[October 10, 2018]
New Report Evaluates Approaches to Modernizing Social Security Numbers
McAfee, in partnership with the Center for Strategic and International
Studies (CSIS), today released "Modernizing
the Social Security Number: A Foundation for Online Authentication,"
a report addressing the growing privacy and security concerns of using
the Social Security Number (SSN) as the de facto personal identifier in
the United States. Rather than developing an entirely new identifier at
this time, the report authors identify smart cards as the most viable
approach to modernizing the SSN, solving the immediate needs of the U.S.
Social Security Administration while also creating a trusted foundation
for future digital identity initiatives in both the public and private
sectors.
U.S. institutions have increasingly relied upon the SSN as a personal
identifier both online and offline, making it difficult to easily
replace it with a digital age alternative. Yet the SSN is easily stolen
and misused, and it is hardly ever reissued once it is stolen. Recent
consumer data breaches demonstrate that the SSN is an appealing target
for cybercriminals; SSNs are stolen for a variety of fraudulent
activities or sold in bulk on the cybercrime black market. This has
resulted in major privacy and security vulnerabilities for Americans,
with some estimates saying that between 60 percent and 80 percent of all
SSNs have been stolen.
"We have long known that the SSN was never meant to serve as a personal
identifier, and its use as such has inadvertently rendered millions of
Americans susceptible to identity theft and continued abuses of
privacy," said Candace Worley, Chief Technical Strategist at McAfee.
"These problems need to be solved with a solution powered by a digital
credential for online authentication, but backed and validated by the
trusted authority of the U.S. government."
Challenges to Modernization
The report authors examine various national efforts to update the SSN
and draw three lessons from these past efforts:
- Complicated technologies that do not fit with commercial practices
  will not be adopted
- Commercial credentials will be trusted only if they are firmly linked
  to a government-issued credential
- A small but influential segment of the population fears strong
  authentication and a national ID system on privacy grounds
"I've participated in several initiatives throughout the years to
replace the SSN and create a national identifier, and all of them have
fallen flat for one reason or another," said James Lewis, senior vice
president at CSIS. "As a first step, we propose rebuilding the SSN as
the foundation for online authentication of identity, creating a path
for the private sector to develop authentication apps that are anchored
in a modernized, digital SSN."
Based on their analysis, the authors detail the problems facing any
effort to build a more secure and trustworthy online environment:
- The processes by which identity is established and credentials issued
  are weak or erratic
- Meshing paper-based processes to a digital environment (and to digital
  credentials) has proven to be beyond the scope of private-sector
  activity and will not occur in the government absent legislative
  direction and funding
- The lack of technical interoperability and common rules frameworks
  undermines digital credentials' abilities to work across different
  networks, where entities may not trust credentials from other networks
- Networks may not trust credentials issued by other networks given a
  lack of technical interoperability and common rules frameworks,
  undermining the ability of these credentials to work across different
  organizations and industries.
They identify four core principles necessary to successfully
implement a new SSN solution:
- It must preserve the SSN's ability to link multiple records to the
  same individual
- It should allow for easy replacement when an SSN has been compromised
- It should be a first step towards stronger online authentication in
  the U.S. and take advantage of advances in technologies for data
  storage, processing, and connectivity
- It should be done in a way that minimizes costs (including transition
  costs) and complexity for taxpayers.
Technology Options
The report evaluates a number of technical options for modernizing the
SSN, including blockchain, mobile apps using sensors, biometric
identifiers, federated identity and public key infrastructure (PKI).
This analysis led the authors to recommend smart cards as the best path
towards the objective. They cite the following reasons:
- The extensive experience with smart cards could minimize
  implementation problems and maximize public acceptance
- Smart cards would allow an incremental approach to SSN modernization,
  which could help avoid potential pitfalls that have hampered previous
  U.S. efforts on authentication of identity
- The database infrastructure to support smart cards already exists,
  with the Social Security Administration (SSA), a trusted issuer,
  already having verification systems in place
Worley continued: "The report provides a wide-ranging review of what has
and hasn't worked in past efforts to establish national digital identity
frameworks, and nicely frames the role government can play to address an
immediate technical need while also opening the way for private sector
innovation. The smart card is one example of a technology with the
potential to enhance citizens' security and privacy today, while also
becoming the trusted platform upon which the private sector can build
the identity solutions of tomorrow."
For more information and analysis on the report's findings, please see
the full report, related commentary, and a livestream discussion of this
topic at a CSIS event today.
About McAfee
McAfee is the device-to-cloud cybersecurity company. Inspired by the
power of working together, McAfee creates business and consumer
solutions that make our world a safer place. www.mcafee.com
The features and benefits of McAfee technologies depend on system
configuration and may require enabled hardware, software, or service
activation. No computer system can be absolutely secure.
View source version on businesswire.com: https://www.businesswire.com/news/home/20181010005040/en/