Time for Biometric ID

I agree with at least one component of Daniel Castro’s remarks at RealClearPolicy on the data breach at Equifax. It’s time, long past time actually, to abandon the Social Security number system:

We should replace the outdated, paper-based system of Social Security numbers with a secure identity system built for the digital era. To accomplish this, Congress must significantly expand the National Strategy for Trusted Identities in Cyberspace, an initiative led by the Department of Commerce to create secure electronic IDs that can be used both commercially and in government.

These electronic IDs would allow individuals to prove their identities (or attributes about their identities) securely to other systems — a complete replacement of the 80-year-old SSN for the digital era. Individuals could use these electronic IDs for a variety of purposes, from applying for credit and signing legal documents to verifying they are over the age of 21 when ordering wine online. The State Department, which already has systems and processes in place to verify the identity of individuals who apply for passports, could issue these electronic IDs. The IDs themselves could be either physical or digital artifacts, such as a smartcard or digital certificate installed in a mobile app.

The Social Security number system was devised when in all likelihood the system was administered with ledger cards. There was a ledger card for each individual enrolled in the system. In all likelihood each transaction was handwritten in—IIRC the ledger card machine which could imprint ledger cards wasn’t available until 1958.

There were far, far fewer of them, too. I believe the entire cache of old Social Security ledger cards are sitting around somewhere in 500 boxes.

Some form of biometric ID should be adopted. Not only would that make the system more secure it would make fraud a lot more expensive if not impossible.

Most OECD countries other than the Anglosphere countries, Denmark, and Norway have national ID cards, many of them are compulsory, and an increasing number are biometric IDs. It’s an idea whose time came a long time ago.

Update

About 35 years ago I advised a client not to use Social Security numbers as the primary ID for individuals in their computer systems on the grounds that it was insecure and likely to be banned. That’s exactly what has happened in many states but I wouldn’t be a bit surprised if there were still a lot of systems out there which use SSNs as primary IDs.

2 comments… add one
  • Andy Link

    Personally I’m skeptical of biometrics as they can be faked and stolen and can be unreliable as biological traits change over time.

    I think something along the lines of a modernized DoD Common access Card is a potential solution. Identities are established with two-factor authentication using public key encryption.

    More than that, though, I think companies which collect and hold personal information should be held criminally and civilly liable for protecting it.

  • DaleB Link

    Biometric identity is not a cure-all. An iris scan, retina scan, fingerprint, face scan, or any other form of identification is, when implemented in a computerized verification system, is just a number or an array of numbers. These are probably more secure than other forms of identification but if they are stored in a system that can be cracked by zero day vulnerabilities or human engineering or any of the other tricks that the bad guys use, they can still be stolen.

Leave a Comment