Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: Jere Retzer <retzerj () OHSU EDU>
Date: Tue, 28 Mar 2006 16:39:00 -0800

There are lots of possibilities. Use, for example, a multi-step process to register folks and assign a user id. They 
register with an e-mail to which you send a code, for example, as commonly used for commercial applications. 
 
There is work going on now on exchanging electronic health records aimed toward the eventual creation of a national 
capability that does not use global identifiers of any sort. Rather, the participating systems identify/retrieve health 
records by matching demographics.

nick.pullman () CITIGROUP COM 03/28/06 1:20 PM >>>

I agree that the use of an identifier as authentication is flawed, but unfortunately what other solution is there?  
Biometrics are not anywhere near mature enough for a large-scale implementation, and even if they were, how do you 
"register" individuals if the other forms of authentication are not reliable; i.e. SSN.

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Tuesday, March 28, 2006 1:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Bare Social Social Security Numbers

This sounds like the perfect solution.  I think it's only a matter of
time before the use of an identifier as authentication becomes
ridiculous not only to security people, but also to financial institutions.

At 11:52 AM 3/28/2006, Gary Flynn wrote:
I vote we make all SSN and names public knowledge so they'll
be worthless as a basis on which to make a decision. Then,
when companies, governments, and organizations can no longer
use them as authenticators, they become worthless. ;)



