By Beau Martino on October 2, 2017
SSNs are dead. The most recent Equifax hack confirms that.
In a post-SSN world, using one for authenticating an identity is a recklessly insecure business practice that will leave you susceptible to fraud.
For years, we at Cognito have been trying to find ways to move past the old world of identity verification that relies on possession of data. Not only are the industry-standard methods of KBA and SSN verification insecure, but they are also onerous for your customers. The Social Security Number was never supposed to be the private key to your life as it is used today. It emerged as one because it was purported to be secret; the act of knowing a Social Security Number was considered sufficient proof that you are who you claim to be. Thanks to Equifax, that narrative no longer holds any merit.
Beyond the secrecy issue, the primary issue with a Social Security Number is that it is not an authenticatable number, meaning that if your SSN is leaked, anyone is able to use it. When we created Cognito, we needed a number that uniquely identifies a person while also being authenticatable. A phone number fits this description perfectly.
Using the phone number as a person’s primary identifier is advantageous for a few reasons:
Phone numbers are ubiquitous. 95% of adults in the US have one and tend to keep the same one for life. This means that there is a very high likelihood that your user has a phone number.
Possession can be proven. Verifying possession of a phone number creates a link between the actual person and their number. Using Cognito creates a link between that phone number and the identity.
Higher barriers to attack. Basing the verification around a phone number creates a much higher barrier to fraudulent activity. Relying on an old verification system would allow a fraudster to commit fraud simply by buying stolen identities on the black market. A company using Cognito removes that possibility and would require a fraudster to try to gain access to a user’s phone, which is much more difficult.
Obtaining the SSN of a user will still be necessary for KYC compliance, which means SSNs won’t disappear completely until new regulations are adopted or guidance is given. To help with this requirement, Cognito retrieves the full SSN of a user so that businesses can remain in compliance.
Additionally, despite the massive leak, SSNs have not lost all functionality in an identity verification process. Having some form of unique identifier to associate with a person is still highly valuable for identity verification. Similarly to dates of birth or other non-secretive identifying data, SSNs can help filter through results to locate an identity. With gradual verifications, Cognito can use SSNs in this manner to improve match results.
Any company relying on SSNs to authenticate an identity should be concerned with the release of 143 million SSNs. Cognito is the solution to secure your business and ensure a reliable KYC process in a post-SSN world.