[mjevans]

I agree with https://twitter.com/constmontague/status/1213309357204688899

"... we need a new personal identifier, SSNs are all stolen at this point"

Though identity and authentication should be different things, as an identifier the only real problem with SSNs is that we should be using UUIDs instead.

The hard part is authentication, which should have a far more secure process than merely knowing 9 digits everyone (re)uses.

[mjevans]

Maybe it would be more clear if I used some examples.

Identity: mjevans on news.ycombinator.com

Authentication: is allowed to post as (Identity), is allowed to vote on things, etc.

Identity alone should not imply authorization, when someone is asking for a proof of identity what they really want is a record that you are actually an identity (authorization).

[rexer]

I think you may have authentication and authorization swapped.

[mjevans]

You're correct in that I'm grouping authentication and authorization.

The three types of tuples would include:

An identity (E.G. a person at an address).

Proof that you are that person at that address.

A list of things you're allowed to do at that address (IRL laws, or for a computer account publishing as that address/etc).

[tialaramex]

SSNs are much too short, and were mostly issued in a foolish and predictable way (if you're a kid you might have a random SSN but most Americans still have ones issued the old way). Given the US plausible population load, issuing a randomly chosen 12 digit number incorporating a check digit would have been a better start.

But the authentication problem is the tricky part though, governments don't have a reliable way to authenticate their citizens today and even if you have a good will intent to fix this, that can be hijacked by people with less saintly motives. See India or China for how that might not go well.

[avital]

The Netherlands has a digital government sign-in ("DigID") which works very well, secured using text messaging or 2 factor auth. With it you view all of your official documents across all branches of government. It allows for delegating permissions (say between a married couple). It's really great and shows that with competence these systems work out great.

[kwhitefoot]

> governments don't have a reliable way to authenticate their citizens today

Yours might not but mine (Norway) seems to work quite well.

[miki123211]

I think we need a worldwide, federated identity system.

There should be multiple identity providers, mostly governments and organizations who already have lots of info about you, for example banks. This already works in Poland and several other european countries. Such organizations should verify that you are you the way they currently do, and give you a way of authorizing yourself, i.e. sms, mobile app, one time passwords etc. If someone needed to verify your identity, they would go through your chosen org for authentication. This approach has several benefits.

1. You can provide as much or as little info as you want. The info you provide could include true/false assertions. For example, a porn website could just ask the org whether your age >= 18, without the need to know your exact birthdate,. Same for citizenship, disability, criminal record etc.

2. You can easily integrate that with other services, for example payments or even a secure communication channel, letting companies contact you without learning any details about you. There could even be a secure shipping service, where the company selling you the product only gets a special qr code to stick on the package,. Only one shipping company would get your real address, the rest would just know the next leg of the route.

3. You could provide instant "not a robot" verification, without any captchas, without any personal data and without any hassle. The authorizing org would just give the requestor a token, different for each visit, that they could send with a "add to blacklist request". The next time a blacklisted user would try to log in to that service, their org would refuse to provide the token.

4. Ability to provide legal accountability without rewealing anything. The authenticating org would just provide a token to a service. The user could do whatever they wished, but, in case they'd do something illegal, the police could just force the org to actaully reveal who was behind that token.

Of course, the system would have to be regulated by a global body of governments or organizations. Each org would have certain resoponsibilities, i.e. allowing you to port your id to somewhere else, not requesting more data than necessary, honoring blacklists etc. If that system existed, implementing a safe, seamless online and real0-life experience would be trivial. Just imagine if it would be trivial to trace each website, each comment, everything to a real person with a court order, while not giving most companies any data whatsoever.

[g2graman]

If we had a worldwide, federated identity system, there's a problem with this I can already see: what's stopping nation's like China from expanding their social credit system to the population of the world then, against their will for example? For what purpose, I can't know, but it doesn't seem ideal.

On one hand, it would be incredibly useful to only ever have to deal with one service or standard for identities (and that could include the possibility of making things easier for identity theft products to do their job) but it brings with it these other risks around centralizing that kind of information.

[Nextgrid]

What prevents them from doing so now? They can already scrape public internet activity and create social credit profiles based on that.

Here I am posting a picture of Winnie The Pooh which I know Xi Jinping absolutely loves: https://ohmy.disney.com/wp-content/uploads/2016/01/Pooh.jpg and my "social credit" is presumably now at zero.

Thankfully I am not in China, never will be, so even if the Chinese social credit system hates me I can still take a train, get on a plane, etc.

[scarmig]

China already has identities for most people in developed countries. Everyone reading this is already in their systems.

[hakfoo]

Trying to control data by by format restrictions seems a little iffy.

If you offered a "isOver18" call to avoid exposing an actual age or date of birth record, you'd have to offer a whole range of others for a lot of legitimate needs (isOver21 for alcohol sales, isOver59.5 for some retirement account stuff, isOver55/60/65 for senior discounts, etc).

You could chain a bunch of those to at least pull a marketing-sufficient age category, and potentially a full age or DOB depending the number of such functions offered.'

If the identity providers asked users each time for consent a verification request cane in, that could limit that abuse pattern, but I suspect it would be the sort of thing where users got notification fatigue very fast and just start clicking "don't ask me again".

[judge2020]

> There should be multiple identity providers

I think we already have that: Google ;)

The only difference is that Google doesn't provide identity verification, only identity validation when you have previous knowledge of a Google account being associated to a user account.

[scarmig]

I would love it if emails were typically gathered by OIDC scope requests, and the provider would always provide an email address that could be traced to the audience. Something like mail@{ENC(sub + aud)}.oidcp.com.

[floatingatoll]

Can we calculate reproducible cryptographic private keys from fingerprints?

If you solve that, you'll unlock an entire business model centered around "anonymous entities that can be regenerated at any time using a biometrics booth at the mall and a secret passphrase known only to you".

[playeren]

That's even worse. Impossible to change fingerprints if a malicious party has your biometrics.

[prox]

Secure enclave like with Ios is an option. You never give your biometrics away.

[playeren]

Sure, I'm all for a key based solution. My opposition is against using biometrics for anything beyond convenience features.

[tialaramex]

Biometrics are relatively convenient and very safe when they're used in place (not remotely) with a human agent overseeing. No cops have ever let a suspect pop out to buy a 3D printer and some custom moulds before taking their prints. The airbase's gate guard isn't going to let you substitute a custom-made adversarial JPEG image for your face after asking you to roll down the window even though her normal job is statistical analysis and she has never fired that weapon she's carrying in anger.

They're not great without supervision and they're completely hopeless remotely.

[playeren]

> Biometrics are relatively convenient and very safe when they're used in place (not remotely) with a human agent overseeing.

In your estimate, how large a percentage of biometric security implementations follow your description?

[BLanen]

Yea but you'd literally be leaving your private key everywhere you are.

[floatingatoll]

If you seared your passphrase into your fingertips, sure. There's a reason it's not just 'fingerprints only' or 'passphrase only'.

[toohotatopic]

It already exists, it's your phone.

There are some limits in linking it to existing identifiers like names or SSNs. However, that doesn't matter because due to its nature, the phone leaves a trail. Any serious abuse can be punished.

[gondo]

This is a terrible, TERRIBLE idea. Especially for people who move a lot. Phone numbers get reused. I am currently maintaining 4 SIM cards just to keep services relaying on them active. About 2 months ago I forgot to recharge one of those SIM cards and was locked out of one of my bank accounts.

[toohotatopic]

Why don't you register all services with one SIM and use a Dual-SIM phone to get cheap rates on another card?

Since we are talking about introducing a new identity system, isn't it easier to resolve the problems you mentioned than to introduce something new?

[gondo]

Because some services (banks) restrict phone numbers to only local (same country) ones.

[q_andrew]

India has a sim card system like this, but it is actually even less secure and shockingly easy to game. That's not even counting for the fact that not everyone has a cell phone (a minority, but still exists).

[toohotatopic]

How do you game it apart from stealing a phone? It may be easy to get another identity but that's a feature.

If somebody commits a serious crime, the joined location of the phones will reveal the true identity unless somebody invests an amount of effort that's equal to buying a new passport.

[judge2020]

I imagine sim swapping is a thing over there as well, maybe even easier to do than in the US.

[toohotatopic]

So you get several identities. How do you game the system?

Intelligent agencies have failed to keep their phone usage cleanly separated. It's not that easy.

E.g. if you want to avoid progressive income taxes by registering several companies, your burner phone stands out because it doesn't have any other contacts. That will be further investigated.

Then you need the name of a living person who doesn't use a mobile phone to register it because otherwise, he would operate two phones at two different places. Another red flag.

[clairity]

UUIDs are a terrible idea, as you're completely ignoring the UX of SSNs (short, just numbers, easy to remember, structured, etc.)

SSNs are account numbers, and only account numbers, for your social security benefits, not an all-purpose resident identity number. they've only been co-opted to be such identifiers because everyone wants to piggyback on, and not additionally pay for, the extra measures the SSA has taken to uniquely identify workers when granting the numbers so we can't easily steal each others' retirement benefits.

tl;dr: SSNs are (financial) account numbers, not people identifiers, and should be treated like bank account numbers (for example).

[idhdu7dhj3ej]

This will never happen in a useful fashion at the federal level unless the Republicans get the house, Senate, and Presidency again and don't waste the time bickering with themselves. It would have to be implemented on a state by state basis. A national identifier would be able to exclude illegal immigrants too easily for the Democrats to support it. Over 1/3 illegal immigrants in America use ssn's of other people, most stolen but some belonging to friends or relatives. I realize this might seem inflammatory as a post but this simply isn't a situation that can be removed from American politics in this instance.

Edit: And for people who think I'm making this up, the GAO literally inquired with the IRS about the fraudent ssn use matter.

Edit 2: Lots of metric input but no comments. If you're browsing idly, let this be an example of HN culture for you.