So, what’s a better key?
I think Pete answered your question in his comment. The problem with SSNs is not their use as keys; it’s their use as authenticators. The ubiquity of SSNs is both what makes them useful as keys and what makes them horrible as authenticators, because so many people know them. Pete’s proposal in his blog of making all SSNs public would make it even more clear how horrible they are as authenticators.
Simply requiring the user to supply a password is better authentication. Public/private keys and certificates are probably even better. Many financial institutions are at least talking about going to two-factor authentication, usually involving two different media, such as web and telephone.
Yesterday I had an experience with a rental car company that involved three-factor authentication. I was signing up for their preferred customer program, so I could bypass their airport counters, and I checked one box too many. To get it unchecked, I had to look on their web pages to see what to do, which was to call a telephone number. I did that, and was told I had to send electronic mail requesting the change, which I did. The agent on the telephone read my mail back to me and sent a reply, after which the web pages changed.
Now we probably don’t want anything this complicated for most ordinary transactions, and I suspect the main reason they wanted it to be this complex was because I had checked a box that generated extra revenue for them, but even two-factor authentication would be much better than just asking for the “social”.
-jsq
SSNs make bad keys as well. They lack a check digit, they’re externally controlled, and they’re likely to be re-used for other purposes. Much better to have a locally generated key than an SSN.
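The following is an added illustration, not code from any of the commenters, of two points made above: jsq’s distinction between an SSN used as a lookup key and an SSN used as an authenticator, and the preceding comment’s suggestion of a locally generated key that carries a check digit. The record layout, the Luhn check digit, the PBKDF2 password hash and the sample SSN are all constructed for the example; in the directory below the SSN only finds a record, while proving you own that record requires a separate secret.

```python
"""Added example: separate the identifier (key) from the authenticator.

Constructed illustration. Records are keyed by a locally generated ID with a
Luhn check digit (which an SSN lacks); the SSN is stored only as a searchable
attribute, so knowing it identifies a record but proves nothing. Authentication
requires a secret verified against a salted hash.
"""
import hashlib
import hmac
import os
import secrets


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string (the scheme used by card numbers)."""
    total = 0
    # Walk from the right; the digit nearest the check position is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the trailing digit is the correct Luhn check digit.

    Catches every single-digit error and nearly every adjacent transposition,
    which is exactly the kind of typo an SSN cannot detect.
    """
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def new_customer_id() -> str:
    """Locally generated 10-digit key: nine random digits plus a check digit."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(9))
    return body + luhn_check_digit(body)


def make_authenticator(password: str) -> dict:
    """Store a salted PBKDF2 digest; the secret itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


def verify_authenticator(stored: dict, password: str) -> bool:
    """Constant-time comparison of a candidate secret against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored["salt"], 200_000)
    return hmac.compare_digest(candidate, stored["digest"])


class CustomerDirectory:
    """Records keyed by a local ID; the SSN is an index attribute, not a credential."""

    def __init__(self):
        self._by_id = {}
        self._by_ssn = {}

    def enroll(self, name: str, ssn: str, password: str) -> str:
        cid = new_customer_id()
        while cid in self._by_id:  # vanishingly rare, but keys must be unique
            cid = new_customer_id()
        self._by_id[cid] = {"name": name, "ssn": ssn, "auth": make_authenticator(password)}
        self._by_ssn[ssn] = cid
        return cid

    def lookup(self, ssn: str):
        """Identification only: which record does this SSN refer to? No trust implied."""
        return self._by_ssn.get(ssn)

    def authenticate(self, cid: str, password: str) -> bool:
        """Authentication: the caller must present the secret, not a public fact."""
        rec = self._by_id.get(cid)
        return rec is not None and verify_authenticator(rec["auth"], password)


if __name__ == "__main__":
    directory = CustomerDirectory()
    # Constructed sample values, not real data.
    cid = directory.enroll("Example Customer", "123-45-6789", "correct horse battery")
    print("local key", cid, "check digit valid:", luhn_valid(cid))
    print("lookup by SSN finds record:", directory.lookup("123-45-6789") == cid)
    print("SSN as password accepted:", directory.authenticate(cid, "123-45-6789"))
    print("real secret accepted:", directory.authenticate(cid, "correct horse battery"))
```

Run as a script, the directory finds the record by SSN but rejects the SSN offered as a password, and a transposed pair of digits in the local key fails the check digit instead of silently pointing at the wrong person.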
I agree that the issue is to find a good authenticator. I agree that if your only issue is to identify someone uniquely in your own database, you can generate any kind of ID you want and use that as a key — and that those are two different things.
I’m not sure how a cert would be any better as an authenticator than an SSN, though. It would still have to be portable for the user, which means it could be swiped and copied. It sounds like some companies are limping along with a whole bunch of weaker authentication factors, hoping that the combination will create a minimally trustable authentication.
Take your experience with the rental car company. They authenticated you informally by having a person talk to you on the phone and somehow come to the conclusion that you were probably legit. Then they authenticated you by establishing that the email address you gave them could send and receive mails, and that it was associated somehow with the voice at the other end of the phone, which claimed to be associated with that rental car entry in their database.
And that’s just a company that doesn’t really NEED to authenticate you, as long as your money’s good.
The problem is that in a lot of cases, an individual needs to be able to authenticate himself to multiple entities, and some of those entities may need to be able to track that individual and establish that they’re talking about the right one when they talk to each other about him. Do they get to pass the individual’s cert along to match him up?
What you keep coming back to is a requirement for a unique, universal authentication factor.
So walk me through this, guys. Tell me, for example, how Juan Gonzalez is supposed to register at a new school and prove that he was the same one who previously attended a school in another district so that he can get his course credits. Tell me how both schools authenticate him AND identify him uniquely so that they can transfer the transcripts. Now tell me how they authenticate his immunization records so that he can attend the school.
(I won’t even stack the deck by pointing out that a lot of students attend under made-up SSNs if they aren’t legal residents.)
Seriously, help me out here, guys, because these are the kinds of problems I deal with every day. I agree that we have to ditch the SSN precisely because of its use as an authenticator for financial transactions. If there is no financial gain from stealing an authenticator, then it won’t be as valuable and maybe we can use it longer. So tell me how we split these off, and how this is supposed to work with a cert.