An SSN is a fine identifier and an awful authenticator. The article says SSNs should not be used to "assure people's identities," does
— Philip Reitinger (@CarpeDiemCyber) October 5, 2017
Rob Joyce wants to get rid of the social security number. “Every time we use the Social Security number you put it at risk,” Joyce, the White House Cyber Coordinator told Washington Post Live recently.
Joyce’s comments have led to no small amount of daydreaming in the technical community about the possibility of using a “modern cryptographic identifier” or (drum roll please) block chain.
That’s all well and good. But the challenges with replacing the social security number with something more secure aren’t technical; they are everything else. And as Steve Bellovin points out, it would be really, really hard.
The core challenge isn’t replacing the social security number as a national identifier – as Phil Reitinger tweeted, “An SSN is a fine identifier and an awful authenticator.” The assumption that you, and only you, know your social security number is no longer a tenable proposition.
Joyce captured the fundamental brittleness of the current system when he said, “It’s a flawed system that we can’t roll back that risk after we know we’ve had a compromise.”
For any new system to be better than what it replaces, it can’t simply be “stronger” or “harder” to break; it needs to be less brittle, by distributing risk and making it possible to change out credentials when compromised.
What might that look like?
My answer: the Internet. Or more precisely, the domain name system. The social security number is a unique identifier, not unlike a domain name. There are multiple Rob Knakes in the United States, but only one with my social security number: me. Similarly, there are many companies that might like apple.com as their domain name, but only one that owns it.
To grossly over-simplify, when I type apple.com into my browser, a process is kicked off to ensure that the website delivered to me is for Apple Computer not any other company that might have liked to claim the domain. My browser asks my ISP if it knows the IP address connected to the legitimate domain owner; if it doesn’t, it pushes the request to higher levels until the request is resolved. The result is that Apple gets to tell the world what servers will serve up its webpage.
Applying the concept to identity, what if, on an opt-in basis, I could choose from any number of companies to serve as my identity service provider, registering my social security number through an identity proofing process (I’m borrowing liberally from the National Strategy for Trusted Identities in Cyberspace here). Maybe Google (they know everything about me anyway); maybe Apple (they make my phone); maybe Verizon (they are my cell provider); maybe Mastercard (you get it).
The goal would be to select my identity provider the same way I can select a domain registrar like GoDaddy (only with mechanisms in place to prevent me from registering any identity but my own). Unlike with the domain name system, there probably isn’t a need for, or an easy way to create, a hierarchy.
When I apply for a new credit card, or a car loan, or to withdraw money from my social security account, I enter my social security number and other basic information for a first level of proofing.
If those records match, a request immediately goes out to all members of the (yet to be established) non-profit identity consortium that looks a lot like ICANN.
If I’ve registered with any one of them, they send back a reply that they are the associated identity provider. If I haven’t registered with one, I can continue to play the fun game of Russian roulette with my identity and use the knowledge-based verification processes that criminals can now routinely beat.
As a consumer, I could switch identity providers whenever I want. I might pick based on security or reputation or pre-existing relationship. I might opt to pay for the service and gain more control or choose a service that is free to me (and possibly ad supported). Ideally, the costs of maintaining the system would be paid for on a per-transaction basis the same way companies pay to pull a credit report today.
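To make the lookup-then-challenge flow above concrete, here is a small toy model of it. This is an added example, not code from the post or from any real identity consortium: the provider names, the hashed lookup key, the HMAC challenge-response and the enrollment, rotation and switching routines are all assumptions chosen to show the one point the post makes, that the SSN plus basic details is only a lookup key, while the thing that proves “it’s me” is a per-provider secret that can be rotated after a compromise or moved to another provider.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the consortium lookup described in the post.
# Nothing here is a real provider API; it exists to show identifier vs. authenticator.


def lookup_key(ssn: str, name: str, dob: str) -> str:
    """Derive the identifier that is broadcast to consortium members.

    The raw SSN never has to leave the relying party: members only need a
    stable key to answer "is this person registered with you?".
    """
    return hashlib.sha256(f"{ssn}|{name.strip().lower()}|{dob}".encode()).hexdigest()


class IdentityProvider:
    """One consortium member (stands in for Google, Verizon, Mastercard, ...)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._secrets: dict[str, str] = {}  # lookup key -> current authenticator

    def enroll(self, key: str) -> str:
        """Issue a fresh authenticator; identity proofing is assumed to have happened."""
        secret = secrets.token_hex(16)
        self._secrets[key] = secret
        return secret

    def rotate(self, key: str) -> str:
        """Re-issue the authenticator after a compromise; the old one stops working."""
        return self.enroll(key)

    def deregister(self, key: str) -> None:
        self._secrets.pop(key, None)

    def claims(self, key: str) -> bool:
        return key in self._secrets

    def verify(self, key: str, challenge: bytes, response: str) -> bool:
        secret = self._secrets.get(key)
        if secret is None:
            return False
        expected = hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def sign_challenge(secret: str, challenge: bytes) -> str:
    """What the account holder's phone or app does with the secret it holds."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).hexdigest()


def verify_applicant(consortium, ssn, name, dob, responder):
    """Relying-party flow: first-level proofing, broadcast to members, then a challenge.

    `responder` is whatever the applicant presents; it receives a random challenge
    and must return the HMAC that only the real account holder can compute.
    """
    key = lookup_key(ssn, name, dob)
    claimants = [p for p in consortium if p.claims(key)]
    if not claimants:
        return "fallback_kba"  # not enrolled anywhere: today's knowledge-based checks
    if len(claimants) > 1:
        return "conflict"  # two providers claim one person: resolve it, don't trust either
    provider = claimants[0]
    challenge = secrets.token_bytes(16)
    return "verified" if provider.verify(key, challenge, responder(challenge)) else "rejected"


def demo() -> dict:
    alice = ("123-45-6789", "Alice Example", "1980-01-01")  # constructed sample person
    consortium = [IdentityProvider("ProviderA"), IdentityProvider("ProviderB")]
    key = lookup_key(*alice)
    results = {}

    # Not yet enrolled: the system falls back to what exists today.
    results["unregistered"] = verify_applicant(consortium, *alice, lambda c: "")

    # Enroll with ProviderA; the secret lives on Alice's device, not in a credit file.
    secret_a = consortium[0].enroll(key)
    results["legit"] = verify_applicant(consortium, *alice, lambda c: sign_challenge(secret_a, c))

    # Someone holding the SSN, name and DOB from a breach, but not the device secret.
    results["ssn_only"] = verify_applicant(consortium, *alice, lambda c: sign_challenge("breach-data", c))

    # Compromise response: rotate the authenticator instead of "rolling back" an unchangeable number.
    secret_a2 = consortium[0].rotate(key)
    results["old_after_rotate"] = verify_applicant(consortium, *alice, lambda c: sign_challenge(secret_a, c))
    results["new_after_rotate"] = verify_applicant(consortium, *alice, lambda c: sign_challenge(secret_a2, c))

    # Switching providers: leave A, enroll at B; A's credential is dead from that point on.
    consortium[0].deregister(key)
    secret_b = consortium[1].enroll(key)
    results["old_after_switch"] = verify_applicant(consortium, *alice, lambda c: sign_challenge(secret_a2, c))
    results["new_after_switch"] = verify_applicant(consortium, *alice, lambda c: sign_challenge(secret_b, c))
    return results


if __name__ == "__main__":
    for outcome, status in demo().items():
        print(f"{outcome:18} {status}")
```

The design point is in `verify_applicant`: the SSN only selects which provider to ask, and a stolen SSN plus name and date of birth gets the applicant no further than “rejected”, while rotation and provider switching both invalidate the old credential without anyone having to change the number itself.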
Initial enrollment might need to involve an in-person proofing event (like getting TSA PreCheck) to reduce the risk of false identity claims, but could also be done online as a live, video-based event. A process for changing providers might need some degree of government regulation, as was necessary to create the phone number porting system we use today. A light-touch regulatory approach run out of somewhere like the Commerce Department (not a national security agency) would set the right tone.
Something along these lines would give us a system of online identification that would not be the equivalent of a national ID card because it would not involve the Federal government and it would be voluntary, not required. Beyond a light-touch of regulation (which might not even be necessary), the government’s role should be to help create the market by making Federal agencies that require proof of identity to provide service the first paying customers of the system.
Such a system would be resilient because it would eliminate the main problem with identity today; it would not rely on things like birthdays, names, or social security numbers that are all but impossible to change. It would begin to devalue personal information in the criminal underworld because that information would, over time, be less useful for committing fraud. By creating a market, it would allow any single failure to have a limited impact and offer a simple recourse to anyone affected by the failure of an identity provider to protect its accounts: switch.