
> The core problems with biometrics are that:

… is that they're treated as passwords instead of usernames. The three problems you list all have the biometric=password assumption in them.

See also American SSN usage: it's treated like a (secret) token, and so when it leaks it can be used to access sensitive information. Using it as 'just' a username would probably reduce a lot of problems as well.




Exactly. This is a point everyone seems to gloss over but is fundamental to the entire concept of using biometrics.


True, but if I would need a secret as well, I don't see the benefit aside from not needing to remember a username. Some might like that for convenience, but I would always prefer memory in that case.

I think the current crusade against passwords is primarily motivated by different providers to advertise their ID schemes. Even needing a cert for something like Github is too much for me. I have no high profile repos and it might be reasonable in those cases, but I hope MS doesn't repeat the mistakes they made with their API access. The logistics of authentication is far too complex.

Aside from that I have seen people handling their keys that make you wish they would just use a password and cert logistics isn't trivial at all. No, you should not copy your key to our corporate file server... This is just the nerd way of gluing your password under your keyboard.


> American SSN usage

Nothing like a secret token that can be reliably guessed using only your birth month+year and place of birth!


wait it's based on birth month/year/place? is there an algorithm to generate it or something?


There's not quite an "algorithm"; SSNs are so short (it's just a 9-digit number, so max 1 billion unique SSNs) that they have a very simple procedure for assigning them. The Social Security Administration explains it here: https://www.ssa.gov/history/ssn/geocard.html

- The first set of three digits is called the Area Number

- The second set of two digits is called the Group Number

- The final set of four digits is the Serial Number

Certain geographic areas get certain "Area Numbers", then Group Numbers are assigned consecutively, then Serial Numbers are assigned consecutively. This entire system of consecutive assignment makes it trivial to guess pretty well, or even exactly, what someone's SSN is.


Not since June 25, 2011 when they started randomizing assignment[1]. They still don't use 666 as an area number, though.

[1] https://www.ssa.gov/employer/randomization.html
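The AAA-GG-SSSS layout described above, and the point made throughout the thread that the number should be used as a lookup key rather than as a secret, as an added Python example that is not part of any comment here. The field layout and the never-issued area numbers (000, 666, 900-999) come from the SSA pages linked above; the function names `parse_ssn`, `is_plausible`, `mask_for_display` and `authenticate` are my own, and the record and SSN in `SAMPLE_RECORDS` are constructed test data, not a real person or number.

```python
import hashlib
import hmac
import re

# Layout from the SSA geocard page: AAA-GG-SSSS (area, group, serial).
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Area numbers SSA never issues, before or after the 2011 randomization:
# 000, 666 and 900-999. Group 00 and serial 0000 are likewise never assigned.
NEVER_ISSUED_AREAS = {0, 666}


def parse_ssn(value):
    """Split a nine-digit SSN (with or without dashes) into its three fields.
    Returns None when the string does not match the documented layout."""
    m = SSN_RE.match(value.strip())
    if m is None:
        return None
    area, group, serial = (int(part) for part in m.groups())
    return {"area": area, "group": group, "serial": serial}


def is_plausible(fields):
    """True only if every field lies in a range SSA actually issues."""
    if fields is None:
        return False
    if fields["area"] in NEVER_ISSUED_AREAS or fields["area"] >= 900:
        return False
    if fields["group"] == 0 or fields["serial"] == 0:
        return False
    return True


def mask_for_display(value):
    """Show only the serial: enough to confirm a match in a UI or log line
    without writing the whole identifier out."""
    fields = parse_ssn(value)
    if fields is None:
        return "invalid"
    return "***-**-%04d" % fields["serial"]


def _hash_secret(secret, salt):
    # Salted PBKDF2 so the stored value is not the secret itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def make_record(name, secret, salt):
    """Hypothetical account record: the SSN is the key, the secret is separate."""
    return {"name": name, "salt": salt, "secret_hash": _hash_secret(secret, salt)}


# Constructed sample data: not a real person or SSN.
SAMPLE_RECORDS = {
    "123-45-6789": make_record("Example Person", "correct horse", b"constructed-salt"),
}


def authenticate(records, ssn, secret):
    """The SSN only selects the account (like a username); the separate
    secret is what proves identity, so a leaked SSN alone does not log in."""
    fields = parse_ssn(ssn)
    if not is_plausible(fields):
        return False
    key = "%03d-%02d-%04d" % (fields["area"], fields["group"], fields["serial"])
    record = records.get(key)
    if record is None:
        return False
    candidate = _hash_secret(secret, record["salt"])
    return hmac.compare_digest(candidate, record["secret_hash"])


if __name__ == "__main__":
    print(parse_ssn("123-45-6789"))          # {'area': 123, 'group': 45, 'serial': 6789}
    print(is_plausible(parse_ssn("666-12-3456")))  # False: area 666 is never issued
    print(mask_for_display("123456789"))     # ***-**-6789
    print(authenticate(SAMPLE_RECORDS, "123-45-6789", "correct horse"))  # True
    print(authenticate(SAMPLE_RECORDS, "123-45-6789", "guessed"))        # False
```

The `authenticate` function is the thread's argument in code: knowing or guessing the nine digits gets an attacker the account record's name, nothing more, because the decision rests entirely on the separately stored secret. The plausibility check is only a format filter for input handling (it rejects values SSA never assigns); it says nothing about whether a syntactically valid number belongs to anyone.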


This is a good change, but since it's not retroactive anyone born before that date (which is 100% of adults and probably roughly 50% of minors, who are likely not good targets for identity theft) is still at risk.


And it's still a problem since everyone uses it as a secret, not a username. So if leaked, you are still at risk. This is why the number really should have been public from the start so companies would not get the idea to use it as a password.


I have mixed emotions about this.

From a security professional perspective, this is at least somewhat of an improvement, even if the entire thing feels like it's held together with a wish and a prayer. I would really like if there were a means to just institute an entirely new system. Essentially having one's entire life ruined, on the chance a bad actor can guess a four digit number is...not great.

From a genealogist perspective though, this is horrible news. Being able to track down people based off of rough geographic assumptions can help narrow down if someone is "lucky" enough to have a common name in a specific region. Of course, this change to SSN isn't nearly as disastrous as the death of paper - especially newspapers - but I really do not envy anyone who is going to try and do historical family research in two to three hundred years. It makes me cringe just to think about how much valuable information, how many life changing moments, are going to be lost to encryption, bit rot, and the constantly changing standards of software and hardware.



Doesn’t guessing someone’s SSN require that you need to know the numbers and assignments of some more people (who obtained it) in the same location and around the same time period? If someone tells you their name and that they got the SSN in a particular place and doesn’t reveal any other information, you wouldn’t be able to guess that, would you?


My dad and myself have SSN numbers that are 5 apart because we immigrated at the same time.


So why not just use a username instead?


It's unique (unlike short alphabetic identifiers often used as usernames) and hard to forget (unlike UUID-like user ids).


*probably unique, but not possible to prove definitely unique.



