Friday, January 26, 2007

Social security numbers as authenticators...

It troubles me when I see that inspite of all the noise about identity theft, nothing is being done to fix the basic broken element in the system: the use of social security numbers and other personal information like mother's maiden name to authenticate people. SSNs may have served a purpose as an interim solution for authentication until a "real" solution was found but they don't scale well.
They are like "pre-shared key" based authentication (actually much worse). It is well understood that pre-shared keys are fine for small scale use like your home wireless network and even then it is recommended that they be changed periodically. The case with SSNs is much worse: the same key is used as an authenticator over a person's whole lifetime and everywhere the person needs to authenticate himself: banks, rental leases, loans, employers... And it cannot be changed!

Add to Technorati Favorites
Add to Technorati Favorites
Add to Technorati Favorites

1 comment:

Anonymous said...
This is what the government doesn't know the difference between identification and authentication. If the writer of this chapter finds this page:
identification = who are you?
authentication = prove that you are who you claim to be.