White House Looks at Replacing Social Security Numbers (bloomberg.com)
196 points by chollida1 on Oct 3, 2017 | 165 comments

Generally I am for a smaller government rather than larger. But in this case, the private sector has demonstrated that without regulation specifying otherwise, they will do nothing to protect our identities.

The Social Security Administration's official policy on SSNs is that consumers don't have to give their SSN to businesses with the exception of tax-related things like employment and banks. But, they also say that businesses can choose to not do business with you if you are unwilling to give out your SSN.

And businesses have done nothing to help people secure their identities. In fact, they've done the opposite.

Starting around 20 years ago, I refused to give my SSN out except where it was specifically required by the govt. The insurance companies seemed to be the ones who had the hardest time of it; it required hours of effort with my insurance company to let me not have my SSN as my identifier. They ended up putting all zeroes in. But then every time I used my insurance I had to work with them ("What is your SSN?" "The insurance company doesn't use my SSN, they use all 0s." Blank stare).

Around 10 years ago it got to the point where there was even more push back and the effort was more than it was worth.

It really wasn't helping, being "the one guy who wouldn't give out his SSN". Pretty much every time I explained it to a doctor's office they would say "I've never heard of that before, but it makes sense." That sort of pushback only really works if, you know, at least a few people do it. :-)

Look at their first quote, the reason for all this is “What is a better way to identify consumers in our country in a very secure way?" We are labeled as consumers, not citizens. Culture issue and perception issue everywhere.

> That sort of pushback only really works if, you know, at least a few people do it. :-)

In the 80s and early 90s, I also would refuse to give my SSN for non-taxid purposes.

I also was worn down by the system. Employers wouldn't understand. (HR was horrid.) Buying a house was more difficult. Medical provider relationships were more complicated.

Cheers to you.

I've always left it blank on doctor forms, and no one's ever said a word to me...

I asked my dentist why and his front-office team said it's because it's easiest to sync with insurance this way. Since I had my insurance card on me, I just used that number and they were quite happy. It just seemed like a convenience thing.

Just say you were born abroad, are not a US citizen etc and therefore don't have an SSN, you just happen to speak good English because you went to American school.

But you're happy to give them your national ID number from your home country. Bonus points if you actually have another passport to wave around while claiming this.

This doesn't work all the time, but it's surprisingly effective in like 90% of cases.

Being born outside the US doesn't preclude you from having an SSN. Quite the opposite - they're given to anyone who has ever worked in the US, even on a temporary work visa.

That would be fraud. Don't do this.

Doesn't a party have to claim damages for there to be fraud? How could your doctor possibly do so in this case?

Of course, because only Americans or American educated people can "speak good English".

What would you have a private company do, exactly? Like many after this recent Equifax disaster, I've thought about taking some action - but I'm pretty unclear on what that would mean exactly. What private solution could address this? What product would help?

Private companies could generate their own identifier and then use that instead of an SSN. Here in MA, driver's licenses have a code generated by the RMV.

I think most cases are companies that use software that just assumes the SSN will be readily available.

The problem comes when company A wishes to ensure that its interactions with company B involve individual X, and not some other individual Y or Z.

It's well and good for a given organisation to have its own internal identifier. And virtually all do -- that's what your account number, or customer ID, or payment number, etc., are. That works fine for internal operations.[1]

But it doesn't address the inter-organisational problem.


1. Well, sometimes. Actually the hijinks that can happen within an organisation with identifiers are ... numerous.

Why does the doctor's office ask for SSN?

It's a convenient identity number. It roughly maps to a person, and usually health/dental insurance will be able to look up their customers by it. Ex: when I go to a new dentist, I tell them who I have insurance with, and my SSN, and they're able to confirm I have coverage. It's also a number most people have memorized, because it doesn't change, and is fairly often used.

Let's be careful not to underestimate the value of deniability. Any change in policy needs to maintain the ability of the citizen to challenge actions taken with a private key (opening an account or borrowing money) and the burden should not shift to the consumer.

I fear that financial institutions will use the change as an opportunity to offload their due diligence onto consumers.

Someone having my private key should not have any greater ability to implicate or permanently damage me than someone having my SSN.

Right, this is the challenge. The biggest problem is that SSN were used like a password and not a username. If we simply replace it with a different "secret" number, we don't change much. It is also possible we make it worse temporarily as all the attack vectors are exposed. Give people a private key on a card and they'll just put it into their wallet/purse. Stealing the wallet gives someone an un-refutable ability to become you.

There would also be far less hacking to get SSNs if we had a reasonable credit system where our credit is always frozen and only unfrozen for a short window (24 hours?) at our request and this request is verified via a MFA approach of our choosing. As long as you can get $5K credit at the register in 5 minutes, you are going to have a hard time stopping identity theft. Too many people want easy credit. It will always be a balance of security and convenience. Most consumers want convenience and will continue to do so as long as the cost of the fraud is hidden from them.

The other solution would be shifting the burden of proof for an adverse credit action off of the consumer where it currently resides. If you want to tell the world that I fucked off with your money, there should be a pretty high burden of proof since you bear virtually zero risk for getting my identity wrong while I will pay an enormous price for such a mistake.
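The "always frozen, unlocked for a short window on an MFA-verified request" idea in the comment above, written out as an added example (not code from the thread). The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the bureau-side API, the 24-hour default window and the one-step clock tolerance are assumptions made for this illustration.

```python
import hmac
import hashlib
import struct

# Added illustration of a default-frozen credit file that opens a bounded window only
# after the owner passes a TOTP check (RFC 6238). The CreditFile API, the 24-hour
# window and the one-step drift tolerance are assumptions, not anything from the thread.

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing at_time."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)


class CreditFile:
    """Frozen by default; unlocked for a bounded window after a valid TOTP."""

    def __init__(self, totp_secret: bytes, window_seconds: int = 24 * 3600):
        self._secret = totp_secret
        self._window = window_seconds
        self._unlocked_until = 0  # epoch seconds; 0 means frozen
        self.audit = []           # (event, requester, time): the push feed the thread asks for

    def request_unlock(self, code: str, now: int) -> bool:
        """Owner presents a TOTP code; on success the file opens until now + window."""
        # Tolerate one step of clock drift either side, as most TOTP verifiers do.
        for drift in (-1, 0, 1):
            expected = totp(self._secret, now + drift * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._unlocked_until = now + self._window
                self.audit.append(("unlock", None, now))
                return True
        self.audit.append(("unlock_denied", None, now))
        return False

    def credit_inquiry(self, requester: str, now: int) -> bool:
        """A lender asking to pull the file: allowed only inside the open window."""
        allowed = now < self._unlocked_until
        self.audit.append(("inquiry_ok" if allowed else "inquiry_refused", requester, now))
        return allowed


if __name__ == "__main__":
    # Constructed walk-through: the RFC 6238 test secret and made-up timestamps.
    secret = b"12345678901234567890"
    f = CreditFile(secret)
    print("cold inquiry:", f.credit_inquiry("lender-A", 1000))            # refused
    print("unlock:", f.request_unlock(totp(secret, 1000), 1000))          # True
    print("inquiry in window:", f.credit_inquiry("lender-A", 1000 + 3600))  # allowed
    print("inquiry after window:", f.credit_inquiry("lender-B", 1000 + 24 * 3600))
    for event in f.audit:
        print(event)
```

The audit list is the hook for the notification idea raised later in the thread: every refused inquiry is an event worth pushing to the owner, since a refused pull against a frozen file is exactly what an attempted fraudulent account opening looks like.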

Isn't it kind of insane that a random entity can destroy your financial reputation with little more than a few bits of info about you? And without any notice before or after of it happening (you have to affirmatively ask about it to find out). It's so strange that you will get notified if you're rejected for credit due to your credit score, but not notified by the party who made the claim on which that decision was based?

It's not so much that the burden of proof is on the citizen, but that the burden of ongoing defence is.

In most cases, if there's a case of fraud, you file a counter, and (modulo various bureaucratic foulups), you're clear. The merchant almost always eats the cost, and that really should be changed, at least balanced with the financial institution.

The burden is more from the "death by a thousand cuts" variety of having to go through the re-assertion process again and again and again and .... I've been looking at attention and cognition mostly in the context of media, but the simple truth is that most of us are bombarded by all sorts of demands and claims, dealing with which is an increasingly insurmountable burden.

I liken this to point-and-click computer interfaces. It's simple to graphically delete a few files or folders or message notifications. It's a slight chore when that rises to 20 or 30. At the level of a hundred or so items, most people would give up. With more powerful tools, it's possible to manage hundreds, thousands, even millions of items with dispatch. (Of course, that may increase the likelihood that you'll have to do so.)

Given the frequency of issues and the magnitude of them, presented through current financial and authentication mechanisms, even "easy" repudiation becomes untenable at scale.

Further, I think there should be notifications when our credit information changes. How this information is sent is a really good question, but instead of us having to search for modifications, it should just be pushed.

How about an active, closed loop, control solution?

When someone wants to confirm your identity, or otherwise interact with your 'financials', you get sent an email with a quickly expiring link that you click on to view a page where you enter the name of the org or person you /think/ is checking your data, and if it matches things work.

And that email information, and account, are managed where? By what authority? Protected and secured how?

Beware Maginot defences.

Dun and Bradstreet is the business equivalent for credit scores. Businesses can easily sign up for a free service to get instant notification of creditworthiness changes. It's free as a marketing tool to buy their very expensive other services, but works well and is very easy to challenge any adverse reports.

Because private keys are a far greater tool of proving identity than an SSN, I would argue one should have much greater culpability in an "unauthorized" action.

SSNs are lost for good on breaches of companies' infrastructures, but nothing should be lost in a Pub/Priv key scheme. What we'll need is a good key revocation process. So when my identity is compromised (say, malware on a device) then I can be me again.

> Because private keys are a far greater tool of proving identity than a SSN, I would argue one should have much greater culpability in an "unauthorized" action.

If you have the technical know-how to protect your private key, and you're immune from rubber hose attacks, and there's no mechanism for key recovery outside your control, I'd agree.

However, people.

You wouldn't depend on technical know-how, you'd roll it into a card or something like that. Chip & pin cards already do all of this.

And I'm not aware of any system suitable to replace SSN that can withstand rubber hose attacks. That's where law enforcement & the justice department will have to step in, as always.

> You wouldn't depend on technical know-how, you'd roll it into a card or something like that. Chip & pin cards already do all of this.

This attack doesn't work with smart cards that basically do nothing but act as an HSM. The MITM attack works with a loophole in some EMV cards because the card isn't signing a transaction request but just saying "PIN is good!"

If your card holds a private key and won’t sign anything without also being fed a correct PIN you’d need a proper exploit of the application on the card to defeat it.
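The difference the two comments above draw, a card that only attests "PIN OK" versus one that produces a cryptogram over the transaction it was shown, as an added runnable model that is not from the thread. A keyed MAC stands in for the card's cryptogram (EMV online cryptograms are in fact issuer-shared symmetric MACs, though the exact message format is not reproduced here); the merchant names, amounts and the tampered-terminal flow are constructed for illustration.

```python
import hmac
import hashlib
import json

# Added, simplified model of the two card designs discussed above. An HMAC stands in
# for the card's cryptogram and the key never leaves the Card object, the way it never
# leaves the chip. Transactions and the relay flow are constructed for this example.


def _canonical(txn: dict) -> bytes:
    """Deterministic encoding so card and issuer MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


class Card:
    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin

    def pin_ok_token(self, pin: str) -> bytes:
        """Weak design: proves a correct PIN was entered, but is not bound to
        any particular transaction."""
        if pin != self._pin:
            raise ValueError("wrong PIN")
        return hmac.new(self._key, b"PIN OK", hashlib.sha256).digest()

    def sign_transaction(self, pin: str, txn: dict) -> bytes:
        """Better design: the cryptogram covers the transaction the card was
        shown, and is only produced after a correct PIN."""
        if pin != self._pin:
            raise ValueError("wrong PIN")
        return hmac.new(self._key, _canonical(txn), hashlib.sha256).digest()


class Issuer:
    def __init__(self, card_key: bytes):
        self._key = card_key

    def accept_pin_only(self, token: bytes, txn: dict) -> bool:
        # All the issuer can check is that *some* PIN verification happened;
        # txn cannot be checked because the token says nothing about it.
        expected = hmac.new(self._key, b"PIN OK", hashlib.sha256).digest()
        return hmac.compare_digest(token, expected)

    def accept_signed(self, cryptogram: bytes, txn: dict) -> bool:
        expected = hmac.new(self._key, _canonical(txn), hashlib.sha256).digest()
        return hmac.compare_digest(cryptogram, expected)


def relay_terminal(card: Card, issuer: Issuer, pin: str,
                   shown_txn: dict, submitted_txn: dict, signed: bool) -> bool:
    """A tampered terminal shows the cardholder `shown_txn` but forwards
    `submitted_txn` to the issuer. Returns whether the issuer approves."""
    if signed:
        cryptogram = card.sign_transaction(pin, shown_txn)
        return issuer.accept_signed(cryptogram, submitted_txn)
    token = card.pin_ok_token(pin)
    return issuer.accept_pin_only(token, submitted_txn)


def demo() -> dict:
    """Run both designs against an honest terminal and a tampered one."""
    key = hashlib.sha256(b"constructed card key for this example").digest()
    card, issuer = Card(key, "4242"), Issuer(key)
    honest = {"merchant": "Corner Cafe", "amount_cents": 450, "currency": "USD"}
    fraud = {"merchant": "Corner Cafe", "amount_cents": 450000, "currency": "USD"}
    return {
        "pin_only_honest": relay_terminal(card, issuer, "4242", honest, honest, signed=False),
        "pin_only_tampered": relay_terminal(card, issuer, "4242", honest, fraud, signed=False),
        "signed_honest": relay_terminal(card, issuer, "4242", honest, honest, signed=True),
        "signed_tampered": relay_terminal(card, issuer, "4242", honest, fraud, signed=True),
    }


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name}: {'approved' if approved else 'rejected'}")
```

With the "PIN OK" design the tampered terminal's inflated amount is approved, because nothing the card emitted ties the PIN check to the $4.50 the cardholder saw; with the signing design the same substitution fails verification at the issuer, which is the property the comment above is relying on.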

I think what many Americans fail to appreciate is that all the safety guarantees that come with deniability + lax security have a (pretty big) cost, one that YOU are paying in the end.

Like - US for a very long while didn't use chip & PIN - but it was simple to deny the transactions and as a consumer you were somewhat well protected, despite lax security. But this generates large costs, and perversely, the cost/uncertainty affects the small businesses the most.

Yes, when I use 3DSecure for an online transaction, the bank shifts the burden of proof to me (a correctly-authorized 2-factor transaction cannot be simply challenged with a complaint at the bank, I have to prove that it wasn't me). Still, it's hard to argue that 2-factor for online transactions is consumer-unfriendly, even if the consumer loses the deniability.

Why does the initial attempt of a solution have to work for everyone overnight? Stop the bleeding with those with tech know-how first. Then the others will come as the solution matures. What is with people wanting to flip the bit all the time, jeez. Run two bits!

You nailed the sentiment that I think the technically inclined get wrong. I respect the position, but think it either fundamentally flawed or just too fast a social transition.

By that I mean that we need to educate the masses that a few letters and numbers are as valuable and powerful as the combination to their home safe or keys to their car. People just aren't inclined to exercise the same degree of caution over some gibberish letters as they are the cash in their sock drawer, even though the gibberish is potentially much more valuable.

I'm skeptical that such an education is possible without it being ingrained from youth and even then it may be impossible to achieve a high enough degree of understanding to make the kind of shift you envision.

If your private key is compromised, then notifying the businesses/government would work as before. Getting a new public certificate would involve going to the government/business in person to get a new one.

If people have to go through a lot of trouble, I suspect they would quickly learn a way to minimize the risk of having to do so. I suspect that most people are careful with their passports so that they don't lose them, because it is a bit of a hassle to get a replacement.

But what about the non-techie who is compromised during a "tech support" scam session or by a phishing email ("This is IRS calling...")? They don't know it's been compromised, don't report it and later have no idea why their reputation is trashed.

I'd have to see more of how you think such an attack might work, and think of how to defend against it. In general though:

1. The use of a physical authentication mechanism makes exfiltration far more difficult. The problem with passwords is that they can be sniffed with absolutely no awareness by the victim. A device or token you have to have yourself is going to make its absence known.

(This presumes it's not cloneable.)

2. That reduces the attack surface for phishing. What I suspect is is that you'd see other forms of attack -- say, trying to get recurring charges inserted into bills or some such, rather than full account access.

3. In the event of token compromise, the ability to determine after the fact that a device was compromised and invalidate the subsequent transactions would be helpful. (Sorting out who bears the risk for that would be an interesting question. I'd like to put the burden on the banks, as they're best positioned to detect such activity.)

the situation is still better because when those people find out they can actually get a new public cert unlike now.

People putting cash in a sock drawer are not exercising caution. They would use a safe if they used caution. I know people who I'm sure have more than $10,000 in cash in their "sock drawer".

Gibberish is not something humans can remember. Technical people use a password manager, but that just limits us to one password that we use often enough that we have a chance to remember it. One wrong knock to the head though and all the passwords stored in the manager are gone - unless you wrote the password down someplace, but then that place is your sock drawer: probably not secure enough.

The manifestation of such a key doesn't have to be "numbers and letters" it could be a passphrased USB key, for example. Maybe applications would be designed where you touch your thumbprint to your USB key and it would unlock it for 60 seconds or w/e.

This is basically what's happening in S.Korea. Instead of investing more in security, banks are offloading the duty to the consumers. They issue a private key and ask for three different layers of password/pins nobody ever remembers. If you (or the bank) ever get hacked, well, you can't prove that it wasn't you "so too bad" is basically what happens.

I'm not following this. When I advocate for globally unique identifiers, I never considered using GUIDs for credentials, key exchange, etc. Just for uniquely identifying people.

You let out "further" before "offload" in your 3rd paragraph.

You left out the 'f' in 'left.'

This is long overdue.

In France, the privacy watchdog CNIL was founded in 1978 when the idea of using the social security number for all sorts of other purposes got proposed (and rejected), prompting some safeguards.

In the US, we've been so allergic to a "national ID card" that we just re-purposed the SSN into the very same thing. But then we decided to make it both a unique ID and a password, despite it being a terrible way to perform authentication (and an even worse way to do authorization).

It's a rare circumstance where there's an allergy to national ID cards on both sides of the political aisle. On the Republican side they (supposedly) fear greater Federal Government power, tracking, etc. On the Democrat side, they're afraid of national ID cards being required at voting locations.

Why would Democrats be afraid of IDs being required for voting if everyone got one? I thought the whole Republican opposition to voting rights stuff from the Democrats was because they know there's a bunch of poor would-be-Democrats who don't currently have the required IDs.

We’re not. The problem is with the “everyone got one” part. Every time I’ve discussed this issue personally with a republican they act indignant when I assert that the ids need to be free and trivially obtainable. Usually grousing about the cost and “laziness”.

I have personally spoken to a Democratic voter who told me about committing voter fraud. It does happen.

Of course, because there is no voter ID there is no accurate way to measure voter fraud. Because there is no way to measure it, it can be truthfully claimed that there is no evidence that it is significant. Because there is no evidence that voter fraud is significant, there is no need to introduce voter ID.

#1 -

Privacy minded and anti-government types opposed RealID.

Ironically, globally unique identifiers are required to protect our demographic data. Otherwise all records must be stored as plaintext (unencrypted). I was very chagrined when I finally figured this out, causing me to support RealID.

Source: Me. I worked on both voter privacy and electronic medical records.

#2 -

The government, through contracts with services like LexisNexis (née Seisint), have already created globally unique identifiers for pretty much every person, living or dead. Replacing SSN would just formalize, simplify, daylight such matters.

Alas, wedge issues like voter registration databases (assessing eligibility to vote) and immigration status, in near real-time, would become trivial and nearly error free, so I doubt this commonsense, practical effort will happen any time soon.

Eh, I still think the best thing for the gov't to do in regards to SS numbers is just publish them all in an open database accessible to anyone. That would put an end to banks and such trying to use them as a way to verify identity.

SS are useful as a unique identifier for Americans. But the weird process by which they've become some sort of "password" for accessing credit and such in someones name is crazy, and pretty obviously not working.

> Eh, I still think the best thing for the gov't to do in regards to SS numbers is just publish them all in an open database accessible to anyone.

They basically are available to any business that needs them. Just takes a few months to go through the compliance process for an identity verification company. See https://cognitohq.com/docs

Regarding it being a password, yeah that is pretty bad. Some friends of mine are working on Bloom (https://hellobloom.io/) which is trying interesting things that hook into the real world (necessary) while also trying to create a better system eventually. Basically, an ID you control with a private key is approved by identity verification services. Your friends basically vouch for the ID being correct. Your identity is tied to that ID. If you lose the private key then you have your friends invalidate the old ID and transfer their vouch to your new ID. Way better than just a secret number.

I suspect just requiring people seeking credit to just have to come personally to a bank with a photo-ID, a pay-stub and have to confirm they have access to the postal address they have on their ID would solve it. This wouldn't by any means be foolproof (after all, half the highschool students in the US manage to get passable fake IDs), but the fact that it would increase the effort to open lines of credit, slow down the rate at which you could open new lines and increase the risk of getting arrested when you tried would, I think, shift the risk and reward balance on most scams to the extent that it wouldn't be worth it to the scammers anymore.

> That would put an end to banks and such trying to use them as a way to verify identity.

Obviously it should do so - but obviously, they shouldn't be using them in the first place. Doesn't seem like it would stop anyone - possibly for regulated entities like banks, maybe - but even then, they'd probably have to be dragged, kicking & screaming.

Yeah, but if they were literally all published publicly, banks wouldn't even be able to pretend they provided some measure of security. Though of course whatever banks use as a replacement may be equally bad.

I think Equifax just did that for them.

Just to make a pedantic point, SSNs do not indicate US citizenship or nationality. Permanent residents (green card holders) and those on temporary work visas receive SSNs.

The cards used to have "Not For Identification" printed right on them. This has been a known bad idea for decades but we just decided to do it anyway.

So little faith in the US government to do this with the least bit of efficacy. It will be contracted out to a big firm, for a ton of money, with project overruns, budget overruns, and in 20 years will probably still be using SSNs while they continue to fix this new system.

The US Digital Service is supposed to be pretty good these days. It might turn out better than expected.

It will probably build off the already deployed login.gov which appears to be a service built with modern technologies and practices.

This is simple, I just need a government issued public/private key, a government username/password, a government OAuth service and a government mobile authentication app.

Most people won't even need to know the public/private key exists, but techies can leverage it to automate their lives some day.

Let's say I want to open a bank account with bank X. So I go to bank X's website and click open an account. Select my country and it redirects me to an oauth login page for my government. I log in and authorize the bank to view my basic identity info. Now the bank knows who I am and I can finish opening the account.

For in-person interactions, I could have my phone scan some person/company's public key in the form of a QR code and generate a qr code of my own that will let that company instantly authenticate me (airline, cruise line, police officer, etc.) with the government, but that same qr code will not do anything with any other person who sees my code because it is encrypted with the company's public key.

My government password can be reset if compromised and I never have to give out to anybody which puts it miles ahead of social security numbers from day 1. My phone is secure if lost, because it requires my government password to unlock the app as well as some biometric information.

What about those who do not own a mobile device, or those not comfortable with technology? We live in a large country, and we must have support for ALL of our citizens, not just our younger tech-savvy ones. Go to a community of 65+ year olds and explain this to them. You'll get back blank stares. It's a non-starter.

> not just younger tech-savvy ... 65+ year olds

> those not comfortable with technology

Or those of us that are comfortable with technology refuse to carry tracking devices in this post-Snowden world.

The internet is already creating far too many interdependencies that will have unforeseen consequences and create the risk of cascade failure. I strongly recommend to anyone that wants to tie something as important as government services to the internet that they listen to Dan Geer's recent-ish talk[1][2], and maybe reconsider the kind of future they are trying to create.

[1] https://www.youtube.com/watch?v=hcIiD4UUDE8

[2] http://geer.tinho.net/geer.source.27iv17.txt

Start the conversation with

"Have you or a loved one ever experienced identity theft?"

"How long did it take to get things fixed?"

"Since your social security number never actually changed, what's to stop you from having new issues 5 or 10 years from now?"

"The cost of a pay-as-you-go phone can be less than the cost of 'Identity theft protection'."

If that doesn't work, let them opt out.

Make it opt-in. Anyone who isn’t comfortable with the change can continue to use their SSN.

Every business will then continue to just use social security numbers since everyone is guaranteed to have one. Half measures won't work, that's how we got here in the first place.

Opt-in for the customer not the business.

I got that. So everyone will have a SSN and only some people will have the new thing. My point stands. We have lots of evidence in security that this type of suggestion leads to problems, see for example export-grade crypto.

OT but can be filed under "Falsehoods programmers believe about Social Security Numbers": SSN's are unique per person.

A friend of mine worked on a shareholder database for AT&T back in 70/80's and discovered this when they tried to make their SSN column unique.

Why does AT&T need to store SSNs? At BT, improper use of NI numbers was a gross misconduct case.

AT&T issues dividends to shareholders. Dividends are taxable, and must be reported to the IRS with the shareholders' tax ID.

Now, AT&T also asks for account holders' tax ids, which they use to pull credit reports, and to report on credit activity.

Multiple accounts belonging to a single person, or the same SS number for different people?

Same SS for multiple living people. It's also kind of amazing that the AT&T shareholder database was large enough to have dupes.

Doesn't the birthday paradox/pigeonhole principle apply here? If we assume that there are 1,000,000,000 unique values, then the square root of a billion (31,622) is all you need for a 50% chance of collision.
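The birthday-bound arithmetic in the comment above, as an added, runnable check (not part of the thread). Everything here assumes identifiers drawn uniformly at random, which the next reply points out was not how SSNs were assigned before 2011; so these figures bound the random-assignment case only. The exact probability at n = 31,622 draws from N = 10^9 values, the n at which 50% is reached, and the expected number of duplicate pairs in a table of a given size (the quantity that matters for a large shareholder database) are each computed by a separate function.

```python
import math

# Added worked check of the square-root (birthday) rule discussed above. All three
# functions assume uniformly random, independent draws, which is an assumption the
# thread itself notes does not hold for pre-2011 SSNs.


def collision_probability(draws: int, space: int) -> float:
    """Exact probability that `draws` values chosen uniformly and independently
    from `space` possibilities contain at least one duplicate."""
    if draws > space:
        return 1.0
    # P(no collision) = prod_{k=0}^{draws-1} (1 - k/space); accumulated in log
    # space so the product of thousands of near-1 factors does not underflow.
    log_no_collision = sum(math.log1p(-k / space) for k in range(draws))
    return 1.0 - math.exp(log_no_collision)


def draws_for_probability(p: float, space: int) -> int:
    """Number of draws at which the collision probability reaches p, from the
    standard estimate n ~ sqrt(2 N ln(1/(1-p))). For p = 0.5 this is about
    1.18 * sqrt(N), not sqrt(N)."""
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def expected_duplicate_pairs(draws: int, space: int) -> float:
    """Expected number of colliding pairs among the draws: n(n-1) / (2N).
    Grows quadratically, so a table of millions of rows has thousands of dupes."""
    return draws * (draws - 1) / (2.0 * space)


if __name__ == "__main__":
    N = 10 ** 9  # nine-digit identifier space
    for n in (31_622, 37_233, 100_000, 3_000_000):
        print(f"n={n:>9,}: P(collision)={collision_probability(n, N):.4f}"
              f"  expected dup pairs={expected_duplicate_pairs(n, N):,.1f}")
    print("draws for 50%:", draws_for_probability(0.5, N))
    print("classic birthday check, 23 people:", round(collision_probability(23, 365), 4))
```

The 3,000,000-row line is the one to look at for a shareholder register: at that size a uniformly random nine-digit identifier is expected to collide thousands of times, so a unique constraint on such a column is doomed even before data-entry errors are considered.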

That's only if SSNs are randomly assigned. They aren't.

The issue is people are giving AT&T incorrect SSNs.

Post-2011 they started making them random.

Name + DOB + SSN are mostly unique. No guarantees.

Throw in Place of Birth and cross your fingers.

I'd addressed that a week or a few back regarding account security questions. A big problem is that there are only so many place names in any country, and of those, a relatively small set with birthing centres.

There are 248 birthing centers in the United States, and only about 1% of all births occur outside of one (typically a BC is at a hospital).

I think you are reading that wrong. There are 248 freestanding birthing centers that are not attached to hospitals. 0.4% of births occur in birthing centers. 0.9% occur at home. 98.6% of births occur in hospitals. There are >5000 hospitals in the US.

A survey or count of maternity wards, or labour & maternity centres, or ... whatever else they're called now ... is rather hard to come by.

This long HuffPo piece profiling the problem ... manages to specifically fail to answer that question, though it does note that "more than half of all rural counties in this country are now without a single local hospital where women can get prenatal care and deliver babies."

This list suggests there are 1627 rural counties in the US. So at least 814 of them lack a birthing facility (hospital, clinic, etc.) of some stripe.

There are 3,142 counties total in the US.

Ah, that could very well be the case, as the number sounded somewhat absurdly low. I was trusting in the source, and definitions weren't particularly clear.

I'm not sure every "hospital" itself has a maternity ward, given my familiarity with several specifically in outlying areas (many are not much more than glorified first-aid stations, without permanent resident physician staff -- that happens to be how I'm principally aware of them).

But we're down to something on the order of 2500 - 5000 facilities, now, which remains a pretty low count.

Doesn't the SSN already encode the general area where it was issued (usually place of birth?)

It did, by office (through 1972) or ZIP Code (through 2011), but not any longer.

If you are on HN and have a randomly-assigned Area Number on your SSN, you are, however, precocious.

SSN's were never meant to be used for identification purposes like they are used today. They were designed only to be able to make a SS benefit claim when you came of age to help prove you are entitled to the benefit. That's why they gave you a physical card. Combined with your other, regular identification (if requested), you can prove that you are the person you say you are and the benefits available to you have already been recorded. The SSN itself should never have been used in lieu of proper identification.

Does everyone really need an unique digital identifier?

My feeling is, "this is probably you" is good enough for nearly every transaction people will perform. And we've long had a system in place to deal with the special cases in which this is not good enough: notaries.

Financial companies need to come to terms with this fact and accept insurance against its exploitation as a cost of doing business.

For taxes and other government documents, we should all move to a tax id system, like businesses use.

Absolutely not for each and every transaction. There are a certain set of activities for which a 1:1 association is highly preferable, though voting is about the most extreme case. For various reasons, there are both problems with trying to create a voter-ID system, political resistance to this, and relatively limited call to do so in the first place (in-person fraud is expensive, risks elsewhere are far greater).

Much of the remaining argument revolves around credit and risk, and around advertising and tracking. I'd argue that the first does not require single-ID tracking, and the second should under no circumstances be allowed to institute it.

Much of the remaining space is national accounts types stuff: tax, pension, and medical authorities, passport/border control, some licensing (much of that at the state/local level).

But yes, at the national level, there is a call for 1:1 account assignments, though those need not be unified across all services.

This would be amazing if done correctly. With modern crypto there's a world of options to enable things like identity validation, attestation, and delegation without giving the keys to your entire identity. It'd also be a perfect candidate for an RFC style process.

Unfortunately this is the Federal government we're talking about so the chance of it being completed in any timely fashion are slim.

Has the UX been worked out so that disinterested people can successfully and reliably do all that stuff without leaking their private keys?

There will be roughly 300 million disinterested users, making it work reliably in that scenario is important.

I think it could be done with something like a smart card. Most people are terrible at remembering secrets but pretty good at not losing their keys or wallet.

Combine that with X forms of id to issue a new smart card (like passports today) or pre-delegation to M of N trusted people to vouch for you (ex: you could delegate choose two of mom + dad + brother) and you cover the majority of the population.
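One concrete way to build the "choose two of mom + dad + brother" pre-delegation above, as an added example that is not from the thread: a recovery secret (say, the seed from which a replacement smart card is provisioned) is split with Shamir's scheme so that any M of the N holders can reconstruct it, while fewer than M hold no information about it. The choice of field, the share format and the fingerprint check that detects a short or wrong set of shares are decisions made for this illustration; the vouching in the comment could equally be done with M-of-N signatures rather than secret sharing.

```python
import hashlib
import hmac
import secrets

# Added illustration of M-of-N recovery for a lost identity token using Shamir's
# secret sharing over GF(p). The field (Mersenne prime 2^521 - 1), the (x, y) share
# format and the SHA-256 fingerprint are choices for this example, not anything from
# the thread.

PRIME = 2 ** 521 - 1  # prime; secrets of up to 64 bytes fit below it


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, holders: int):
    """Split `secret` so any `threshold` of `holders` shares rebuild it.
    Returns (shares, fingerprint); shares are (x, y) with x = 1..holders."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Constant term is the secret; the other coefficients are uniformly random,
    # so any threshold-1 shares are consistent with every possible secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]
    return shares, hashlib.sha256(secret).digest()


def recover_secret(shares, fingerprint: bytes, length: int) -> bytes:
    """Lagrange interpolation at x = 0. Too few or mismatched shares still
    interpolate to *something*, so the public fingerprint is checked before
    the result is trusted."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    if total.bit_length() > 8 * length:
        raise ValueError("shares do not reconstruct the registered secret")
    candidate = total.to_bytes(length, "big")
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), fingerprint):
        raise ValueError("shares do not reconstruct the registered secret")
    return candidate


if __name__ == "__main__":
    # Constructed walk-through: a 32-byte recovery seed, 2-of-3 among mom, dad, brother.
    seed = secrets.token_bytes(32)
    shares, fp = split_secret(seed, threshold=2, holders=3)
    mom, dad, brother = shares
    print("mom + brother recover:", recover_secret([mom, brother], fp, 32) == seed)
    try:
        recover_secret([dad], fp, 32)
    except ValueError as e:
        print("dad alone:", e)
```

The fingerprint is public and stored alongside the registration (it reveals nothing useful about a 32-byte random seed), so the issuing authority can verify a recovery attempt without ever holding the seed itself; who may hold shares, and how they are re-dealt when the family changes, is the policy question the comment leaves open.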

The key will obviously need to be stored in a physical token of some kind that's designed to prevent the key from being extracted. Kinda like how U2F and Smart Cards work.

And somehow you're going to have to accept the fact that people are going to lose their keys. You're going to want to make sure you can properly reissue one to the correct person.

This is already a completely solved problem in Scandinavia. You get a key card in the mail full of single use codes. If you lose the card, you call a number and they void the old card and send a new one. If you use all your codes, they send you a new one. It works fine.

The mailed code list is being phased out since there's no guarantee somebody hasn't opened your mail, taken a picture of it, and put it back.

Being replaced by what?

What happens if you lose your key card and your code list?

"If you lose the card, you call a number and they void the old card and send a new one."

How do they know you are who you say you are? What's stopping me from calling them and asking them for a new card on your behalf?

Is there anything that you can do that causes them to "lose faith" and requires more substantial proof?

What if you move? How do they verify your address is yours?

Key issuance and revocation by centralized authorities is a problem the X.509 PKI system has been dealing with for decades now. Shouldn't be too hard to create a similar system for personal identification.

So what _should_ we replace SSNs with? Obviously some kind of system based on asymmetric cryptography would be ideal, but what system, specifically?

There are a lot of competing concerns here, not the least among them being privacy. For example, if a system based on public key cryptography becomes commonplace in the US, will websites start using that same system for authentication? There are some rather significant privacy issues associated with having a government issued, globally unique ID associated with your account on random websites.

Maybe this is something the tech industry in the US should be involved in? I imagine lots of companies would jump at the chance to be involved in a standards group designing a unified method for citizen authentication in the US.

Maybe we don't need a unique id at the federal level after all. Financial institutions are already required to follow KYC (Know Your Customer) laws. For this they need a way to validate the identity of the customers they do business with. I guess they already have enough ways to do this without relying on SSN or a potential national id card.

BTW, after the Equifax hack, financial institutions should be mandated to stop trusting SSN as proof of identity.

I'm thinking of the number of government-level identifiers which might be needed / used:

* Tax authority (TIN).

* Pensions system (e.g., SSN)

* Possibly a voting ID, though that's fraught.

* Military or national service ID.

* State tax ID.

* Drivers registration.

* Real estate / property ID.

* Medical records ID.

* Social benefits ID.

* Other registrations, e.g., weapons, broadcast licenses, etc.

This is a major concern of mine as well.

For some purposes, there's a need for a single identifier. For others, various counterparties only need to agree that they are talking about the same party. Creating paired (or multi-part) keys might work for that. (This could also cut down on the rampant and promiscuous data exchanges that occur currently, particularly if the subject of the data had to participate in the making of any such shared identifier.)

For the general case of online identity, I'd really like to see the concept of an identity manager, with various policies which could be set, both as defaults and with specific counterparties.

As an example, I might have a policy that "all sites default to a one-time session identifier which is destroyed after 24 hours". This gives a stateful history for 24 hours, but a clean slate afterwards. It should be enough for basic site navigation, but not for deeper interactions (e.g., posting inane comments to HN). The periods might be longer or shorter.

For a select set of sites, persistent IDs might be presented, but specific only to a given site.

And where necessary, a set of sites might have a common ID. Say, a cluster of systems used for work purposes.

And if needs be, you might have a limited set of systems -- your government pensions account, tax systems, and voting registration, say -- which link to a specific government-issued ID.

For such a system, I see a physical token (I'm partial to very-near-field chips in a worn form-factor, say an NFC-ring), some additional input (password, passphrase, possibly biometrics), and then, by way of an identity management system (probably on a local device), the identity assertion specific to a given service is offered.

There are any number of other elements to this, including the problems of deanonymising data and such. For that I see legal reforms coming into place, which is a longer discussion.
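The per-counterparty policies described above (a session identifier that dies after 24 hours, a persistent identifier scoped to one site, a common identifier for a cluster of work systems) can all be derived from one master secret without storing a separate credential per site. The following is an added example, not code from the thread or from any existing identity manager; the master secret, site names and cluster names are constructed for illustration, and the epoch-aligned 24-hour rotation is an assumed simplification.

```python
"""Per-counterparty identifiers derived from one master secret.

Added example, not code from the thread. It models three of the policies the
comment describes: a session identifier that is replaced every 24 hours, a
persistent identifier scoped to one site, and a common identifier shared by a
named cluster of sites. The master secret, site names and cluster names are
constructed for illustration.
"""
import hashlib
import hmac

SESSION_TTL_SECONDS = 24 * 60 * 60   # the "destroyed after 24 hours" default


class IdentityManager:
    """Holds the master secret and a per-site policy table (assumed design)."""

    def __init__(self, master_secret: bytes):
        self.master_secret = master_secret
        # site -> (policy kind, cluster name or None); unknown sites get "session"
        self.policies = {}

    def set_policy(self, site, kind, cluster=None):
        self.policies[site] = (kind, cluster)

    def _derive(self, label: bytes) -> str:
        # HMAC-SHA256 keyed with the master secret behaves as a PRF: distinct
        # labels yield identifiers that cannot be linked without the secret,
        # so a site-scoped ID says nothing about the same person's ID elsewhere.
        return hmac.new(self.master_secret, label, hashlib.sha256).hexdigest()[:32]

    def identifier_for(self, site: str, now: int) -> str:
        kind, cluster = self.policies.get(site, ("session", None))
        if kind == "session":
            # Rotates at fixed 24-hour boundaries (epoch-aligned, not per first use).
            window = now // SESSION_TTL_SECONDS
            return self._derive(b"session|%s|%d" % (site.encode(), window))
        if kind == "site":
            return self._derive(b"site|" + site.encode())
        if kind == "cluster":
            return self._derive(b"cluster|" + cluster.encode())
        raise ValueError("unknown policy kind: " + kind)


def demo_manager() -> IdentityManager:
    """Constructed configuration: one persistent site, one work cluster, rest default."""
    im = IdentityManager(bytes.fromhex("00112233445566778899aabbccddeeff" * 2))
    im.set_policy("bank.example", "site")
    im.set_policy("mail.work.example", "cluster", cluster="work")
    im.set_policy("chat.work.example", "cluster", cluster="work")
    # news.example has no entry and therefore gets the 24-hour session default
    return im


if __name__ == "__main__":
    im = demo_manager()
    for site in ("news.example", "bank.example", "mail.work.example", "chat.work.example"):
        print(site, im.identifier_for(site, now=0))
```

The government-linked case from the comment is deliberately left out: it is the one policy where the identifier is issued by the counterparty rather than derived by the user, so it belongs to the token and authority design rather than to this derivation step.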

In the Nordic countries we have two-factor authentication, with your bank used as the means of authentication. See for example BankID in Sweden. Tools like this reduce the SSN to a username instead of a password, as it should be.

I see talk in this thread that uses the term 'private key'. Which makes me think about using a literal cryptographic private / public key combo for this sort of thing.

Say I have a private key, and I want a business to have a way to ID me. They give me a key associated with me in their database, and I encrypt it with my private key, and give the results back. Now when someone wants to do business with them in my name they must turn those results back into what the business has in their database. So long as I keep my key safe the business can leak data all they want.

This would shift all the work for security over to the citizens though, which could have mixed results...

And what happens when someone's private key leaks? Do they have to get issued a new one somehow? If someone has gone through 7 private keys, how do you know that the one person-claiming-to-be-someone is giving you the most up to date one vs an older one, etc.

There would be a lot of non-trivial considerations by pushing all this on average joes (both as individuals and as people attempting to verify individuals).

A system that appears secure but isn't is more dangerous. I can hear a 60 year old now: "Aunt Claire is stuck in London and needs money! We know it's her, here's her [expired key] encrypted message!"

To prevent re-use of old keys, a key-revocation protocol should exist. There's an existing (though pretty crufty) version of this in PGP, though it relies on keeping your revocation key safe, which is a bit of a stretch as that's something you need ... once.

A "bad keys" registry might be a useful / necessary thing.

Enforcing a regular expiry might also be an option, though ... you'd have to think through that. Keep in mind that technology is continuously improving (or at least has been to date), and there might be a circumstance in which All Keys Suddenly Go Bad, which would have to be dealt with.

(Figuring out ways in which to make such situations Less Obviously a Shitfest could be ... useful.)

When I've very roughly scoped things out at Google Scale (> 3 billion registered Android profiles), and made modest assumptions such as 1% of users lose their token annually, you're looking at ~10,000 resets per day. So you'll have to have provisions for doing this in any system that's intended to be in the least part useful.

As for attacks, I'd strongly suggest finding a good reference of 19th century financial frauds and reading through it. The fundamentals do not (generally) change.

That is a solid question. The optimist in me says 'well if the private key is leaked we're in about the same spot we are now with SSNs'. Every other part of me just cries.

In regards to "which version do we trust if a new key has been issued?": My gut says there would need to be a centralized system for which ones have been voided, and which ones haven't. At that point what we're doing is making SSNs that we can invalidate, with the added disadvantage of being much more confusing to work with.

I have no idea what the right answer is, but Aunt Claire is (possibly) in need so we need to figure this out fast.

As a user above stated, use an OAuth service from the government. When at a business you could "prove" to their system who you are by authenticating with the govt service with your private key (most likely on a smart card like the military's CAC card). The business then gets an OAuth token that you could revoke.

If you lose your private key you would have to go to some government services office and bring additional documents to prove who you are just like a passport.

Basically you give the user a device that has the private key, but never exports it. eID uses this: https://images.duckduckgo.com/iu/?u=https%3A%2F%2Fimage.slid...

People lose their phones, wallets, and keys all the time, and these are things that they constantly use and check for. What chance does a "little device the government gave me that I don't use very often" have?

Making the device something that is used often is actually a good way around that problem. It's a bit like housekeys. It's not so much that you can't leave without them, but it's a bit hard to return, so you tend not to leave without them....

I'm strongly partial to a worn form-factor. A near-field-chip ring, essentially a modern signet ring, which interacts with various authentication systems, strikes me as attractive.

I've written here on HN before that it should be a device that is issued that has the private key, but that private key is also hashed with a pin and some piece of biometric data. The pin itself would be changeable (forced every 90 days, at will anytime). The device would have a keypad.

You would go down to some place (govt office) to get the device (card?). They would take the device, pop it in a reader/writer, and the device would ask you for a key and your biometric data (maybe a fingerprint?). The device would have on it a keypad and fingerprint reader (or whatever). Once you typed in your pin and scanned your fingerprint, it would generate a private key, hash all three together and store it in the card. This key would be "permanent" to the card (if you lose the card, you have to get another). The key wouldn't be saved anywhere (not in a govt database, etc). And it couldn't be retrieved from the card.

To prove your identity, you would slot the card into a reader, swipe your fingerprint, type in your pin. If your pin and fingerprint plus key on card hashed matches the stored hash - then you are identified and the card outputs a "true" value to the reader. Otherwise, it outputs a "false" value indicating no match.

Multi-factor auth - something you have (the card), something you know (the pin), something you are (the fingerprint/biometric).

That's the basic gist or blueprint - essentially an ID card that can't have its ID read (not easily at least - I imagine that you could read it with proper decapping and electron microscopy), with a built in keypad and biometric read sensor in one unit. Anywhere you need to do a transaction to prove yourself, you need to use a reader (even online - so as a part of you getting your card, you would get a reader too).

There's probably a ton in the scheme that I am missing or have wrong, but I think the basic idea is there, and I think it is possible to do with today's technology. The idea is that just having the card alone isn't enough. Just having the id number/key isn't enough. You need all three pieces for it to work.

It isn't "rubber hose" proof - but then again, not much is or can be.
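The card-local check sketched in the comment above (card secret, PIN and biometric hashed together at enrolment, compared again at use, nothing but the verdict leaving the card) looks like this in code. This is an added example, not the commenter's design or any vendor's firmware: the biometric is modelled as an exact byte string, which is an assumption (real sensors produce fuzzy templates that need a matcher in front of this step), and the PIN, template, attempt limit and iteration count are constructed values.

```python
"""Card-local multi-factor unlock, in the shape the comment above sketches.

Added example, not the commenter's code. The card keeps a salted PBKDF2 digest
of (card secret, PIN, biometric template) plus a failed-attempt counter, and
nothing but the verdict leaves the card. The biometric is modelled as an exact
byte string; real sensors produce fuzzy templates that need a matcher before
this step (assumption). PIN, template and iteration count are constructed.
"""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5        # lock the card after this many wrong tries
KDF_ITERATIONS = 100_000       # slows brute force of a short PIN on an extracted digest


class IdCard:
    def __init__(self, pin: str, biometric: bytes):
        self.card_secret = secrets.token_bytes(32)   # generated on-card, never exported
        self.salt = secrets.token_bytes(16)
        self.failed = 0
        self.locked = False
        self.stored = self._digest(pin, biometric)   # only the digest is kept

    def _digest(self, pin: str, biometric: bytes) -> bytes:
        # All three factors go into one slow hash; none is stored in clear.
        material = b"|".join([self.card_secret, pin.encode(), biometric])
        return hashlib.pbkdf2_hmac("sha256", material, self.salt, KDF_ITERATIONS)

    def verify(self, pin: str, biometric: bytes) -> bool:
        """Something you have (the card), know (PIN) and are (biometric)."""
        if self.locked:
            return False
        ok = hmac.compare_digest(self._digest(pin, biometric), self.stored)
        if ok:
            self.failed = 0
        else:
            self.failed += 1
            self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return ok

    def change_pin(self, old_pin: str, biometric: bytes, new_pin: str) -> bool:
        """PIN change at will, authenticated with the current factors."""
        if not self.verify(old_pin, biometric):
            return False
        self.salt = secrets.token_bytes(16)
        self.stored = self._digest(new_pin, biometric)
        return True


if __name__ == "__main__":
    card = IdCard("4821", b"constructed-fingerprint-template")
    print("correct factors:", card.verify("4821", b"constructed-fingerprint-template"))
    print("wrong PIN:      ", card.verify("0000", b"constructed-fingerprint-template"))
```

Two points the example makes concrete: the attempt counter is what makes a four-digit PIN defensible against an attacker holding the card, and the verdict here is a bare boolean, as in the comment. A reader can be made to accept a forged "true", so a deployable design would use a successful unlock to gate a signing operation on the card instead, giving the reader something it can check rather than something it must trust.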

> The pin itself would be changeable (forced every 90 days, at will anytime)

You have now destroyed any security this device has, as no one wants to create a brand-new PIN every 90 days, no matter how much or little entropy it has.

Changing passwords on a regular basis as a security best practice has been debunked for years now. Even NIST is (finally) on board, saying that forced regular password changes should not be used in an attempt to increase security.

Your password/PIN should be changed iff there is reason to believe it has been compromised.

> I encrypt it with my private key

Don't you mean with your public key? Pretty sure encrypting things with your _private_ key is pretty unusual. (Unless you're talking about digital signatures with RSA.)

I think I am? I have no idea. I have a relatively weak understanding of cryptography.

You would sign the value with your private key. That enables verifying the signature against your public key.

replace it? SSN has one purpose, and that is to identify our national social benefits account. that's it, and it works for that.

but we don't need a national ID. at all. the tracking that will most certainly accompany that is diametrically opposed to the concept of a free people.

banks take a risk with every account and every transaction. it's up to those institutions to figure out how to manage that risk, without obligating all americans to give up their hard fought and valuable constitutional right to privacy to make it easy for them.

SSN in fact does not work well for that.

There are fewer than 1 billion unique SSNs. Yes, there are 8 digits, but there are significant ranges of invalid values. The Social Security Administration will run out of numbers within a few decades, at most.

It's one thing to have enough values to assign everybody. It's another for the namespace to be so densely populated that any randomly-chosen value is likely to be valid. This ... creates problems.

There are no check or validity values within SSNs. There's a structure to the digits (Area, Group, and Serial numbers), but even those are at best vague, there've been three regimes of assignment (< 1972, 1972-2011, and 2011+), and other than "this value isn't within a validly assigned range", there are, again, no validity checks.

Provisions for being issued a new SSN are at best cumbersome.

That's just off the top of my head. I've worked in large-scale data analysis and processing, though years ago, and there are long and detailed discussions of the limitations and failures of SSNs even just as account identifiers.

Using them outside the SSA only compounds those issues.
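The structural rules the comment refers to are the only checks an SSN supports, and they are worth seeing as code because they show how little a verifier can do: there is no check digit, so any nine-digit string outside the never-assigned ranges passes. This is an added example, not code from the thread; it applies the SSA's published exclusions (area 000, 666 and 900-999; group 00; serial 0000) and counts how much of the nine-digit space those leave. The sample numbers in it are constructed.

```python
"""Structural checks on SSNs: the only validation the format allows.

Added example, not code from the thread. An SSN is nine digits written
AAA-GG-SSSS (area, group, serial). There is no check digit; the only rejection
rules are the ranges the SSA never assigns: area 000, 666 and 900-999, group
00, serial 0000. Since randomization in June 2011 the area carries no
geography, so these range rules are all a verifier can apply. Sample inputs
are constructed, not real numbers.
"""
import re

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(text: str):
    """Returns (area, group, serial) as ints, or None if the shape is wrong."""
    match = _SSN_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_structurally_valid(text: str) -> bool:
    parts = parse_ssn(text)
    if parts is None:
        return False
    area, group, serial = parts
    if area == 0 or area == 666 or area >= 900:   # never-assigned area ranges
        return False
    if group == 0 or serial == 0:                 # group 00 and serial 0000 are not issued
        return False
    return True


def assignable_count() -> int:
    """Size of the namespace that passes the structural rules."""
    areas = sum(1 for a in range(1, 900) if a != 666)   # 898 areas
    return areas * 99 * 9999                             # groups 01-99, serials 0001-9999


def random_guess_hit_rate() -> float:
    """Share of all nine-digit strings that are structurally valid."""
    return assignable_count() / 10**9


if __name__ == "__main__":
    for sample in ("123-45-6789", "000-45-6789", "666-45-6789", "123-00-6789", "12345678"):
        print(sample, is_structurally_valid(sample))
    print("assignable:", assignable_count(), "hit rate:", round(random_guess_hit_rate(), 3))
```

The hit rate is the point the comment makes about density: close to nine in ten random nine-digit strings are structurally valid, so structural validation rejects typos in the shape of the number and nothing else. Whether a given number belongs to a given person can only come from the SSA, which is why the number serves as an identifier and fails as a secret.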

you make good points. in my head, i had simply equated "works for that" with "good enough for now".

it seems even for just social security, the SSN numbering system could use an update, integrating everything we've learned about identity schemes in the last 100 years.

Am I crazy, or is this backwards? Keep SSN for retirement benefits, and only retirement benefits.

Ban SSNs as identifiers with private companies not affiliated with providing retirement benefits.

Problem solved.

There's still the question of a standard for financial identifiers.

And as I've commented elsewhere on this thread, SSNs themselves actually do have numerous problems and deficiencies, even if confined to the SSA.

Is anyone else suspicious that this could be a backdoor into identifying undocumented workers in the country? Could this be used as another way to purge certain classes of voters from the roles? Social security numbers are fairly easy to "borrow" but if they are no longer accepted for employment documentation or voter registration, it leaves the door open to a much stricter set of rules to obtain whatever new ID is created.

Everyone, including undocumented workers, are already thoroughly, completely, exhaustively tracked.

Replacing SSN would daylight this fact, exposing an inconvenient truth.

Can you explain this? If I apply for a lease how does the Federal government know or block me?

If I need to authenticate through their system the Federal government will definitely know.

I didn't follow the leap from undocumented workers reusing SSNs to applying for a lease.

That wouldn't be a "backdoor", but rather the system doing its job correctly. However it's obviously not the main goal.

The Keybase folks should seriously consider getting in on this. There are not many groups I'd trust to design something cryptographically sound and friendly enough to be usable (both for citizens and the government - you need at least two tiers so WHEN the inevitable private key leak happens on the government's part, it isn't the master key kept in cold storage).

Now all they need to do is replace birthdays and past addresses.

You gotta love the idea of personally identifying information, known only to you and three large corporations.

Core issue is not that solutions do not exist, but that the average person simply does not care about security.

the average corporation does not care about security as long as someone else is paying the price. moreover they actively drag on security best-practices if they increase costs or introduce any friction whatsoever into consumer purchases. one of the reasons why we don't have CHIP+PIN in the US

There are a lot of things the average person simply does not care about as regards standardisation, or codes, or laws, or procedures, which government (or other entities) manage to find solutions for.

I would actually put that concern near the top of my list of things that is not relevant to this discussion.

I have plenty of reservations about Big Tech, but why can't Google bid on this? Sure we'd get ads on the ID card but at least they'd get the math right.

You've just rediscovered the premise of David Eggers's The Circle

We're already a lot closer to George Saunders' My Flamboyant Grandson[0] than that.

Maybe not Google specifically, but I'd love it if the industry got involved in this somehow. Maybe a standards group like the Internet Engineering Task Force or the FIDO Alliance to work out the spec.

I'd commented to the same effect earlier on Google's own Identity Service: Google+.

I think Google's dropped the ball, badly, on identity and authentication (though they're ... making some movement with physical 2FA).

I've got massive misgivings myself about private tech firms getting into this space, though I do think they might have useful elements to add by way of suggesting protocols and standards. And I'd be really surprised if various majors aren't part of the discussion. Google, Facebook, Microsoft (remember Passport?), Oracle, IBM. And data brokers such as ADP. Plus banking and financial institutions, who've mostly created the mess....

An Apple ID card would be a lot less dystopian. (And would look cooler).

I dunno, a lot of dystopian science fiction has the veneer of shiny, and you only find the horrors when you scratch through this shiny surface.

The timing of login.gov (www.login.gov; https://fcw.com/articles/2017/01/19/login-dot-gov-mazmanian....) going online is convenient...

The world's moving towards a biometrically backed public-private key pair. Hope this is considered

I don't understand why people want to use biometrics. It's extremely insecure.

It's a very natural fit for ID (not password)

But also irrevocable once someone finds a way to duplicate it in the eyes of the usually not-that-well-designed system it's actually used against. It's even worse than using birthdays as a basis for ID numbers in that regard.

Not really. What if I want a (mostly anonymous) ID?

you can't rotate biometry if it's compromised

May be worth it for in-person reclamation of identity. Use biometrics only when acquired in person.

Beats having to dredge up my high school yearbook, social security card, birth certificate, and high school transcript (none of which are actually inspected, of course).

How do you defend against / defeat replay attacks?

In person? When you're actually seeing that it's their thumb and eyes that are being scanned?

How do you, as a third party, know that the validation occurred in person?

How do you defend against replay attacks?

So you agree that if it is done in person, it'd be difficult to fake?

Biometry for verification of identity, not verification of intent.

Once you verify they are who they say they are, you can do a second step to verify they actually intend to do some secure action.

Techmeme summary: Rob Joyce, the White House cybersecurity czar, says it wants to end use of Social Security numbers for identification and is examining modern alternatives

Federal government buys Twitter and makes your Twitter handle your national identifier. I'm sure Trump is fine with that.

In practice, doing public/private key instead of SSN would likely work like the EMV cards, right?

It would require having a central authority that holds, or at least authenticates, all the keys, which many might not like.

That's actually a really good, and complex, question.

It might be sufficient to have an authority which ensures there are no duplicate numbers issued, though that doesn't get around the problem of a single individual with multiple assigned numbers.

In practice, there are methods of determining with a fairly high degree of accuracy whether or not two or more identifiers might indicate the same individual (or at least two very closely related individuals). But if you're looking for a 1:1 signifier-subject relation, you'd want that system to be quite good.

Well too bad? I'd much rather have a central authority holding the keys than "oh shit, my private key was compromised, lol guess I'm going to be paying off a lot of random credit card bills for the next 50 years."

The SSA that exists now would be able to validate public keys and reissue keypairs, which would absolutely be necessary. So we'd still have the same central authority, but the numbers they give out would actually be useful.

Sorry, could you clarify?

I'm presuming this EMV card: https://en.wikipedia.org/wiki/EMV

Hmm. Almost makes you wonder if maybe the people who hacked Equifax work for some secret branch of the US govt, just so that they could force some sort of change like this down our throats.

You know, the situation is really bad when the people you used to think were conspiracy nuts now seem to be people who weren’t thinking in big enough terms.

Replacing it with something more closely approximating a national ID number will run up against religious beliefs that such IDs are Satanic and portend the End Times.

Just because you do not share such beliefs does not mean they do not exist, or can be dismissed.

"Great anger" -The damned President, encouraging his people into further divisiveness.

Yea no fucking way I'm supporting this admin in cataloging anyone.

No mention of blockchain anywhere in the comments. Color me surprised.

"Make the stupid comment you expect to see in the world" - Mahatma Gandhi
