Skip to main content
Microsoft Security

SSN for authentication is all wrong

Unless you were stranded on a deserted island or participating in a zen digital fast chances are you’ve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes an important part of the conversation was lost: if we didn’t misuse our social security numbers, losing them wouldn’t be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that I’ve met in my travels, don’t understand the difference between identification and verification. In the real world, conflating those two points doesn’t often have dire consequences. In the digital world, it’s a huge mistake that can lead to severe impacts.

Isn’t it all just authentication you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason it’s so hard for many of us to separate identification and verification is that historically we haven’t had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase, for example when you have to bring a birth certificate to the DMV to get your initial driver’s license. And ongoing identification like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! Worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kid’s soccer game and refusing to tell them your name for “security reasons.” How about: “Oh your new puppy is so adorable, what’s her name?” And you respond, “If I told you, I’d have to kill you.” Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness, if every street had the same name, you’d still have a heck of a time finding the right address wouldn’t you?

Now that we’re clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

In a town or public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky – how do you verify someone or something you’ve never met before? Ask them to- Prove It!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it’s very hard to forge a whole person. Or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren’t great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too. Which can lead to some fun calls with customer service, Oh, the town where I was born? It’s: xja*21njaJK)`jjAQ^. At this point in time our father’s middle name, first pet’s name, town where we were born, school we went to and address history should be assumed public, using them as “secrets” for verification doesn’t make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldn’t change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, you’d probably agree that the best digital verifiers are:

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think – Is your SSN a better identifier or verifier?