
Ah, lovely: "papers please, citizen". And what happens when Friend Computer with all this proof of identity gets hacked?

Maybe the USA needs everyone to have a new SSN, and to ban, with very strict penalties, its use by anyone other than the state, and then only for highly restricted usages, as it is in the UK.




Considering that Social Security numbers are not secure, and were never intended to be secure, I favor this approach. Unless you’re the federal government, you shouldn’t know or care about my social security number. Idiots are always going to think SSNs are a good UUID, and I’m always in favor of punishing idiots.


Almost 20 years ago, when working for British Telecom, we were read the riot act and were told that any non-permitted use of NI numbers would be considered gross misconduct and you would be sacked on the spot.


> Ah, lovely: "papers please, citizen". And what happens when Friend Computer with all this proof of identity gets hacked?

While it doesn't solve the "papers please" aspect:

1. The card holds the biometric data of the person, plus a PIN. The card is the only thing that holds this.

2. All the card does is output "yes" or "no" as to whether you are you.

3. You have or use a reader for authenticating who you are. The reader takes your biometric data (fingerprint scan, face scan, or something else) and has you enter your PIN. It takes this info, hashes it, compares it to the stored info, and outputs the "yes" or "no" answer.

Very basic thing here. 3-factor, and the data about you is never stored anywhere else; the card/reader combo does the rest. The data about you never leaves the card (in fact, it can't: it would be write-only for that data).

We have all the technology to do this today. What we don't have is the will. So it won't be implemented.

I'm not saying the above is perfect, but it is 3-factor (what you are, what you have, what you know), and that is what is needed most. The information stays with the owner on the card. All transactions can only be done with the card on hand to prove you are you. You can change the PIN at will, maybe even the biometric data, but both are write-only and can't leave the card. The card can read in data (an image for the biometric data, and the code for the PIN), but all it does is hash that together, compare it to the stored hash, and output a yes/no.

I'm not saying the above is perfect, and I am sure I have forgotten something. But it, or something like it, is what we ultimately need. But we won't get it. Ever.


If the card outputs "yes" or "no", you are creating new security incidents just waiting to happen: proxying, oracular attacks, faux cards that respond improperly to the binary question, etc. This means that your system is actually two-factor, a PIN and biometrics. A PIN is extremely weak, and for sure biometrics need to be designed and implemented properly.

Also, notice the other subtle dependency that was introduced with the PIN only kept on the card: the PIN might as well not exist.

This is all known. The issue isn't how to design a security system. The issue is the fly-by-the-seat-of-the-pants lack of security in deadline-driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.
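The card scheme sketched in the earlier comment (hash of biometric template plus PIN kept on the card, bare yes/no output) and the reply's objection to it (a faux card or a proxy can answer "yes" without holding anything, which also makes the on-card PIN check worthless to the verifier) can both be seen in a small model. The following is an added example written for this thread, not code from either commenter: the `NaiveCard` class models the scheme as described, `FauxCard` is the reply's always-yes card, and `ChallengeCard` shows the usual remedy, binding the answer to a verifier-chosen random challenge with a key that the card holds from enrollment. HMAC with a key the verifier also knows is used here only because the standard library has no signature scheme; a deployed version would hold a private key on the card and give the verifier only the public key. The biometric template and PIN values are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed sample data standing in for a biometric template and a PIN.
SAMPLE_TEMPLATE = b"fingerprint-template-bytes"  # placeholder, not a real template
SAMPLE_PIN = "4921"                               # placeholder PIN


def _digest(template: bytes, pin: str) -> bytes:
    """Hash the biometric template together with the PIN, as the comment proposes."""
    return hashlib.sha256(template + pin.encode()).digest()


class NaiveCard:
    """The scheme as described: the card stores only the hash and answers yes/no."""

    def __init__(self, template: bytes, pin: str):
        self._stored = _digest(template, pin)   # raw template and PIN are never kept

    def verify(self, template: bytes, pin: str) -> bool:
        return hmac.compare_digest(_digest(template, pin), self._stored)


class FauxCard:
    """The reply's objection: a card that says yes to everything holds no secret."""

    def verify(self, template: bytes, pin: str) -> bool:
        return True


def naive_verifier_accepts(card, template: bytes, pin: str) -> bool:
    """A verifier that trusts a bare boolean has nothing else it can check."""
    return card.verify(template, pin)


class ChallengeCard:
    """Same on-card matching, but the answer is bound to a fresh challenge with a
    card-held key, so a card that lacks the key cannot produce an accepted answer."""

    def __init__(self, template: bytes, pin: str):
        self._stored = _digest(template, pin)
        self._key = secrets.token_bytes(32)     # generated at enrollment, kept on-card

    def enrollment_key(self) -> bytes:
        # Assumption: handed to the verifier once at enrollment. With a real
        # signature scheme this would be the public key only.
        return self._key

    def respond(self, template: bytes, pin: str, challenge: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(_digest(template, pin), self._stored):
            return None                         # local match failed: no answer at all
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class FauxChallengeCard:
    """An always-yes card in the challenge protocol: it must guess the key."""

    def respond(self, template: bytes, pin: str, challenge: bytes) -> Optional[bytes]:
        return hmac.new(b"no-real-key", challenge, hashlib.sha256).digest()


def challenge_verifier_accepts(card, registered_key: bytes,
                               template: bytes, pin: str) -> bool:
    """Issue a random challenge and accept only an answer keyed to the enrolled key."""
    challenge = os.urandom(16)
    response = card.respond(template, pin, challenge)
    if response is None:
        return False
    expected = hmac.new(registered_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    genuine = NaiveCard(SAMPLE_TEMPLATE, SAMPLE_PIN)
    print("naive, genuine card, right PIN :", naive_verifier_accepts(genuine, SAMPLE_TEMPLATE, SAMPLE_PIN))
    print("naive, faux card, any PIN      :", naive_verifier_accepts(FauxCard(), b"x", "0000"))
    card = ChallengeCard(SAMPLE_TEMPLATE, SAMPLE_PIN)
    key = card.enrollment_key()
    print("challenge, genuine, right PIN  :", challenge_verifier_accepts(card, key, SAMPLE_TEMPLATE, SAMPLE_PIN))
    print("challenge, genuine, wrong PIN  :", challenge_verifier_accepts(card, key, SAMPLE_TEMPLATE, "0000"))
    print("challenge, faux card           :", challenge_verifier_accepts(FauxChallengeCard(), key, b"x", "0000"))
```

The two verifier functions are the point of comparison: `naive_verifier_accepts` cannot tell `NaiveCard` from `FauxCard` because a boolean carries no evidence of who computed it, whereas `challenge_verifier_accepts` rejects `FauxChallengeCard` on every run because the accepted answer depends on a key the faux card never had. The biometric data and PIN still never leave either card; only the challenge and its keyed response cross the reader interface.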


True only if the papers are issued by government. A private or non-profit scheme, if hacked, could be abandoned within hours and replaced. To post this comment I had to present some virtual ID to a private organization.
