Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: scott hollatz <shollatz () D UMN EDU>
Date: Tue, 28 Mar 2006 15:41:13 -0600

I agree that the use of an identifier as authentication is flawed, but unfortunately what other solution is there?  Biometrics
are not anywhere near mature enough for a large-scale implementation, and even if they were, how do you "register"
individuals if the other forms of authentication are not reliable, i.e., SSN?

But, by definition, authentication is the binding of an identifier
to an entity.  This is even true in zero-knowledge or witness-hiding
authentication mechanisms.

This sounds like the perfect solution.  I think it's only a matter of
time before the use of an identifier as authentication becomes
ridiculous not only to security people, but also to financial institutions.

At 11:52 AM 3/28/2006, Gary Flynn wrote:
I vote we make all SSN and names public knowledge so they'll
be worthless as a basis on which to make a decision. Then,
when companies, governments, and organizations can no longer
use them as authenticators, they become worthless. ;)

--
scott hollatz                                        net shollatz () d UMn eDu
information technology systems and services          tel +1 218 726 8851
university of minnesota duluth mn usa                fax +1 218 726 7674
                                                                         --
                                              "Asn aD ta zlAp em uT zt33rg"
