling you so that you can contact me, but rather to make a point: both are publicly available “identifiers” for me in the modern age.

The fact that someone knows my identifier doesn’t put them in a position to take over my Twitter or email accounts. To do that, they need to obtain my “authenticator” — in this case, the password plus second factor that I use to protect each account. Those are details that I will not publish here.

The difference between identifiers and authenticators is getting a lot of attention these past few weeks, as industry and government leaders, along with security and privacy experts, have called for the country to come up with something to replace the Social Security Number (SSN), in the wake of the Equifax breach.

{mosads}Unfortunately, the debate has been muddled by people failing to differentiate between whether the SSN is an identifier or an authenticator. Part of the confusion is that SSN has been used as both identifier and authenticator in recent years.

At its core, the SSN was created as an identifier. It is a 9-digit code, issued by the Social Security Administration at birth, that is used to help the government know “which Jeremy Grant” they should associate wage and tax data with, and to help administer the delivery of Social Security benefits. Over time, use of the SSN has expanded beyond the purposes for which it was intended, with thousands of private sector entities collecting the SSN as part of the account opening experience — and by credit reporting firms and other data brokers, who have used the SSN as one way to aggregate data about a person.

These expanded uses of the SSN are all as an identifier. But where things have really changed is the practice of using the SSN as an authenticator. Every time a party asks for the last four digits of that number, for example, the premise is that the SSN is a secret — and that possession of the SSN could be used to authenticate a person.

There was a time when SSN as authenticator made sense: someone’s SSN was not widely known or publicly available, so it was safe to presume that it was a secret. But in 2017 — after several years of massive data breaches where millions of SSNs have been stolen — the notion that SSNs are a secret is a fallacy. The Equifax breach may have woken people up to this fact, but for several years now, SSNs have been widely available on the dark web for just a dollar or two.

The message is clear: data breaches have gotten bad enough that we should assume an attacker can get someone’s SSN with only minimal effort. The attackers have caught up to authentication systems that use SSN as a factor — it’s time to move on to something better.

However — and this is key — just because SSNs should no longer be used as authenticators does not mean that we need to replace them as identifiers. Instead, let’s start treating them like the widely-available numbers that they are.

While it might be tempting to create a new, revocable identifier in response to the overuse (relative to its intended purpose) of the SSN, the reality is that both government and industry would simply map that new identifier back to the SSN and other data in their systems. Because the new and old identifiers would be connected, the security benefits would be close to nil.

Moreover, the possibility of chaos due to errors in mapping and matching these additional identifiers would be quite high, given that many government and commercial systems deliver less than 100 percent accuracy today; think about what might happen when a system fails to associate a new identifier with the right person.

Rather than create a new identifier, the focus ought to be on crafting better identity vetting and authentication solutions that are not dependent on the SSN, and are resilient against modern vectors of attack.

This idea is not new: last year’s bipartisan Commission on Enhancing National Cybersecurity called for the Trump administration to “launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management,” with a goal of seeing “no major breaches by 2021 in which identity is the primary vector of attack.”

The report embraced work done to date through the National Strategy for Trusted Identities in Cyberspace (NSTIC) — a collaborative effort between the private and public sectors to improve not just security, but also privacy and usability of identity solutions – as well as the Fast Identity Online (FIDO) Alliance, a consortium of more than 250 entities from industry and government who are creating standards to enable simpler, stronger approaches to authentication.

Building off of the work of these good efforts and others, the market is in a great position to deploy the next generation of strong authentication solutions that don’t rely on the SSN. This past week, U.S. Sen. Ron Wyden (D-Ore.) suggested that the Social Security Administration make FIDO authentication available to beneficiaries as a way to protect their accounts.

But as for identifiers — rather than look to replace the SSN, the best actions we can take are to simply stop overusing it, and to look to protect the SSN when it is used much better than before.

Jeremy Grant is managing director, technology business strategy, for Venable LLP. He previously led the National Strategy for Trusted Identities in Cyberspace (NSTIC).