> Recommendation 6: Reduce Use of Social Security Numbers as Personal Identifiers
> The executive branch should work with the private sector to reduce reliance on Social Security numbers.
I'm disappointed this is recommendation 6, but at least it is in there. I'm also disappointed that they suggest the executive fix this problem instead of legislating a solution. Hopefully they take some action on their own recommendation!
The executive branch is the proper solution.
If Congress mandates a solution, then it'd be like the VHS stuff all over again. Congress writes a thingy about VHS in the 1980s, and it's completely irrelevant 10 years later. (If a law states that something with VHS is done a certain way, will it apply to DVDs or Blu-rays when they are invented 10 years later? Or to streaming media 20 years later??)
The Executive Branch is the one that actually runs the government. Legislative Branch / Congress sets policies, but shouldn't set solutions. Law goes out of date incredibly quickly.
Ex: If Congress says that RSA Tokens are to be used instead of SSNs, what happens if a better invention (ex: Google Titan) comes out? Furthermore, even if Congress writes a certain policy down (ex: Two Factor Authentication is necessary to protect bank accounts), the Executive Branch is still the one that enforces the matter.
So in the case of Two Factor Authentication (legal requirement of banks to protect your bank account), the Executive Branch says that "3-personal questions + Password" counts as two-factor security in the USA. And that's why you have so many banks implementing "3-secret questions".
------------
So regardless, the job will come down to the Executive Branch.
Social security isn't a piece of technology, it's a government program. How is it in any way like VHS?
There are a lot of things that use public/private keys however, or security tokens, or whatnot. Should it be a smartphone app? A hardware dongle? Etc. etc. If a hardware dongle, which one?
As such, it's the Executive Branch's job to research the various technologies, and implement a new standard to solve the online identity problem.
----------
For example, 18F (White House's crack website team) has the following: https://login.gov/
GitHub code here: https://github.com/18F/identity-idp
If single sign-on were widely deployed across US Agencies (and tied to financial services / private sector banks), we'd be in a way better place.
In any case, this is clearly the realm of the Executive Branch. Specifically 18F probably should continue to lead the effort, as they have been.