Fingerprints and SSN numbers are usernames, not passwords
As Equifax reveals that the Social Security Numbers of almost half of the US population may have been compromised, it’s worth reconsidering what we use SSNs for.
When I moved to the US a couple of years ago, it was immediately impressed on me that I had to keep my Social Security Number (SSN) secret and hidden. When I started opening a bank account and setting up a cell phone plan, it became obvious why.
A typical customer support call would go a little bit like this:
“Hi Mr Kamps. What are the last 4 digits of your Social, please?”
I’d tell them. And that’d be that — I’d be authenticated. Your name (and sometimes your birthdate) acts as your user name. Your SSN — or at least its last four digits — acts as your password.
There’s a huge and obvious problem here: That type of security relies on your SSN remaining secret. If your SSN leaks just once, you’re boned. It’s not possible to change your social security number. The problem with that is obvious: Relying on keeping an unchangeable piece of information secret is really bloody stupid.
The corollary is this: Imagine that your email has been hacked, but that your email provider tells you that you can’t change your password. That’s the situation we currently have with Social Security Numbers.
In Norway, you’re issued a “personnummer”. In Holland, you have a “SoFi nummer”. In the UK, you have a National Insurance Number. These numbers are all used to identify you for tax purposes, much like the SSN. There’s a huge difference, however: It is never assumed that this number is secret. You log in to your bank accounts with it. You freely tell your employers what it is. You may not want to tattoo it on your forehead, but that’s more a matter of taste (forehead tattoos aren’t my thing) — from a security point of view, there’s no particular reason why you shouldn’t.
The difference is huge: In most of the rest of the world, your SSN-equivalent is treated as a unique identifier. In other words: It is your unique username. In addition to your user name, you’ll need a password to deal with anything.
It’s not just social security numbers either. Fingerprints, iris scans, and other unchangeable pieces of information are fantastic as part of your security trifecta — but not as passwords.
What does good security look like?
Proper authentication for high-risk applications (your email, your bank, entrance into your evil super-villain lair with launch buttons for nuclear weapons, etc.) should ideally take a multi-pronged approach:
- Something to identify you (this is often public information. An email address, or your name. This isn’t part of ‘security’ as such.)
- Something you know (a password or passphrase that lives inside your brain)
- Something you have (a key fob / token generator / a message sent to your phone)
- Something you are (a finger print or iris scan)
Most security systems don’t bother, and instead rely on one or two of the above.
Your email might settle with two pieces of information you know (username + password) and something you have (an authenticator app and SMS message).
An ATM will accept something you have (your card) and something you know (a PIN).
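To make the username/password distinction concrete, here is an added Python example (not code from the original post) in which an SSN-like number is used purely as the lookup key for an account record, and authentication rests on something you know (a salted password hash) plus something you have (a TOTP code from a device). The `verify_by_last_four` function shows the “last four digits” check the article criticises: it verifies nothing that is not already public. The sample identifier, password and TOTP key are constructed, and the in-memory `USERS` dictionary stands in for a real user database.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# The anti-pattern described above: the caller proves nothing beyond knowing
# the identifier itself, and the identifier is public information.
def verify_by_last_four(ssn: str, last_four: str) -> bool:
    return ssn[-4:] == last_four


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the record stores this hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed stand-in for a user database: identifier (the "username") -> record.
USERS: dict = {}


def enroll(identifier: str, password: str, totp_key: bytes) -> None:
    """Register an account. The identifier is stored in the clear; it is not a secret."""
    salt = os.urandom(16)
    USERS[identifier] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_key": totp_key,
    }


def authenticate(identifier: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Something you know (password) + something you have (TOTP device).
    The identifier only selects the record; knowing it grants nothing."""
    record = USERS.get(identifier)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    now = int(time.time()) if now is None else now
    # Accept the current 30-second step and one step either side for clock drift.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_key"], now + drift * 30), code)
        for drift in (-1, 0, 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values; a real deployment would generate the key per user.
    enroll("123-45-6789", "correct horse battery staple", b"constructed-demo-key")
    t = int(time.time())
    print("last-four check 'passes':", verify_by_last_four("123-45-6789", "6789"))
    print("password + TOTP:", authenticate("123-45-6789", "correct horse battery staple",
                                           totp(b"constructed-demo-key", t), now=t))
```

Leaking every identifier in `USERS` would be unpleasant but would not let anyone log in, which is exactly the property the article says SSNs should have. The `totp` function is checked against the RFC 6238 SHA-1 test vector; the drift window of one step either side is the common compromise between usability and replay exposure.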
Which of the above approaches are appropriate depends on the cost/benefit analysis of the risk level. Do you care if someone steals your Twitter account? If you don’t, don’t worry about two-factor authentication.
Do you care if someone breaks into your bank account and steals all your money? If you don’t, just a username and password is fine. (Sadly, that’s often all you get… Which is, frankly, ridiculous).
Your phone might rely on something you have (the phone itself) and something you are (your fingerprint). That might be OK if you always have your phone within arm’s length, but obviously as soon as you lose your phone, or it’s stolen, you lose one of the factors of security. Again, it’s a cost/benefit analysis. I’ve decided that, given that I unlock my phone hundreds of times per day, it’s worth the risk. If you keep secret data on your phone, you may wish to choose another approach.
Don’t use your username as your password.
Under no circumstances should you rely on only public information. For example “what is your mother’s maiden name” is a terrible security question. In the world of Facebook, it takes all of 20 seconds to discover who your family members are, and in many cases, your mother’s maiden name is easy to track down.
In a way, perhaps the Equifax hack is a good thing: We should never have been assuming that we were able to keep Social Security Numbers secret. Now we have the proof, and need to start designing security solutions that reflect that SSNs are public pieces of information — much like your name, birthdate, and your mother’s maiden name.