Recent breaches reaffirm it’s time to modernize the Social Security Number

The Social Security Number (SSN) is the U.S. de facto national identifier, linking records held by public and private entities to a single individual. More than 453 million SSNs have been issued. This nine-digit number has become the core credential for government and commercial purposes. The United States never intended the SSN to serve as an identifier, but it is firmly embedded into the fabric of American commerce. Modernizing the SSN to become a secure and trusted digital credential would go a long way toward solving the basic problem of securely verifying and authenticating an individual’s identity online. 

Created in 1935, the SSN has become both an identifier and an authenticator; banks use it before lending you money, retailers use it to enroll you in special programs, schools use it to issue you an ID, and employers use it to verify your eligibility to work (the only one of these uses for which it actually was intended). Cyber criminals love the SSN, thanks to how easy it has been for them to steal — evidenced by recent breaches that have exposed SSNs.

Stolen Social Security Numbers are a powerful tool for committing fraud and identity theft. Online black markets make it easy for thieves to sell and exploit SSNs, which can be purchased for as little as $1 per number. In 2017, the Equifax breach resulted in 145 million SSNs being stolen — representing nearly 45 percent of U.S. citizens. It is almost impossible to replace stolen numbers, and an identity system that uses the same credential for identification, authentication and authorization is inherently vulnerable. We can’t afford to replace the SSN and start over. 

Instead, we should look to improve the SSN and make it a secure foundation for digital credentials. Moving to a modern system will take time, and there are mitigations that should be used in the interim, such as allowing for replacement if a number is compromised while a new system is developed and deployed. 

We can start by eliminating the practice of using the SSN for authentication or direct authorization, but continue to leverage the SSN as an identifier. An individual should be able to prove their identity to someone, but not make it such that when proving their identity, they’re giving the other party the ability to impersonate them. If we continue to rely on private pieces of information to prove our identity, we will continue to have those pieces of information stolen and misused. A useful piece of data that is only an identifier does not pose a security risk even if it is widely known but never used for authentication. 

Modernization should replace the SSN with a digital credential that relies on online processes for verification and allows for the adoption of new technologies. Regardless of the technologies used, four principles should guide SSN modernization. A new system should: 

• Preserve the SSNs ability to link multiple records to the same individual; 

• Allow for replacement when an SSN has been compromised;

• Minimize costs (including transition costs) and complexity for taxpayers; and

• Take advantage of advances in technologies for data storage, processing and connectivity to replace the paper cards we now use.  

The United States has tried many times in the past 20 years to improve digital authentication of identity, but these efforts did not succeed. SSN modernization offers us another chance. At the end of last year’s Congress, now-retired Rep. Sam Johnson (R-Texas), a champion of modernizing the SSN, introduced a bill to halt the issuance of paper SSN cards within five years, replace all existing cards within 10 years and require the Government Accountability Office to conduct a full study of federal uses of the SSN and the associated authorities requiring those uses at the start of every new Congress. 

We need a similar bill introduced during this Congress. The time for modernization is now. 

Steve Grobman is senior vice president and chief technology officer for McAfee. In this role, he sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide.

James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies (CSIS) and director of the Technology Policy Program. He previously worked at the departments of State and Commerce.