"... we need a new personal identifier, SSNs are all stolen at this point"
Though identity and authentication should be different things, as an identifier the only real problem with SSNs is that we should be using UUIDs instead.
The hard part is authentication, which should have a far more secure process than merely knowing 9 digits everyone (re)uses.
Maybe it would be more clear if I used some examples.
Identity: mjevans on news.ycombinator.com
Authentication: is allowed to post as (Identity), is allowed to vote on things, etc.
Identity alone should not imply authorization, when someone is asking for a proof of identity what they really want is a record that you are actually an identity (authorization).
SSNs are much too short, and were mostly issued in a foolish and predictable way (if you're a kid you might have a random SSN but most Americans still have ones issued the old way). Given the US plausible population load, issuing a randomly chosen 12 digit number incorporating a check digit would have been a better start.
But the authentication problem is the tricky part though, governments don't have a reliable way to authenticate their citizens today and even if you have a good will intent to fix this, that can be hijacked by people with less saintly motives. See India or China for how that might not go well.
The Netherlands has a digital government sign-in ("DigID") which works very well, secured using text messaging or 2 factor auth. With it you view all of your official documents across all branches of government. It allows for delegating permissions (say between a married couple). It's really great and shows that with competence these systems work out great.
I think we need a worldwide, federated identity system.
There should be multiple identity providers, mostly governments and organizations who already have lots of info about you, for example banks. This already works in Poland and several other European countries. Such organizations should verify that you are you the way they currently do, and give you a way of authorizing yourself, i.e. SMS, mobile app, one time passwords etc. If someone needed to verify your identity, they would go through your chosen org for authentication. This approach has several benefits.
1. You can provide as much or as little info as you want.
The info you provide could include true/false assertions. For example, a porn website could just ask the org whether your age >= 18, without the need to know your exact birthdate. Same for citizenship, disability, criminal record etc.
2. You can easily integrate that with other services, for example payments or even a secure communication channel, letting companies contact you without learning any details about you. There could even be a secure shipping service, where the company selling you the product only gets a special QR code to stick on the package. Only one shipping company would get your real address, the rest would just know the next leg of the route.
3. You could provide instant "not a robot" verification, without any captchas, without any personal data and without any hassle. The authorizing org would just give the requestor a token, different for each visit, that they could send with an "add to blacklist" request. The next time a blacklisted user would try to log in to that service, their org would refuse to provide the token.
4. Ability to provide legal accountability without revealing anything. The authenticating org would just provide a token to a service. The user could do whatever they wished, but, in case they'd do something illegal, the police could just force the org to actually reveal who was behind that token.
Of course, the system would have to be regulated by a global body of governments or organizations. Each org would have certain responsibilities, i.e. allowing you to port your id to somewhere else, not requesting more data than necessary, honoring blacklists etc. If that system existed, implementing a safe, seamless online and real-life experience would be trivial. Just imagine if it would be trivial to trace each website, each comment, everything to a real person with a court order, while not giving most companies any data whatsoever.
If we had a worldwide, federated identity system, there's a problem with this I can already see: what's stopping nations like China from expanding their social credit system to the population of the world then, against their will for example? For what purpose, I can't know, but it doesn't seem ideal.
On one hand, it would be incredibly useful to only ever have to deal with one service or standard for identities (and that could include the possibility of making things easier for identity theft products to do their job) but it brings with it these other risks around centralizing that kind of information.
Trying to control data by format restrictions seems a little iffy.
If you offered a "isOver18" call to avoid exposing an actual age or date of birth record, you'd have to offer a whole range of others for a lot of legitimate needs (isOver21 for alcohol sales, isOver59.5 for some retirement account stuff, isOver55/60/65 for senior discounts, etc).
You could chain a bunch of those to at least pull a marketing-sufficient age category, and potentially a full age or DOB depending on the number of such functions offered.
If the identity providers asked users for consent each time a verification request came in, that could limit that abuse pattern, but I suspect it would be the sort of thing where users got notification fatigue very fast and just start clicking "don't ask me again".
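The narrowing the comment above describes can be measured: the example below (added here, not code from the thread or from any provider) partitions the age range by the isOver-N predicates a provider offers, and models a one-threshold-per-audience consent policy as the mitigation. Provider class, user names and the age bound are assumptions.

```python
# Added example, not code from the thread: models a provider offering a menu
# of isOver-N predicates and shows (a) the age interval a relying party can
# pin a user to by chaining them and (b) a one-threshold-per-audience policy
# standing in for the "ask for consent" mitigation. All names are assumed.
from typing import Dict, Iterable, List, Optional, Tuple

MAX_AGE = 120.0  # assumed upper bound for the analysis


def age_partition(thresholds: Iterable[float]) -> List[Tuple[float, float]]:
    """Intervals [lo, hi) a caller can distinguish once it has asked every
    offered isOver predicate; a finer partition means more leakage."""
    edges = [0.0] + sorted(set(float(t) for t in thresholds)) + [MAX_AGE]
    return [(edges[i], edges[i + 1]) for i in range(len(edges) - 1)]


def bucket_for_age(age: float, thresholds: Iterable[float]) -> Tuple[float, float]:
    """What chaining all predicates reveals about one user of the given age."""
    for lo, hi in age_partition(thresholds):
        if lo <= age < hi:
            return (lo, hi)
    raise ValueError("age outside modelled range")


def narrowest_bucket(thresholds: Iterable[float]) -> float:
    """Width of the finest interval: 0.5 years once isOver59.5 sits next to
    isOver60, i.e. close to a date of birth for that cohort."""
    return min(hi - lo for lo, hi in age_partition(thresholds))


class AgeAssertionProvider:
    """Answers isOver-t, but for each (user, audience) pair only the single
    threshold the user consented to on the first request (consent is assumed
    granted here). A different threshold from the same audience is refused
    (None), so the audience cannot chain predicates to narrow the age."""

    def __init__(self, ages: Dict[str, float], offered: Iterable[float]):
        self._ages = dict(ages)
        self._offered = set(float(t) for t in offered)
        self._granted: Dict[Tuple[str, str], float] = {}

    def is_over(self, sub: str, aud: str, threshold: float) -> Optional[bool]:
        t = float(threshold)
        if t not in self._offered:
            raise ValueError("predicate not offered")
        consented = self._granted.setdefault((sub, aud), t)
        if consented != t:
            return None  # would let aud learn more than the user agreed to
        return self._ages[sub] >= t


OFFERED = [18, 21, 55, 59.5, 60, 65]  # thresholds named in the comment above
```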
The only difference is that Google doesn't provide identity verification, only identity validation when you have previous knowledge of a Google account being associated to a user account.
I would love it if emails were typically gathered by OIDC scope requests, and the provider would always provide an email address that could be traced to the audience. Something like mail@{ENC(sub + aud)}.oidcp.com.
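One way to build the per-audience address the comment above sketches, as an added example that is not code from the thread or from any OIDC provider: an HMAC pseudonym of (sub, aud) stands in for ENC, the provider domain is assumed, and the provider keeps a lookup table as its reversal path, which also lets it tell which audience an address came from when mail arrives from someone else.

```python
# Added example, not code from the thread: a per-audience alias in the shape
# of mail@{ENC(sub + aud)}.oidcp.com. Assumptions: the provider domain and an
# HMAC pseudonym (rather than encryption) keyed by the provider, with a lookup
# table as the "decryption" path. Aliases are stable per (sub, aud) and
# unlinkable across audiences without the key.
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class AliasProvider:
    DOMAIN = "oidcp.example"  # assumed provider domain

    def __init__(self, key: bytes):
        self._key = key
        self._reverse: Dict[str, Tuple[str, str]] = {}

    def alias_for(self, sub: str, aud: str) -> str:
        """Mint (or re-derive) the alias handed to audience `aud` for user `sub`."""
        # NUL separator so sub="a", aud="bc" cannot collide with sub="ab", aud="c"
        msg = sub.encode() + b"\x00" + aud.encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()[:16]
        label = base64.b32encode(tag).decode().rstrip("=").lower()  # DNS-safe
        alias = f"mail@{label}.{self.DOMAIN}"
        self._reverse[alias] = (sub, aud)
        return alias

    def resolve(self, alias: str) -> Optional[Tuple[str, str]]:
        """Provider-side reversal: whose alias this is and who received it."""
        return self._reverse.get(alias)

    def route(self, alias: str, sender_aud: str) -> Tuple[Optional[str], Optional[str]]:
        """Deliver only mail from the audience the alias was minted for.
        Returns (sub, None) on a match and (None, leaking_aud) when some other
        party uses the address, which names the audience that shared it."""
        entry = self._reverse.get(alias)
        if entry is None:
            return (None, None)
        sub, aud = entry
        if hmac.compare_digest(aud.encode(), sender_aud.encode()):
            return (sub, None)
        return (None, aud)
```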
Can we calculate reproducible cryptographic private keys from fingerprints?
If you solve that, you'll unlock an entire business model centered around "anonymous entities that can be regenerated at any time using a biometrics booth at the mall and a secret passphrase known only to you".
Biometrics are relatively convenient and very safe when they're used in place (not remotely) with a human agent overseeing. No cops have ever let a suspect pop out to buy a 3D printer and some custom moulds before taking their prints. The airbase's gate guard isn't going to let you substitute a custom-made adversarial JPEG image for your face after asking you to roll down the window even though her normal job is statistical analysis and she has never fired that weapon she's carrying in anger.
They're not great without supervision and they're completely hopeless remotely.
There are some limits in linking it to existing identifiers like names or SSNs. However, that doesn't matter because due to its nature, the phone leaves a trail. Any serious abuse can be punished.
This is a terrible, TERRIBLE idea.
Especially for people who move a lot.
Phone numbers get reused. I am currently maintaining 4 SIM cards just to keep services relying on them active. About 2 months ago I forgot to recharge one of those SIM cards and was locked out of one of my bank accounts.
India has a sim card system like this, but it is actually even less secure and shockingly easy to game. That's not even counting for the fact that not everyone has a cell phone (a minority, but still exists).
How do you game it apart from stealing a phone? It may be easy to get another identity but that's a feature.
If somebody commits a serious crime, the joined location of the phones will reveal the true identity unless somebody invests an amount of effort that's equal to buying a new passport.
So you get several identities. How do you game the system?
Intelligence agencies have failed to keep their phone usage cleanly separated. It's not that easy.
E.g. if you want to avoid progressive income taxes by registering several companies, your burner phone stands out because it doesn't have any other contacts. That will be further investigated.
Then you need the name of a living person who doesn't use a mobile phone to register it because otherwise, he would operate two phones at two different places. Another red flag.
UUIDs are a terrible idea, as you're completely ignoring the UX of SSNs (short, just numbers, easy to remember, structured, etc.)
SSNs are account numbers, and only account numbers, for your social security benefits, not an all-purpose resident identity number. They've only been co-opted to be such identifiers because everyone wants to piggyback on, and not additionally pay for, the extra measures the SSA has taken to uniquely identify workers when granting the numbers so we can't easily steal each others' retirement benefits.
tl;dr: SSNs are (financial) account numbers, not people identifiers, and should be treated like bank account numbers (for example).
This will never happen in a useful fashion at the federal level unless the Republicans get the House, Senate, and Presidency again and don't waste the time bickering with themselves. It would have to be implemented on a state by state basis. A national identifier would be able to exclude illegal immigrants too easily for the Democrats to support it. Over 1/3 of illegal immigrants in America use SSNs of other people, most stolen but some belonging to friends or relatives. I realize this might seem inflammatory as a post but this simply isn't a situation that can be removed from American politics in this instance.
Edit: And for people who think I'm making this up, the GAO literally inquired with the IRS about the fraudulent SSN use matter.
Edit 2: Lots of metric input but no comments. If you're browsing idly, let this be an example of HN culture for you.
Each state has different laws about how people need to be notified about data breaches. U.S. mail is generally the lowest common denominator across states. See https://info.digitalguardian.com/rs/768-OQW-145/images/the-d... for more information if you're curious.
As more Social Security Numbers are leaked from security breaches like Equifax et al, I have done a deep dive into all things publicly known about SSNs and published the results on a hobby site (with limited ad revenue to cover the server cost) to both educate myself on the historic data contained in a social security number, how its usage has changed throughout the years (enumeration at birth in the 80's for example) and then how finally the state and date information was removed around 2009 so that numbers are now randomly assigned. For those born before 2010, there is real information encoded in (or deducible from) your number beyond what most are aware. If you are curious what types of information a hacker could deduce, or additional ways your SSN could be mis-used if disclosed (or guessed) take a gander at
Unfortunately, C Corps are affected, too. I created a C Corp through Atlas and was hoping that I dodged this issue, but I just received the notification of the breach in the mail today.
Why was Stripe sharing something as critical as [SSN+Name] with a third party? If Atlas is simply a white labeled service of another service, then I hope it was prominent in Stripe's communication with customers/potential-customers. I say this because the market has many competitive offerings in the space, and among the primary reasons to pick Stripe is the assumption of better security, given its multi-billion-dollar venture funding and valuation.
Strange to not see an official statement and post-mortem from Stripe mentioned anywhere. Can someone who got a letter post a (redacted as necessary) scan of it?
If anyone needs a Stripe Atlas alternative that doesn't require SSN and is also less expensive ($350 vs Stripe's $500 + $400/yr) check out https://www.blook.io/stripe-atlas-alternative
You can just buy 1000s of high-credit profiles located in the wealthiest zip codes for $1/pc max (I’ve seen prices below $0.1/pc but I suppose this is a special request)
As a Stripe Atlas customer, I received a snail mail letter from Stripe about this issue. It included some suggestions from them to prevent identity theft.
As I texted a tech friend of mine: if I’m receiving a physical letter from a leading tech co like Stripe, then it’s at least a moderately serious issue.