How do we know it’s really you reading this article right now and not someone posing as you?
Honestly, who cares.
Tell us you are Justin Bieber or Kim Kardashian if you want to.
And then keep reading.
But when you go to open a new credit card, add a bank account, or take out a loan, we all depend on the fact you are, actually, you.
You must be authenticated because our systems of commerce and governance are built on this very foundation of authentication.
Social Security Number was the gold standard for authentication
For decades, your Social Security Number was the gold standard of authentication.
You gave your Social Security Number to your bank. Your wealth became uniquely yours. You gave it to an investing house. Your 401(k) became uniquely yours.
Your taxes, your medical records, your credit cards, they are yours because your SSN and a few other pieces of information have made it so.
Your Social Security Number has been like a bridge between your actual human self and the rest of the digitized world. Now, however, it's a "bridge" that is crumbling and may be about to crash into the river below while you are standing on it.
Stanford CISO says Social Security Number is no longer a secret
We met Stanford University’s Chief Information Security Officer Michael Duff a few steps from Levi’s Stadium, home of the San Francisco 49ers.
He was speaking at SecureWorld Bay Area, our annual cybersecurity conference in Santa Clara. He told us that the Social Security Number is ancient history when it comes to proving who you are.
“A fundamental idea is that a secret that is known by everyone is no longer a secret,” he says. Watch his interview on how widely known your Social Security Number has become.
Identifiers vs. Authenticators
Duff says information like our Social Security Number is still able to identify us. That is, one SSN is assigned to one living person in the U.S.; it is assigned to us.
But because it’s become so widely known and in many cases compromised or hacked, others can have it and use it. So it no longer should be considered something that authenticates the person typing it into the keyboard to open the account.
Moving past the Social Security Number to prove who you are
So how do we move past the Social Security Number to authenticate who we are? In the next video, Michael Duff has ideas on what should replace the Social Security Number.
Ideal ID Framework is scalable and decentralized
Duff says “public key cryptography” would allow those on both sides of a digital connection to verify they are for real without ever revealing the "secret" the two sides are sharing. Certified digital keys will provide the guarantee, but those keys must be carefully protected.
“An idealized ID framework will be easy to use and universal or large scale for a nation or the globe. And there is no centralized trust,” he says.
“Anytime you introduce a single point of trust, it falls apart. There's a good chance that point of trust will be compromised. And who do you trust? Do you trust the government, do you trust a company?"
So, is this the right alternative to the Social Security Number as something that proves you, are in fact, you?
Judging from the questions and comments at the end of Michael Duff’s session at the SecureWorld conference, it’s clear there will be a lively debate about what is next.
One this is for certain, though.
The chorus is growing louder that your Social Security Number is not what it used to be.
Even though the numbers themselves are exactly the same.
