In the wake of the Equifax breach and countless others compromising Americans’ privacy, one thing has become clear: It’s time to get rid of Social Security numbers.
While a string of digits on a paper card did the job in the 1930s, and got the government’s stamp of approval for identification purposes in 1972, it’s irresponsible for those nine numbers to continue to be the universal identifier for every part of our lives. We can do better; even the White House says so.
But the natural follow-up question—“What’s the replacement?”—is where things get complicated. We could have a digital, national ID card system like Estonia, but that’s proven to have its own security issues. We could use biometric technology to validate identities, using retina scans or facial recognition software, but these systems aren’t foolproof.
What about blockchain? Does the new, buzzy technology have the potential to one day replace Social Security numbers?
The best answer we have right now is: possibly. Blockchain is the technology behind encrypted, public ledgers for storing data that cannot be erased or changed without leaving a record. It is really good at controlling information and avoiding duplication, which makes it an interesting solution for governing identities. But it’s not a rip-and-replace for Social Security numbers. In my 20-year career in the technology industry, blockchain is one of the most intricate and unwieldy technologies I’ve seen, so a lot of work must be done to make it a workable backbone for identity management.
To get blockchain ready for primetime, collaboration between the private and public sectors will be critical. Project Jasper, a joint effort between the private sector and Canada’s central bank and payment systems operator over the past two years, is a good example of this type of work, and is a blueprint that the U.S. should follow if we ever want to see blockchain become a viable Social Security number replacement.
Looking ahead, here are three of the most pressing issues with blockchain we’ll have to address before we can consider it as a universal identifier.
Calling all regulators
Blockchain’s lack of regulation is exactly why early adopters in the cryptocurrency world love it, but that’s not viable for something as sensitive as identity. We need a trusted entity to establish some legal and enforceable rules for how it will all work, including basic protections for consumers. For example, if someone robs a bank and steals all the money out of the vault, customer account balances don’t change; they’re protected. At this point, unregulated Bitcoin users don’t enjoy the same benefit.
Regulators will also need to figure out how to manage the irreversible nature of blockchain. Given that blockchain stores information on a distributed and ever-changing database, regulators must put parameters in place that will allow people to somehow reverse or fix problems tied to their identities. Currently, a victim of identity theft cannot change their Social Security number, which is the primary reason why White House cybersecurity czar Rob Joyce is advocating for a new system. If regulatory bodies can’t find a solution, this may be a dealbreaker for blockchain.
Universal adoption required
Most consumers value user experience over privacy, proven time and time again by their willingness to share their locations, contact lists, and more with countless apps on their smartphones. In order for a highly complicated technology like blockchain to be accessible and adopted by every single person in the U.S., just like their Social Security card is, we’ve got a lot of bootstrapping to do.
To have an identity on blockchain, individuals are assigned a key that must be used to access and control their personal information. But where do they store this key? And what happens if they lose their key? How do they safely give others access to this key? The obvious answer is that you build an app to do it all. Enter the security problem.
Overcoming the insecurity cycle
Social Security numbers leave us vulnerable. The need to better secure and manage our identities is the whole reason we’re having this discussion. While blockchain has the ability to significantly improve identity management and security, that effort could go to waste the moment you put the key to all of that information in an app.
It’s an insecure loop. A user is assigned a key. Then they download an app, create an account, and store the key in the wallet on their smartphone, which is then stored in the cloud. All of a sudden you’re back at square one. An application storing the key to everyone’s identifying information—passports, birth certificates, medical records, you name it—is certain to have a target on its back. That’s why it is imperative to enforce strict standards for not only the security posture of the application holding the key, but the encryption protecting the key itself. Security is too often an afterthought for developers, and we cannot take that risk for something as important as our identities.
There’s no doubt that blockchain will play a role in the future of identity management, but the extent to which it is used will depend on our ability to think beyond our current solution set and apply emerging technologies to build a secure and compliant user experience. More endeavors like Project Jasper, where the private and public sectors work together, are needed if the government wants to realistically replace Social Security numbers with blockchain.
Frederic Kerrest is the co-founder and COO of Okta.