An Identifier is not an Authenticator

Not too long ago, the House Ways and Means committee learned about and understood the difference between Identifiers (such as the PAN SSN, Driver License number, Email, User name, or account number) and an Authenticator.

A recent document produced by the Identity Coalition speaks to the challenge of identity. Found on their website https://www.betteridentity.org/

One paragraph reads

As a general rule, to be useful across multiple systems a widely used identifier must be persistent, meaning that it stays constant over time. The complexities induced by shifting an identifier to one that is not  persistent – but revocable – are significant.

This is a pivotal thought and one we should embed in our thinking.

This report starts with a discussion about who can play a role and who has established coherent verification and proofing mechanisms that can be used as a root of trust.  The Social Security number, given its pervasive place among the data stored about us, became an area of focus:

There are five steps that the government should take to change – and improve – the way we treat the SSN.

  1. Frame every proposal about the future of the SSN on the basis of whether it looks to impact the use of the SSN as an authenticator, an identifier, or both.
  2. Stop using the SSN as an authenticator. Use of the SSN as an authenticator rests on the idea that the SSN is a “secret” – and that knowledge of an SSN can thus be used to prove that someone is who they claim to be.
  3. Preserve use of the SSN as an identifier – but look to reduce its use wherever feasible.
  4. Consider changing laws and regulations that require companies to collect and retain SSN.
  5. The government should not seek to replace the SSN.

As I read through these choices, I replace the acronym SSN with PAN or any other identifier and I end up with the same concern.  We have allowed identifiers to become authenticators and now struggle to replace them with something else (i.e., a token).  When what we should have done is recognized that authentication was the missing element of the identity puzzle.

The report then continues with a set of recommendations including two areas of personal interest.

Strong Authentication Equals Multi-Factor Authentication

Promote and prioritize the use of strong authentication. Inherent in any policy change that prohibits use of the SSN as an authenticator is a way to replace it with something better. Here, the problem is not just with SSNs, but also with passwords and other “shared secrets” that are easily compromised by adversaries.

Multi-stakeholder efforts like the Fast Identity Online (FIDO) Alliance, the World Wide Web Consortium (W3C), and the GSMA have developed standards for next-generation authentication that are now being embedded in most devices, operating systems and browsers, in a way that enhances security, privacy and user experience.

International Coordination and Harmonization.

This one has particular meaning to me.  My family lives in two countries, we are citizens of a third and we have lived in four.  I want to be assured that whatever the process is to authenticate our identities in one will meet the basic requirements of all.

An interesting read and one I strongly recommend we work to promote.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.