
Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem. These things are not secret, and having me say mine does not prove that you're talking to me.



In my (shared) office, everyone knew each other's last 4 SSN digits, because whenever on the phone to some random customer service rep, we had to give them to "authenticate".


> Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem.

I honestly don't see how you didn't just restate what I said with different language, while simultaneously saying you disagree with me.

Either way, I agree, and don't really think this is worth a cyber-argument so not sure if I should even be responding. Oh well.


It would be just fine to rely on SSN as an identifier, even on a much larger scale than the USA does now, if only it were clearly assumed that this number isn't secret.



