{"id":74725,"date":"2017-10-23T12:00:38","date_gmt":"2017-10-23T19:00:38","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=74725"},"modified":"2023-05-26T14:25:05","modified_gmt":"2023-05-26T21:25:05","slug":"ssn-for-authentication-is-all-wrong","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/10\/23\/ssn-for-authentication-is-all-wrong\/","title":{"rendered":"SSN for authentication is all wrong"},"content":{"rendered":"
Unless you were stranded on a deserted island or participating in a zen digital fast, chances are you’ve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes, an important part of the conversation was lost: if we didn’t misuse our social security numbers, losing them wouldn’t be a big deal. Let me explain: most people, and that includes some pretty high-up identity experts I’ve met in my travels, don’t understand the difference between identification and verification. In the real world, conflating the two doesn’t often have dire consequences. In the digital world, it’s a huge mistake that can lead to severe impacts.
Isn’t it all just authentication, you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failing to understand the differences is where the mess comes in. One reason it’s so hard for many of us to separate identification and verification is that historically we haven’t had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small, and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.
The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase (for example, when you have to bring a birth certificate to the DMV to get your initial driver’s license) and ongoing identification, like a unique ID number and a photo. These documents served as a single identification and verification mechanism. And that was great! It worked fine for years, until the digital age.
The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.
This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.
Do you want your name to be private? Imagine meeting another parent at your kid’s soccer game and refusing to tell them your name for “security reasons.” How about: “Oh, your new puppy is so adorable, what’s her name?” And you respond, “If I told you, I’d have to kill you.” Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.
We also want consistency in our identifiers. Imagine if that town had street signs but changed the names of the streets every 24 hours for security reasons. And uniqueness: if every street had the same name, you’d still have a heck of a time finding the right address, wouldn’t you?
Now that we’re clear on what the identifier is, we can enumerate a few aspects that make up a really good one:
In a town or on a public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust that Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky: how do you verify someone or something you’ve never met before? Ask them to prove it!
We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because it’s very hard to forge a whole person, or to switch all the street signs in a town. But verification online is trickier. We need to be able to provide verification of who we are to a number of entities, many of whom aren’t great at protecting data. And if the same verification is reused across entities and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too, which can lead to some fun calls with customer service: “Oh, the town where I was born? It’s xja*21njaJK)`jjAQ^.” At this point in time, our father’s middle name, first pet’s name, town where we were born, school we went to, and address history should be assumed public; using them as “secrets” for verification doesn’t make sense anymore.
If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. But what if you couldn’t ever change your password? What if it was permanent, and it was also lost in the Yahoo! breach? And it was the one you use at your bank, for your college and car loans, and for your health insurance? How would you feel?
So, with that in mind, you’d probably agree that the best digital verifiers are:
OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think: is your SSN a better identifier or verifier?","protected":false},"excerpt":{"rendered":"
Unless you were stranded on a deserted island or participating in a zen digital fast chances are you\u2019ve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes an important part of the conversation was lost: if we didn\u2019t misuse our social security numbers, […]<\/p>\n","protected":false},"author":61,"featured_media":74743,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3669,3678,3680],"products":[],"threat-intelligence":[],"tags":[3822,3809],"coauthors":[1916],"class_list":["post-74725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-data-protection","topic-multifactor-authentication","topic-privacy","tag-microsoft-security-insights","tag-security-strategies"],"yoast_head":"\n