> For the public system, assign to every participant a true unique identifier, rather than the SSN which explicitly states should not be used as such.
This will work for a time, but what happens when the next breach occurs? How do people renew their UUIDs? Expire compromised ones?
> For those citizens that do not want to register in this way, allow for physical authentication at physical locations.
Physical authentication probably means fingerprints, face data, correct? These are already compromised. Worse yet, they cannot be changed.
CCTV cameras are everywhere, and getting better resolution each day. Face authentication can be easily duplicated - some of the early versions of FaceID (by Apple) were broken by 3-D printing a mask. Furthermore, some organizations are already compiling a list of "face data" that can be used to fool sensors and other biometric tools. By the time "face readers" are widespread, hackers will already have large pools of face data to use to hack into these systems.
There are other cases where fingerprints have been printed using a 3-D printer and have broken security of mobile smartphones. What's to say whatever government issued terminal won't be broken in a similar way? Furthermore, it's not easy to expect people to guard their fingerprints: every glass they drink at a restaurant will have their fingerprints. I don't expect to shed my SSN whenever I order a pint at my favorite pub.
SSNs are a poor form of authentication because they're ostensibly secret but re-used everywhere. It's just like a password in that regard: no password is secure against reuse, no matter how strong it is on paper.
A minimal change would be to allow/encourage single-use SSN-equivalents, generated on demand by a central authority. That is, someone would give a different "SSN" to their employer, their bank, the IRS, and their cable company (for credit check).
That still provides a point of vulnerability, but that is far better than the current system where a single credit application form is a global compromise. If a single-use number is compromised, it could be easily revoked without affecting the person otherwise. Likewise, numbers could easily be generated with short expiry dates to make use from stored credentials impossible.
The UUID shouldn't be assumed to be private information - authentication should be built around the assumption that this identifier is a public identifier - like a name, but guaranteed to be unique.
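Added example, not code from anyone in this thread: a hypothetical central authority that issues a different surrogate number per relationship (bank, employer, cable company), verifies a surrogate only for the party it was issued to, and supports expiry and per-surrogate revocation. The person's underlying identifier is treated as public, as the comment above argues; only the surrogates and the authority's derivation key matter. All names, the HMAC-based derivation and the sample data are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical central authority (not a real SSA service) that hands out a
// different surrogate number for each relationship a person has, so that a
// number leaked from one relying party cannot be used at another.

// Record kept by the authority for every surrogate it has issued.
type Record struct {
	Person  string    // the person's stable identifier; treated as public
	Party   string    // relying party the surrogate was issued for
	Expires time.Time // after this the surrogate no longer verifies
	Revoked bool
}

type Authority struct {
	key      []byte             // secret used to derive unguessable surrogates
	registry map[string]*Record // surrogate -> record
	serial   uint64             // makes every issuance distinct
}

func NewAuthority(key []byte) *Authority {
	return &Authority{key: key, registry: map[string]*Record{}}
}

// Issue derives a fresh surrogate for (person, party). The HMAC over a
// per-issuance serial keeps surrogates unlinkable without the authority's key;
// the registry, not the HMAC, is what answers Verify.
func (a *Authority) Issue(person, party string, ttl time.Duration, now time.Time) string {
	a.serial++
	mac := hmac.New(sha256.New, a.key)
	fmt.Fprintf(mac, "%s|%s|%d", person, party, a.serial)
	surrogate := hex.EncodeToString(mac.Sum(nil))[:16]
	a.registry[surrogate] = &Record{Person: person, Party: party, Expires: now.Add(ttl)}
	return surrogate
}

var (
	ErrUnknown    = errors.New("unknown surrogate")
	ErrWrongParty = errors.New("surrogate was issued to a different party")
	ErrExpired    = errors.New("surrogate has expired")
	ErrRevoked    = errors.New("surrogate has been revoked")
)

// Verify is the query a relying party makes: "does this surrogate, presented
// to me, currently map to a person?" The party name is part of the check, so a
// surrogate stolen from the cable company is rejected at the bank.
func (a *Authority) Verify(surrogate, party string, now time.Time) (string, error) {
	rec, ok := a.registry[surrogate]
	switch {
	case !ok:
		return "", ErrUnknown
	case rec.Party != party:
		return "", ErrWrongParty
	case rec.Revoked:
		return "", ErrRevoked
	case now.After(rec.Expires):
		return "", ErrExpired
	}
	return rec.Person, nil
}

// Revoke invalidates one surrogate; the person's other surrogates are untouched.
func (a *Authority) Revoke(surrogate string) bool {
	rec, ok := a.registry[surrogate]
	if !ok {
		return false
	}
	rec.Revoked = true
	return true
}

func main() {
	// Constructed sample data.
	auth := NewAuthority([]byte("constructed-demo-key"))
	now := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC)
	bank := auth.Issue("person-42", "bank", 365*24*time.Hour, now)
	cable := auth.Issue("person-42", "cable-co", 24*time.Hour, now)

	_, err := auth.Verify(cable, "bank", now)
	fmt.Println("cable surrogate presented at bank:", err)
	auth.Revoke(cable)
	_, err = auth.Verify(cable, "cable-co", now)
	fmt.Println("after revocation:", err)
	who, err := auth.Verify(bank, "bank", now)
	fmt.Println("bank surrogate still maps to:", who, err)
}
```

The registry is the source of truth, so a breach of one relying party exposes only surrogates that can be revoked individually; short TTLs limit the window for stored copies even when nobody notices the leak.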
> Physical authentication probably means fingerprints, face data, correct? These are already compromised. Worse yet, they cannot be changed.
Even if those are compromised, that doesn't mean it has to be easy to impersonate you. The solution may be low-tech - you may have to physically present yourself to a human who assesses if you are indeed who you say you are before opening an account. The higher-tech solution for physical authentication might require something akin to chip-and-pin or a (revocable) token generator a la YubiKey.
edit: if the value of identity were to be elevated, then the physical security at these locations would be increased to the level of banks or cash-handling facilities to increase the cost of failed attempts at impersonation (to the level similar to attempted cash heists). In fact, the local phone shops should be barred/disincentivized from doing auth badly themselves and should outsource this function, just like they do with creditworthiness.
In that case, we already have this today: At the state level, most citizens have a driver's license or State ID, both of which have a unique ID. At the federal level, all US passports have a unique Passport Number. Granted, not all citizens have a passport, but that system is in place to grant citizens unique identifiers.
And yet we still have identity issues. So this is part of the solution.
> Even if those are compromised, that doesn't mean it has to be easy to impersonate you. The solution may be low-tech - you may have to physically present yourself to a human who assesses if you are indeed who you say you are before opening an account. The higher-tech solution for physical authentication might require something akin to chip-and-pin or a (revocable) token generator a la YubiKey.
This is a great idea. I believe France's healthcare system requires every citizen to have a card, which uses a chip and pin tech to authenticate the person with their doctor. This could be used for online services or over the phone too.
What the US needs is a branch specifically for administering these "identity cards". The Social Security Administration could be rebranded to an "Identity Administration" or something, then they will manage the distribution and revocation / recycling of these national ID cards.
But for some reason Americans get spooked when you say the words "National ID". Something about how "socialism is bad" and all that.
Do you really want to mandate that?
Valuing someone's personal information at $100,000 per person and then fining the snot out of companies that lose it seems like a much more "market driven" solution.
It also means that companies will work really hard to minimize any personal information at all--which is really what you want in the first place.
> This will work for a time, but what happens when the next breach occurs? How do people renew their UUID's? Expire compromised ones?
The unique identifier would be an identifier only, not something for authentication. But before you can authenticate any identity, you need a way to identify that identity. Hence I consider that a base requirement. Then we need to build a system of authentication points around this identifier. Heck, if SSNs were unique, just re-purposing those for the ID would work just fine.
No, I mean going to a physical desk and authenticating however you already can do this. This would be something like a valid government-issued ID and a birth certificate. Essentially, whatever is needed to get a passport, have the same system here. Because that is essentially your weakest link already. I added this option to appease the American fear of government tracking.
As for a proposal to fixing it, I would point to two systems.
* The Estonian system, where every citizen is given an ID-card that is also a smart-card with a public key.
* The Dutch system, which I am most familiar with.
Let me expand on how the Dutch system (called DigID) works. Though I should note the system has flaws, and there are valid criticisms. However, it hasn't had any big failures. The system works as follows:
Anyone can apply for an account, at which point the government will mail you instructions for setting up a simple username-password based authentication. Key behind this system is the 'Basis register of persons'. It is a national database (maintained by the municipalities) of all legal inhabitants and some info about them. Most importantly for this system, an address. This is what makes it possible for the government to send mail to a citizen.
To my mind, the above system of mail could/should be replaced by a visit to the municipal administration, where your ID-card is verified. (Notably, everyone over the age of 14 needs a valid government-issued ID)
Obviously, implementing something like this in the US would be hard. Mostly because mandated ID-cards and a government database of addresses would not be politically acceptable. I don't know the details of the Estonian system; maybe that would require less invasive tracking of citizens.
I'm guessing most European countries have similar systems of government-based authentication.
Really though, these systems start with knowing who your citizens are and being able to identify them. And should this not be a basic requirement of a government?
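Added example, not code from anyone in this thread and not the Estonian or Dutch implementation: a minimal model of the "ID card that is also a smart card with a public key" idea raised above, together with the revocable token the earlier comment mentioned. The authority's registry stores only public keys keyed by a public identifier, the card holds the private key and only ever signs, and a relying party authenticates by issuing a fresh challenge. The registry, card and identifier names are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical registry run by the issuing authority: it stores only public
// keys, so a dump of it (or knowledge of someone's public identifier) does not
// let anyone sign a challenge. Private keys live only in the card.

type Registry struct {
	keys    map[string]ed25519.PublicKey // public identifier -> current key
	revoked map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Card models the smart card handed to a citizen at enrolment.
type Card struct {
	ID   string // public identifier printed on the card
	priv ed25519.PrivateKey
}

// Enroll generates a key pair, registers the public half under the identifier
// and returns the card holding the private half. Re-enrolment after a
// revocation simply installs a new key; the identifier stays the same.
func (r *Registry) Enroll(id string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[id] = pub
	delete(r.revoked, id)
	return &Card{ID: id, priv: priv}, nil
}

// Revoke drops the current key; a lost or cloned card stops working everywhere.
func (r *Registry) Revoke(id string) {
	r.revoked[id] = true
	delete(r.keys, id)
}

// Sign is the only operation the card exposes; the private key never leaves it.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

var (
	ErrUnknown      = errors.New("no key registered for this identifier")
	ErrRevoked      = errors.New("identifier's key has been revoked")
	ErrBadSignature = errors.New("challenge was not signed by the registered key")
)

// NewChallenge is built by the relying party: a fresh random nonce prefixed
// with the party's own name, so a signature obtained by one party is not a
// valid response to a challenge issued by another.
func NewChallenge(party string) ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(party+"|"), nonce...), nil
}

// Authenticate is the relying party's check: the claimed identifier is public,
// the proof is possession of the matching private key.
func (r *Registry) Authenticate(id string, challenge, sig []byte) error {
	if r.revoked[id] {
		return ErrRevoked
	}
	pub, ok := r.keys[id]
	if !ok {
		return ErrUnknown
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := NewRegistry()
	card, err := reg.Enroll("ID-0001") // constructed identifier
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge("bank")
	fmt.Println("genuine card:", reg.Authenticate("ID-0001", ch, card.Sign(ch)))
	other, _ := reg.Enroll("ID-0002")
	fmt.Println("other card claiming ID-0001:", reg.Authenticate("ID-0001", ch, other.Sign(ch)))
	reg.Revoke("ID-0001")
	fmt.Println("after revocation:", reg.Authenticate("ID-0001", ch, card.Sign(ch)))
}
```

The point the thread circles around is visible in `Authenticate`: nothing about the person needs to be secret for this to work, which is what makes a public identifier plus a revocable credential a different category from an SSN that is both identifier and secret.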