Moving Beyond Social Security Numbers Part 1: Claiming Your Unique, Digital Identity
Americans feel more helpless than ever in the wake of the Equifax breach. With the sensitive personal information of 143 million people — more than half of all American adults — now available to criminals, there is little the average American can do to prevent their own identity from being hijacked and used against them. Even the FTC in its advice to consumers is lamely advising people to file their tax returns as fast as possible — essentially advising people to try to beat criminals to claim their own identity — in a race that millions of Americans are sure to lose.
Some are even calling for “killing” the social security number. Unfortunately, regulation that prohibits the use of the social security number would simply limit the options available to innovators to change the game. The social security number is still useful, albeit in a more limited role.
Think of your Name, Date of Birth, and Social Security Number as the unique street address to your digital identity. In combination, those data elements identify you as a single unique person. The question organizations face online, of course, is whether or not the user claiming that address — your identity — is you or a criminal.
Somewhere deep in the FTC’s advice about filing tax returns is a hidden truth: if you claim your digital address — your identity — before criminals do, then you can protect yourself. But every American cannot hope to beat criminals to every organization that delivers valuable services online: the IRS, Social Security Administration, SNAP, Medicare, Medicaid, PayPal, bank accounts, healthcare records, and so on.
The FTC needs to think bigger. Their advice should apply to the entire internet — register your identity with any one of a number of trusted and certified identity providers and then you can “lock down” the use of your identity by setting strong, two-factor authentication. Anyone who subsequently tries to use your identity to access entitlement benefits, file taxes, open a bank account, apply for healthcare, complete a payment, etc. will trigger a notification that is sent to the registered user to see if the transaction is legitimate.
In this model, criminals who attempt to claim your identity are told that the identity is already registered — please login to your account. If two-factor authentication is enabled, then the methods to login to your account are layered and highly resilient to account takeover attempts. It is much cheaper to buy someone’s static information online than to steal someone’s password and their phone or a security key. As a result, criminals who have your static personal identity information will not be able to claim your digital identity because once the identity is claimed, the only way to assert the identity online is to prove the ability to login to the account.
This approach leverages two distinct differences between legitimate owners of identities and criminals. If you open a bank account today, then three years from now your login with that bank will have accumulated much more trust than when it was first opened: tens of thousands of dollars of financial transactions, multiple registered devices, no reports of fraud. The bank can be very confident that the owner of that login is the legitimate owner of the asserted identity. Conversely, if a criminal opens a bank account in your name today, then they will conduct a very limited amount of business (they’re professionals, after all, who need to make a living) until they are able to defraud the bank. At that time, the account will be closed and the fraud will be noted.
When logins are portable across the internet, you, as the legitimate owner of your identity, will be able to securely and efficiently prove your identity across the web in a way that organizations are able to trust, with more and more confidence because they can see the trusted reputation associated with the login building. On the other hand, criminals, once booted off a hijacked address, will find that when the rightful owner of the address has claimed it and secured it with two-factor authentication, that they can no longer take over the identity with static information. This point is particularly important, because individuals who have been previous victims of identity theft will be at no higher risk of identity theft than any other person, once their identity is secured by strong authenticators like a password plus a biometric like fingerprint or face login.
The answer to the Equifax breach isn’t to kill the social security number. The answer is for websites to recognize federated logins for sign-up and sign-in the same way that Visa allows merchants to recognize credit and debit cards for transactions from many different banks in a standardized way. Banks, telecoms, and technology companies can and should become digital DMVs that ensure that once an identity is claimed online — once a legal credential has been issued to a single user — the identity can then be claimed only by a user who demonstrates the ability to produce the digital credential, i.e. two-factor authentication.
Imagine a world where, once you claimed your identity online, you would receive a notification by text every time someone tried to file your taxes, or open a bank account, or apply for health care in your name. And all you had to do to stop the false transaction was type “N”, text it back to your digital DMV provider, and get on with your day knowing you are in full control of your own identity.
Read Part 4: Data minimization and consent by design
ID.me is the next-generation digital identity platform that provides for trusted and convenient interactions between individuals and organizations. Government agencies and commercial partners use ID.me for online identity proofing and authentication to ensure their platforms and users are protected from fraud and identity theft. All media inquiries can reach Laura Cruz at email@example.com