I keep running across companies that still, in 2018, are using the last four digits of SSN or mother’s maiden name as an authenticator. We have 170+ million reasons why that’s a bad idea, and yet it persists. That’s beyond inertia, past laziness, and nearly into negligence territory. It’s time to end the practice of using easily discoverable information as an authenticator – especially those two, and especially to set up or validate new accounts. It’ll take everyone working together to kill off this terrible practice.
If you are a customer of a company that does it, ask to set a password on the account instead (then call later and check to make sure that they actually enforce it!). If they don’t allow you to do that, or fail to enforce it, then get on social media and shame them. One company I use will let you do it, but they’ve created a massive barrier – they let you create an insecure authenticator over the phone or online, but require a time-consuming in-person visit to use a secure one!
If you’re a developer and asked to write code to implement SSN-based authentication, push back. If you’re the business analyst who wrote that requirement, change it. If you’re the executive who approved the requirements, unapprove it. If you’re the QA engineer who tested a system that uses it, fail it. If you’re a security professional, launch a project to remove it from legacy systems.
If you’re an auditor reviewing a system that uses SSN like this, fail them. If you’re a regulator defining acceptable practices, ban it. If you’re a congresscritter, outlaw it. Everyone, everywhere, needs to push back on this outdated, dangerous and lazy approach to security.
For new account setup, knowledge-based authentication (KBA) has issues (particularly after the recent breaches), but it’s still better than a raw SSN. For existing accounts, two-factor via SMS isn’t perfect, but it’s better than single-factor; or use an out-of-band channel (e.g. US Mail) to send a 6+ digit random PIN code. Or use one of the many other alternatives that don’t rely on the single most targeted and compromised piece of personal information in existence.
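As an added example (not code from the original post), here is what the out-of-band random PIN alternative looks like when implemented properly: the PIN comes from a cryptographic RNG rather than from something already sitting in breach data, only a salted hash is stored, the check is constant-time, and the PIN is single-use with an expiry and an attempt budget. The class and constant names, the 14-day window and the 5-attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

PIN_LENGTH = 6                   # the post suggests a 6+ digit random PIN
MAX_ATTEMPTS = 5                 # assumed attempt budget per issued PIN
TTL_SECONDS = 14 * 24 * 3600     # assumed window, generous because US Mail is slow


class PinIssuer:
    """Issues and verifies one-time PINs delivered out of band (illustrative name)."""

    def __init__(self, now=time.time):
        self._now = now
        # account_id -> (salt, pin_hash, expires_at, attempts_left)
        self._records = {}

    def issue(self, account_id: str) -> str:
        """Generate an unpredictable PIN; only its salted hash is retained."""
        # secrets, not random: unlike an SSN suffix, this value must be unguessable
        pin = f"{secrets.randbelow(10 ** PIN_LENGTH):0{PIN_LENGTH}d}"
        salt = secrets.token_bytes(16)
        self._records[account_id] = (
            salt, self._hash(salt, pin), self._now() + TTL_SECONDS, MAX_ATTEMPTS)
        return pin  # handed to the print/mail pipeline, never logged

    def verify(self, account_id: str, candidate: str) -> bool:
        """Single-use check: consumed on success, dead after TTL or MAX_ATTEMPTS."""
        rec = self._records.get(account_id)
        if rec is None:
            return False
        salt, digest, expires_at, attempts_left = rec
        if self._now() > expires_at or attempts_left <= 0:
            del self._records[account_id]
            return False
        ok = hmac.compare_digest(digest, self._hash(salt, candidate))
        if ok:
            del self._records[account_id]            # one-time: burn it on success
        else:
            self._records[account_id] = (salt, digest, expires_at, attempts_left - 1)
        return ok

    @staticmethod
    def _hash(salt: bytes, pin: str) -> bytes:
        # slow hash so a leaked table of PIN hashes is not trivially reversible
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
```

The attempt budget matters as much as the PIN length: a six-digit code with unlimited retries is only marginally better than the four digits the post is arguing against.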
Security is the poster child for continuous improvement – let’s make it better tomorrow than it is today. Retiring the ‘last four digits of your SSN’ is a darned good first step.