Why the Equifax Breach Should Not Have Mattered
Marten Lohstroh

TL;DR
This paper critiques the use of publicly known identity attributes for authentication, proposing a cryptographic protocol to enhance security and reduce identity theft risks in online services.
Contribution
It introduces a simple public-key cryptography protocol that makes remote identity claims verifiable, improving security practices for service providers.
Findings
The protocol enables verifiable identity assertions over the Internet.
It significantly reduces the risk of identity theft for consumers.
The approach can be adopted by credit and rental agencies to improve security.
Abstract
Data security, which is concerned with the prevention of unauthorized access to computers, databases, and websites, helps protect digital privacy and ensure data integrity. It is extremely difficult, however, to make security watertight, and security breaches are not uncommon. The consequences of stolen credentials go well beyond the leakage of other types of information because they can further compromise other systems. This paper criticizes the practice of using clear-text identity attributes, such as Social Security or driver's license numbers -- which are in principle not even secret -- as acceptable authentication tokens or assertions of ownership, and proposes a simple protocol that straightforwardly applies public-key cryptography to make identity claims verifiable, even when they are issued remotely via the Internet. This protocol has the potential of elevating the business…
Taxonomy
Topics: Security and Verification in Computing · Cryptography and Data Security · Digital and Cyber Forensics
