The Equifax Hack Means It’s Time to Stop Pretending Social Security Numbers Are Secure IDs

If you’re an American, your Social Security number has probably been compromised. Even if it remained secure through years of massive data breaches, it’s quite possible it was included in the Equifax breach last month that affected some 143 million—er, make that 145.5 million— Americans.

At a moment when those nine-digit numbers seem less secure than ever, it makes sense to contemplate the alternatives. Why, after more than a decade of massive data breaches, are we still relying on Social Security numbers to prove our identities?

As the Social Security Administration itself eagerly points out in its fascinating (really!) history of Social Security numbers, these government-issued digits were never intended to be used the way they are today. They were introduced in 1936 for the sole purpose of tracking Americans’ earnings. Only gradually, through an unfortunate convergence of convenience and short-sightedness, did they turn into a crucial piece of information needed for everything from opening bank accounts to applying for loans, marriage licenses, and jobs.

As a tool for proving that you are who you say you are, Social Security numbers have some clear drawbacks. Everyone from banks to government agencies, credit bureaus, and employers keeps records of them, so they’re easy to find and steal, and easy to use once stolen. If compromised, they can be changed—but the process is neither quick nor straightforward.

The good news is that, in recent years, a whole host of new technologies for authentication have been developed and piloted by companies, researchers, and foreign governments. The bad news is that none of them would be a clear improvement on the Social Security number-based system we have now.

Biometric authentication is increasingly popular, with Apple announcing its new Face ID authentication system for the iPhone X, and India in the final stages of collecting fingerprint and iris scans for its entire population. But while it may be harder to imitate the unique composition your face, fingerprints, eyes, and voice than it is to steal your Social Security number, it’s not impossible. Researchers at NYU and Michigan State University published new findings this year on using fake fingerprints to bypass biometric authentication, for instance, and earlier research from the University of North Carolina looked at how Facebook photos could be used to trick facial recognition programs.

The risks inherent to any biometric system being operated at a national scale are staggering. Among other things, switching to such a system would mean trusting the government to be able to protect a database of everyone’s biometric data better than they did, say, the 5.6 million people’s fingerprint data that was stolen in the 2015 Office of Personnel Management breach.

Another alternative to using Social Security numbers for online authentication is behavior-based authentication schemes, which track things like your typical typing patterns to determine whether the person at the computer is really you. But these systems are slow, prone to error, and—like biometrics—difficult but not impossible for fraudsters to imitate. They’re also extremely difficult to change if compromised.

A more intriguing option would be to mimic Estonia’s system of providing citizens with government-issued e-identities. In Estonia, the national government actually issues people a set of cryptographic keys that can be used to confirm their identity using public key encryption. It’s an impressive set-up, though this summer researchers raised concerns about a possible vulnerability in the system, but it requires a great deal of trust that the national government won’t lose or misuse your keys. It also poses a number of logistical challenges that don’t scale easily in countries with populations much larger than Estonia’s 1.3 million people. The UK, for instance, when it tried to launch new national ID card and biometric passport programs several years ago, was forced to cancel the entire initiative in 2010 after spending 257 million pounds developing it.

And so, frustratingly insecure as they are, Social Security numbers almost certainly aren’t going away any time soon as a de facto identifier. That’s probably for the best, because they’re still preferable in many ways to the available alternatives. They pose fewer privacy issues than biometrics, are more reliable than behavior-based systems, and don’t require relying on the government to issue and protect our digital identities.

In addition, what makes these alternatives worse than Social Security numbers is that they might tempt us to our information more secure than it actually is. We would be less suspicious of people who produce the correct credentials, less inclined to believe people who claimed their identities had been stolen, and would quite possibly end up with a less flexible system.

Instead of trying to replace Social Security numbers in the near future, we can try to augment them. Just as multi-factor authentication systems try to build on existing and deeply entrenched password authentication systems rather than replace them, so, too, we can try to add additional layers of security on top of Social Security numbers rather than eliminate them. This means treating a Social Security number as only one piece of verifying someone’s identity and asking them for other information as well.

But that’s little help when an organization like Equifax, which does exactly that, is breached and all of that information is compromised. To solve that problem, we need to tackle the way organizations store and verify data entirely. Merchants with microchip card readers, for instance, no longer store your credit card number when you pay for an item. Instead, they authenticate your card and store a one-time code for the transaction that is of no use to criminals.

An analogous system for other services, in which organizations are able to ask for various pieces of information—including, inevitably, your Social Security number—and verify its accuracy without having to store that information themselves might help. But even that type of system could require some trusted third party that collected people’s information and was able to verify it; something sort of like a credit bureau, in fact.

As easy as it is to lose faith in all third parties that want to store your data, it’s important that we keep working on building better ones—ideally, ones that are more focused on security and identity management than credit ratings.