McAfee, in partnership with the Center for Strategic and International Studies (CSIS), today released Modernizing the Social Security Number: A Foundation for Online Authentication, a report addressing the growing privacy and security concerns of using the Social Security Number (SSN) as the de facto personal identifier in the United States. Rather than developing an entirely new identifier at this time, the report authors identify smart cards as the most viable approach to modernizing the SSN, solving the immediate needs of the U.S. Social Security Administration while also creating a trusted foundation for future digital identity initiatives in both the public and private sectors.
U.S. institutions have increasingly relied on the SSN as a personal identifier both online and offline, which makes it difficult to replace with a digital-age alternative. Yet the SSN is easily stolen and misused, and it is hardly ever reissued once stolen. Recent consumer data breaches show that SSNs are an appealing target for cybercriminals: they are stolen for a variety of fraudulent activities or sold in bulk on the cybercrime black market. The result is major privacy and security exposure for Americans, with some estimates putting the share of all SSNs that have already been stolen at between 60 and 80 percent.
"We have long known that the SSN was never meant to serve as a personal identifier, and its use as such has inadvertently rendered millions of Americans susceptible to identity theft and continued abuses of privacy," said Candace Worley, Chief Technical Strategist at McAfee. "These problems need to be solved with a solution powered by a digital credential for online authentication, but backed and validated by the trusted authority of the U.S. government."
Challenges to Modernization
The report authors examine various national efforts to update the SSN and draw three lessons from these past efforts:
- Complicated technologies that do not fit with commercial practices will not be adopted
- Commercial credentials will be trusted only if they are firmly linked to a government-issued credential
- A small but influential segment of the population fears strong authentication and a national ID system on privacy grounds
"I've participated in several initiatives throughout the years to replace the SSN and create a national identifier, and all of them have fallen flat for one reason or another," said James Lewis, senior vice president at CSIS. "As a first step, we propose rebuilding the SSN as the foundation for online authentication of identity, creating a path for the private sector to develop authentication apps that are anchored in a modernized, digital SSN."
Based on their analysis, the authors detail the problems facing any effort to build a more secure and trustworthy online environment:
- The processes by which identity is established and credentials issued are weak or erratic
- Mapping paper-based processes onto a digital environment (and onto digital credentials) has proven to be beyond the scope of private-sector activity and will not occur in government absent legislative direction and funding
- Networks may not trust credentials issued by other networks, given the lack of technical interoperability and common rules frameworks, which undermines the ability of these credentials to work across different organizations and industries
They identify four core principles necessary to successfully implementing a new SSN solution:
- It must preserve the SSN's ability to link multiple records to the same individual
- It should allow for easy replacement when an SSN has been compromised
- It should be a first step towards stronger online authentication in the U.S. and take advantage of advances in technologies for data storage, processing, and connectivity
- It should be done in a way that minimizes costs (including transition costs) and complexity for taxpayers.
The report evaluates a number of technical options for modernizing the SSN, including blockchain, mobile apps using sensors, biometric identifiers, federated identity and public key infrastructure (PKI). This analysis led the authors to recommend smart cards as the best path towards the objective. They cite the following reasons:
- Extensive existing experience with smart cards could minimize implementation problems and maximize public acceptance
- Smart cards would allow an incremental approach to SSN modernization, which could help avoid the pitfalls that have hampered previous U.S. efforts on authentication of identity
- The database infrastructure to support smart cards already exists: the Social Security Administration (SSA), a trusted issuer, already has verification systems in place
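The press release describes the intended model (a stable identifier that keeps linking records, a replaceable credential anchored in a government-issued smart card, PKI-style verification) but no protocol. The Go program below is an editor's added illustration, not code from McAfee, CSIS or the report, of how those four principles fit together: an issuer (a stand-in for the SSA) signs a credential binding a record identifier to a key pair held on the card; a relying party checks the issuer signature, a revocation status, and a challenge-response from the card; and a compromised card is replaced by revoking its serial and issuing a new key under the same record identifier. The issuer, record identifiers, serials, relying-party name and credential layout are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Credential is what the issuer writes onto a card: a stable record identifier
// (the SSN's linking role) bound to the card's public key. Hypothetical layout.
type Credential struct {
	RecordID   string            `json:"record_id"`
	CardSerial uint64            `json:"card_serial"`
	CardPubKey ed25519.PublicKey `json:"card_pub_key"`
}

// SignedCredential adds the issuer's signature over the encoded credential.
type SignedCredential struct {
	Cred Credential
	Sig  []byte
}

// Issuer simulates the issuing authority (stand-in for the SSA in this example).
type Issuer struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	nextSer uint64
	revoked map[uint64]bool
}

// Card simulates the tamper-resistant token: the private key never leaves it.
type Card struct {
	Cred SignedCredential
	priv ed25519.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{pub: pub, priv: priv, nextSer: 1, revoked: map[uint64]bool{}}, nil
}

// PublicKey is the issuer's well-known verification key.
func (i *Issuer) PublicKey() ed25519.PublicKey { return i.pub }

// encode is the byte string that gets signed; json.Marshal emits struct fields
// in declaration order, so the encoding is deterministic for a given credential.
func encode(c Credential) []byte {
	b, _ := json.Marshal(c)
	return b
}

// IssueCard generates a key pair for a new card and binds its public key to
// recordID under the issuer's signature. Re-issuing for the same recordID is
// how a compromised card is replaced without changing the linking identifier.
func (i *Issuer) IssueCard(recordID string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := Credential{RecordID: recordID, CardSerial: i.nextSer, CardPubKey: pub}
	i.nextSer++
	return &Card{Cred: SignedCredential{Cred: c, Sig: ed25519.Sign(i.priv, encode(c))}, priv: priv}, nil
}

// Revoke marks one card serial as compromised; the record identifier is untouched.
func (i *Issuer) Revoke(serial uint64) { i.revoked[serial] = true }

// IsRevoked is the status lookup a relying party would make (CRL/OCSP-like).
func (i *Issuer) IsRevoked(serial uint64) bool { return i.revoked[serial] }

// challengeMsg binds the nonce to the relying party so a response captured at
// one site cannot be replayed at another.
func challengeMsg(nonce []byte, relyingParty string) []byte {
	return append(append([]byte{}, nonce...), relyingParty...)
}

// Respond is the card's half of the challenge-response.
func (c *Card) Respond(nonce []byte, relyingParty string) []byte {
	return ed25519.Sign(c.priv, challengeMsg(nonce, relyingParty))
}

// ForgedCard models an attacker who copied the credential data (as an SSN is
// copied today) but not the card's key, and so must sign with a key of their own.
func ForgedCard(original *Card) (*Card, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Cred: original.Cred, priv: priv}, nil
}

// Authenticate runs the relying party's checks and returns the record identifier
// on success. Both sides of the exchange are simulated in-process here.
func Authenticate(issuerPub ed25519.PublicKey, isRevoked func(uint64) bool, relyingParty string, card *Card) (string, error) {
	sc := card.Cred
	if !ed25519.Verify(issuerPub, encode(sc.Cred), sc.Sig) {
		return "", errors.New("credential not signed by issuer")
	}
	if isRevoked(sc.Cred.CardSerial) {
		return "", errors.New("card revoked")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if !ed25519.Verify(sc.Cred.CardPubKey, challengeMsg(nonce, relyingParty), card.Respond(nonce, relyingParty)) {
		return "", errors.New("response not signed by the key in the credential")
	}
	return sc.Cred.RecordID, nil
}
```

The point the example makes is the one the principles list implies: what the relying party learns is the record identifier, never a reusable secret, so a copied credential is useless without the card, and replacement after compromise is a revoke-and-reissue operation rather than a change to every linked record.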
Worley continued: "The report provides a wide-ranging review of what has and hasn't worked in past efforts to establish national digital identity frameworks, and nicely frames the role government can play to address an immediate technical need while also opening the way for private sector innovation. The smart card is one example of a technology with the potential to enhance citizens' security and privacy today, while also becoming the trusted platform upon which the private sector can build the identity solutions of tomorrow."
The features and benefits of McAfee technologies depend on system configuration and may require enabled hardware, software, or service activation. No computer system can be absolutely secure.