How To Fix the Broken Social Security Number System

Privacy and security advocates have sounded the alarm for decades about the dangers of the United States’ over-reliance on Social Security numbers. But serious discussion about what might replace them has become much more concrete in the weeks since Equifax revealed that attackers had potentially compromised 145.5 million Social Security numbers—along with other sensitive personal data—in a massive breach of the credit bureau.

But the question of what would replace Social Security numbers is easier asked than answered. There isn’t a simple and obvious substitute for the current system’s one-stop convenience. Whatever replaces SSNs would be a more expansive and nuanced approach, and while there has been some government research into modern identity-management solutions, there hasn’t been the incentive or political will to see anything through to real-world use. Plus, nascent initiatives to overhaul SSNs have historically been mired in political opposition to national, government-centralized IDs, because of privacy concerns and fear of federal overreach.

Finally, though, thanks to the staggering and deeply unfortunate scale of the Equifax breach, there is increasing interest in finding a replacement to protect consumers.

“I think it’s really clear there needs to be a change,” White House Cybersecurity Coordinator Rob Joyce said at the Cambridge Cyber Summit last week. “It’s a flawed system. If you think about it, every time we use the Social Security number you put it at risk.” Joyce added that a federal task force is examining possible replacements.

Out of Scope

For all their shortcomings, Social Security numbers are decent at doing what they’re supposed to do. Created in the 1930s by the budding Social Security Administration, the numbers were envisioned as identifiers for US workers so that the Administration could track their lifetime earnings. If they were introduced today—given the range of sensitive use cases they’ve since accumulated—they would merit protection by a second authentication factor. But like internal employee ID numbers at corporations or customer record numbers at a plumbing company, SSNs were created to track one type of data, not to serve as a secret. As the SSA says on its website: “The card was never intended to serve as a personal identification document.”

They’ve strayed from that original purpose. SSNs are used by countless industries and government agencies to connect a huge variety of information. They work both as identifiers to link people to their data, and as authenticators to prove that people are who they claim. And all of this relies on keeping those nine digits totally secret (digits that, for numbers issued before 2011, were partly predictable from the holder’s birth state and date), something that has long been improbable and is now likely impossible, thanks to Equifax.

For years, the Obama Administration encouraged the National Institute of Standards and Technology (NIST) and other groups to investigate secure digital identity options through a program called the National Strategy for Trusted Identities in Cyberspace. The idea of NSTIC was to develop identifiers and authenticators that would raise the standard of trust between individuals, organizations, services, and devices engaging in sensitive digital transactions, like accessing medical records or filing taxes. The project had obvious implications for US identity systems, but it was not created to replace Social Security numbers. NIST is also a non-regulatory body: it develops technical standards as recommendations, not requirements.

“We’re not in the position to recommend a shift to a new system,” says Paul Grassi, a senior standards and technology advisor at NIST who worked on NSTIC and now its successor, the Trusted Identities Group. “It’s going to be a while until this problem is solved, but we built our latest guidelines under the assumption that your data is out there whether you like it or not. So it’s not just presenting that data and having it match a database anymore. The evidence presented has to be validated, and then there needs to be some sort of match to the person, whether that’s biometric or physical or something else.”

In pilot programs so far, government agencies like the Treasury and Department of Health and Human Services have worked to incorporate NIST’s digital identity recommendations. But real impact, experts say, would require far more sweeping measures.

Identity Brief

There are numerous theoretical ways to replace Social Security numbers, but with actual momentum building to get something done, experts have converged around a few main concepts.

One approach involves making room for a diverse array of identifiers and authenticators, instead of looking for one single mechanism or solution. In this scenario, you might have a username, password, and physical authentication token (like a security card or a YubiKey) to tie your medical data to you as a person. You would have a different mix of tools for identifying and authenticating yourself to financial institutions. And you would have a third set to prove your identity to your cable company.

These authentication factors could be built on interoperable government standards that embrace a “self-sovereign” system, so consumers have more control over their personal security, rather than relying on Social Security numbers alone.

That sort of framework would help avoid the centralization that makes privacy advocates anxious. The American Civil Liberties Union, for instance, views the current Social Security number system as a problematic overreach, because it ties so many disparate behaviors and interactions to a single identifier that can be tracked. More siloing and marketplace diversity would reduce this “eagle’s eye view of every activity,” as the ACLU’s Jay Stanley calls it, while improving security.

As a data clearinghouse like Equifax shows, though, some identity attributes need to be tied together in practice to keep track of things like credit history, and to interact with government agencies. Many experts advocate incorporating cryptographic tools and concepts like public-key protocols to ensure that identification systems are secure, while maximally protecting people’s data privacy. Each party in an identification and authentication exchange could hold its own pair of public and private keys, and a key-agreement algorithm would derive a shared key for that exchange without either side ever transmitting a secret.

In this type of system, you might rely on biometrics, or on keys issued by the government, for in-person verification with your bank. The bank could then issue you a cryptographic credential, filling the role a password or biometric fills today, for digital interactions and transactions that require authorization. That may sound unfeasible, but systems already exist in countries like Estonia and the Netherlands where consumers use validated codes or tokens to authorize transactions or authenticate themselves.

“The idea is to use ‘something that you are’ or ‘something that you have,’ coupled with something that the government gives you in order to derive your identity—that way no particular person, neither you nor the government, has sole access to that information,” says Nicholas Hayden, director of engineering at the threat intelligence firm Anomali and a cyber warfare officer for the US Air Force. “It’s a way of being able to mutually identify each other that is not 100 percent reliant on the US government.”

Some argue that to protect privacy and create a truly robust system, a Social Security number replacement would need to be built on the cryptographic concept of a “zero-knowledge proof,” a mathematical process for proving that a statement is true without revealing anything beyond the fact that it is true. Systems would use zero-knowledge proofs to authenticate someone, or to confirm a single fact about them, without learning anything else about their identity.

“A fundamental right of a human being is to engage in unlinkable activities,” says Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University. “So if you build an identity registry system that is too powerful, you suddenly find yourself in situations where your activities are always linked. So an identity system should expose linkages where they must legally be exposed—like if I try to get a lot of credit at once. But I should also be able to break that linkage when it need not be there. If I need to prove how old I am to a service, I should be able to just issue them a proof without them knowing anything else about me.”
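To make the two ideas above concrete, here is an added example, written for this page and not taken from the article, from NIST, or from any agency’s or vendor’s system. It uses only the Python standard library: two parties each hold a key pair on the secp256k1 curve and derive the same shared key without sending a secret, and one of them then proves possession of a registered private key with a Schnorr protocol, which reveals nothing about the key itself. The roles (a bank and a customer), the session binding, the salt label and the curve choice are assumptions for illustration. Proving a single attribute such as age, as Sirer describes, requires anonymous-credential machinery built on top of this basic building block, which the example does not include.

```python
"""Key agreement plus a zero-knowledge proof of key possession over secp256k1.
Added illustration, standard library only. Not constant-time; not for production."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants): curve y^2 = x^3 + 7 over GF(P),
# base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def ec_add(a, b):
    """Affine point addition; handles doubling and inverse points."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # b == -a
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def keygen():
    """Private scalar in [1, N-1] and the matching public point."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


# 1. Key agreement: each side multiplies the other's public point by its own
#    private scalar; both land on priv_a * priv_b * G. The x-coordinate is the
#    raw shared secret and goes through an HKDF-style extract step (HMAC with a salt).
def shared_key(my_priv, their_pub, salt=b"identity-session-v1"):  # salt label is assumed
    raw = ec_mul(my_priv, their_pub)[0].to_bytes(32, "big")
    return hmac.new(salt, raw, hashlib.sha256).digest()


# 2. Schnorr proof of knowledge of priv for a registered pub, made non-interactive
#    with Fiat-Shamir and bound to a transcript so a captured proof cannot be replayed.
def challenge(pub, commitment, transcript):
    digest = hashlib.sha256(encode(pub) + encode(commitment) + transcript).digest()
    return int.from_bytes(digest, "big") % N


def prove(priv, pub, transcript):
    k = secrets.randbelow(N - 1) + 1     # fresh nonce: reusing k across proofs leaks priv
    commitment = ec_mul(k, G)
    c = challenge(pub, commitment, transcript)
    s = (k + c * priv) % N               # k masks priv, so s alone says nothing about it
    return commitment, s


def verify(pub, proof, transcript):
    commitment, s = proof
    if commitment is INF or not 0 < s < N:
        return False
    c = challenge(pub, commitment, transcript)
    # s*G == k*G + c*(priv*G) holds exactly when the prover knew priv.
    return ec_mul(s, G) == ec_add(commitment, ec_mul(c, pub))


def demo():
    bank_priv, bank_pub = keygen()
    customer_priv, customer_pub = keygen()     # registered with the bank in person
    k_customer = shared_key(customer_priv, bank_pub)
    k_bank = shared_key(bank_priv, customer_pub)
    proof = prove(customer_priv, customer_pub, k_bank)   # bound to this session
    impostor_priv, _ = keygen()                # knows customer_pub, not customer_priv
    forged = prove(impostor_priv, customer_pub, k_bank)
    return {
        "keys_match": k_customer == k_bank,
        "proof_accepted": verify(customer_pub, proof, k_bank),
        "forged_accepted": verify(customer_pub, forged, k_bank),
        "replayed_accepted": verify(customer_pub, proof, b"another session"),
    }
```

The bank learns only that whoever is on the other end of this session holds the private key it registered; the key itself never leaves the customer’s device, and the same proof presented in a different session fails because the challenge is bound to the transcript.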

Make It Work

If it all sounds a bit complicated, you’re encountering the precise hurdle that has kept a Social Security number replacement from proliferating for decades. Rolling out a new digital identification and authentication framework across government, private institutions, and industry (particularly the sectors that have entrenched reliance on SSNs, like finance and healthcare) would be resource-intensive and inevitably rocky. And that doesn’t even begin to address the initial burden on the more than 300 million Social Security number holders in the US, many of whom don’t have reliable internet or computer access, who would need to invest time in the transition as well.

And even in light of the Equifax breach, which may have put half of the US population’s Social Security numbers at risk, some cryptographers warn that any new system would be dangerous in its own way, because building a new identity scheme on such an enormous scale would inevitably lead to implementation issues that would create new, and perhaps unforeseen, vulnerabilities.

For many, though, these potential downsides don’t outweigh the pressing need to replace Social Security numbers as identifiers and authenticators, given the additional security risks US consumers now face in light of the Equifax breach. And though federal initiatives are notoriously slow and accident-prone (the SSA itself only added two-factor authentication to its website in May), the private sector has some immediate options and power.

Third parties can make phasing out Social Security numbers easier by cutting back on collecting them in the first place, and implementing creative (and more secure) identification alternatives wherever possible. There’s a lot of low-hanging fruit. For example, even if credit checks still rely on Social Security numbers for years to come, companies could set up digital portals where consumers can easily request and deliver a credit report without ever sharing their SSN with the new institution. Or organizations could collect SSNs for temporary and specific use in an ephemeral way instead of storing them long-term.
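As an added example of that last suggestion (it is not something the article or any named company describes, and the design choices are the editor’s), the Python below, using only the standard library, validates a number’s format, derives a keyed HMAC token from it for record matching, and lets the raw digits go out of scope. It also shows why an unkeyed hash is not a substitute: with the first five digits known or guessed, the remaining serial is recovered by trying ten thousand candidates. The key handling and the sample number are constructed for illustration.

```python
"""Use an SSN once, store only a keyed token. Added illustration, standard library only.
In practice the HMAC key lives in an HSM or key-management service; here it is
generated in memory for the demo."""
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(value):
    """Return the nine digits, or None if the value cannot be an issued SSN.
    SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    m = SSN_RE.match(value.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        return None
    return area + group + serial


def plain_hash(ssn):
    """What not to do: an unkeyed hash. There are under 10^9 possible numbers,
    and before randomization in 2011 the first five digits often followed from
    birth state and date, so the remaining search space is tiny."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def keyed_token(ssn, key):
    """HMAC-SHA256 under a secret key: stable per person (records still match),
    but not invertible without the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def recover_serial(target_hex, area, group, key=None):
    """Attacker who knows the first five digits tries all 10,000 serials.
    With key=None this targets plain_hash; otherwise keyed_token under
    whatever key the attacker holds or guesses."""
    for serial in range(10000):
        candidate = f"{area}{group}{serial:04d}"
        digest = plain_hash(candidate) if key is None else keyed_token(candidate, key)
        if digest == target_hex:
            return candidate
    return None


def enroll(raw_input, key):
    """Validate, derive the token, and keep only the token for later matching."""
    ssn = normalize_ssn(raw_input)
    if ssn is None:
        raise ValueError("not a valid SSN format")
    return keyed_token(ssn, key)


def demo():
    key = secrets.token_bytes(32)          # deployment secret, constructed for the demo
    sample = "123-45-6789"                 # constructed sample input
    token = enroll(sample, key)
    attacker_guess = secrets.token_bytes(32)
    return {
        "same_person_matches": token == enroll("123456789", key),
        "plain_hash_recovered": recover_serial(plain_hash("123456789"), "123", "45"),
        "token_recovered_without_key": recover_serial(token, "123", "45", attacker_guess),
        "rejects_invalid": normalize_ssn("666-12-3456") is None
                           and normalize_ssn("12-345-6789") is None,
    }
```

Two caveats a practitioner would add: the key must be kept out of the same data store as the tokens (an HSM or KMS, with a re-tokenization plan for rotation), and the token is a pseudonym, not an authenticator. It lets an organization recognize a returning record; it proves nothing about who is presenting it, which is exactly the identifier-versus-authenticator distinction the article draws.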

“Yes, there are a lot of constraints,” Cornell’s Sirer says. “Identity is a hard problem, but it’s by no means an impossible problem. Plus, how imperfect is the current system? It’s entirely broken.”

Even privacy advocates, professionally skeptical of sweeping claims about identity overhauls, acknowledge the dire need to replace Social Security numbers quickly. “There is a clear need for individuals to be identified and authenticated and there are ways to do it that still preserve privacy,” says the ACLU’s Stanley, who participated in promoting privacy within NSTIC. “People use the Social Security number because they don’t have anything else. It’s ridiculous.”