Identification

It’s in the news today that the US government is looking into phasing out the use of Social Security Numbers for identification. This comes after the massive Equifax security breach, in which data including the Social Security Numbers of over 150 million Americans was stolen. For any company or organization to require or even use a Social Security Number for clients or customers at this point is almost criminally negligent.

But this makes one think: What other form of identification can be used? What is the fundamental problem that the use of identification attempts to address in the first place, and is there any truly good, reliable, or secure way to implement a solution?

I was thinking, for example, of the use of biometrics such as fingerprints for ID. In fact, my ThinkPad laptops and my Samsung Note phone all use fingerprints.

But let’s say that there’s a way for you to swipe your finger on a fingerprint reader on your phone and have it authenticate you for some service. The company or organization doing the authentication then has to have a record of your fingerprint, or else it has to trust that some intermediary, such as software on your computer, has successfully authenticated you via biometric authentication.

But all of this is also vulnerable. For example, if a company were storing fingerprint data for millions of customers, that data could also be stolen. A criminal could fake the authentication process and send what appears to be a valid authentication token to an organization.

Basically things can still be faked and/or stolen. So it’s an interesting problem because you still haven’t gotten around some of the issues that are happening now.

So how do you do it? What could be considered an acceptable form of identification or authorization that is practical, easy to implement, and simple to use?

We have this issue in society where different entities need to establish that someone is who they claim to be. But no matter what mechanisms are used to do so, they can be cheated in different ways, and the data can be stolen, whether it happens to be a 9-digit number, a fingerprint imprint, the scan of an iris, etc.

Another interesting issue is that we only want authentication for certain things, while for others we don’t want it. We value our freedom and our right to remain anonymous, so whatever technology we use to provide authentication has to be designed with certain limits as well.

There will have to be some acceptance of what is a reasonably satisfactory level of authentication and also ways to deal with what happens when it fails for any reason.

All systems are only as good as how they fail, and such a system will have to be well-designed with failure in mind.