The promise of better identity is exciting. Finding new solutions could not only address concerns with security and fraud, but also improve privacy and make it possible to offer new types of trusted services to a wider swath of Americans online.
Let’s take a closer look at our five key initiatives for policymakers:
INITIATIVE: PRIORITIZE THE DEVELOPMENT OF NEXT-GENERATION REMOTE IDENTITY PROOFING AND VERIFICATION SYSTEMS.
The current state: It’s clear from recent data breaches that adversaries have caught up with the systems that America uses to protect and validate online identities.
Many of these systems were developed to fill the “identity gap” that’s been caused by the lack of any formal national identity system. For example, a knowledge-based verification (KBV) system attempts to verify identity online by asking an applicant several questions that, in theory, only he or she should be able to answer. But adversaries, through multiple breaches, have now obtained enough data to defeat many KBV systems.
Where we need to go: While the United States does not have a national ID, our government does have a number of authoritative identity systems. The problem is that these systems are largely stuck in a paper world (think driver’s licenses and Social Security cards); none can be easily used — or validated — online.
The government should find a way to modernize its identity systems so that consumers can ask entities such as the Social Security Administration (SSA) and departments of motor vehicles to validate their credentials in the online world — and do it in a way that protects privacy and guards against identity theft.
How we can get there: There are four steps that the government can take to improve identity proofing and verification:
1. Offer new digital services to validate personal attributes. The single best way to address the weaknesses of KBV and other first-generation identity verification tools is to fill the “identity gap” that led to their creation. On the federal level, the Social Security Administration (SSA), and on the state level, agencies that issue driver’s licenses and identity cards are in the best position to offer new identity services to consumers.
   - SSA should allow consumers who are opening an account with an organization to electronically request validation that the name, Social Security number and date of birth they are providing match the data on file at SSA.
   - State departments of motor vehicles should allow consumers who are opening an account with an organization to electronically request validation that the information (name, date of birth, address, driver’s license number) they are providing matches the data on file in the state that issued their driver’s license.
   - State departments of motor vehicles should offer consumer-facing services through new “mobile driver’s license” apps that allow consumers to easily use their physical driver’s license to confirm their identity in the mobile world.
2. Offer grants to assist states in their migration to becoming digital identity providers. A five-year federal grant program would provide states with the seed money needed to invest their own resources in modernizing departments of motor vehicles and other identity infrastructures.
3. Develop a forward-looking investment strategy for research and development of identity tools and standards.
4. Address policy and regulatory barriers that inhibit private sector entities from modernizing identity systems — and create incentives that promote the adoption of innovations.
INITIATIVE: CHANGE THE WAY AMERICA USES SOCIAL SECURITY NUMBERS.
The current state: The national discussion about identity systems has shone a spotlight on how best to use the Social Security number (SSN). This credential was created in the 1930s as an identifier — something that helps set you apart from other people with the same name. Today, other common identifiers include your phone number, your email address or your Twitter handle.
Over time, public and private sector entities began using the SSN as an “authenticator.” Authenticators, such as passwords or biometric information, help determine whether the person claiming to be you is actually you. Unlike identifiers, authenticators are generated by the individual and not widely known.
After years of massive data breaches, millions of Social Security numbers have now been stolen, diminishing their value as an authenticator.
Where we need to go: Moving forward, both government and industry should stop using the Social Security number as an authenticator. Organizations should use it just as an identifier — while looking to reduce its use wherever feasible. When you call your bank or credit card company, for example, no one should ask you for the last four digits of your SSN to confirm your identity. This is no longer a secure, reliable method of authenticating identities.
How we can get there: The president should issue an executive order that precludes federal agencies from using the SSN for authentication. This approach would improve the federal government’s data security and send a strong signal to private sector entities that they should migrate to more secure authentication solutions.
Where feasible, companies and all levels of government should reduce their use of the SSN as an identifier — and find ways to protect it better when it is still used. Many members of the Better Identity Coalition believe that using the SSN beyond government-mandated applications has become a risk for companies. These members are taking steps to reduce their use of SSNs in favor of single-domain or context-specific identifiers.
It would be a mistake for the government to seek a wholesale replacement of the SSN, however. That would cost billions of dollars and create confusion for millions of consumers while offering little security benefit.
INITIATIVE: PROMOTE AND PRIORITIZE STRONG AUTHENTICATION.
The current state: There is no such thing as a “strong” password or “secret” SSN in America, and we should stop trying to pretend otherwise. Just as millions of Social Security numbers have been compromised, so too have passwords and other “shared secrets.” Verizon’s 2017 Data Breach Investigations Report revealed that 81% of all breaches were enabled by compromised passwords.
Where we need to go: The country needs to move away from passwords and the SSN and toward stronger forms of authentication, based on multiple factors that are not vulnerable to common attacks.
How we can get there: The good news is that industry and government have recognized the problems with outdated authenticators such as passwords and SSNs, working together these past few years to make strong authentication easier. Efforts involving multiple stakeholders — such as the Fast Identity Online (FIDO) Alliance, the World Wide Web Consortium (W3C) and the Global System for Mobile Communications Association (GSMA) — have resulted in standards for next-generation authentication that are being embedded in most devices, operating systems and browsers in a way that enhances security, privacy and user experience.
The federal government should continue its work on promoting strong authentication in sectors such as financial services, health care, and government and consumer applications, as well as modernizing rules that govern the use of strong authentication and reducing barriers to its adoption.
INITIATIVE: PURSUE INTERNATIONAL COORDINATION AND STANDARDIZATION OF IDENTITY SYSTEMS.
The current state: Consumers and businesses operate in environments beyond American borders, and other countries are also contemplating new approaches to making identity systems better.
Where we need to go: The United States should look for ways to coordinate with other countries and harmonize requirements, standards and frameworks where feasible and compatible with American values.
How we can get there: As the U.S. develops better identity solutions, policymakers should explore how those can be aligned with global efforts such as Europe’s go.eIDAS initiative and ongoing work by the Financial Action Task Force (FATF). Such coordination would allow Americans to more easily conduct business on the global stage.
INITIATIVE: EDUCATE CONSUMERS AND BUSINESSES ABOUT BETTER IDENTITY SOLUTIONS.
The current state: Consumers and businesses unknowingly put their digital identities at risk and might be unaware of safer methods.
Where we need to go: As the country works to improve its identity ecosystem, Americans must be aware of new identity solutions and how to best use them.
How we can get there: Government should partner with industry to educate both consumers and businesses and promote modern identity management approaches and best practices. The National Cyber Security Alliance (NCSA) — which has a strong record of driving public-private partnerships to educate the public on cybersecurity — should be engaged to promote better identity outcomes.