Security experts are urging private-sector companies to stop using Social Security numbers and other national identifiers as primary factors for identity authentication [1, 2].
This shift is critical because static identifiers are frequently exposed in large-scale data breaches, making them unreliable for verifying a person's true identity. When companies rely on these numbers, they create a vulnerability that cybercriminals can easily exploit to hijack accounts or steal sensitive data.
In the U.S., the use of Social Security numbers and birth dates as knowledge-based authentication factors is considered insecure [1]. These identifiers are often widely known or easily obtained through the dark web following corporate hacks. Because these numbers do not change over a lifetime, once they are leaked, the security they provide is permanently compromised [1].
Similar warnings have been issued in Singapore regarding the use of National Registration Identity Card (NRIC) numbers [2, 3]. Government agencies have urged the private sector to stop using full or partial NRIC numbers for authentication purposes [3, 4]. Experts said that such advisories were long overdue, as the reliance on these identifiers undermines the overall security posture of the digital economy [2].
Knowledge-based authentication relies on the assumption that only the user and the company know the specific piece of information. However, the prevalence of data breaches has turned these private identifiers into public commodities [1, 4]. Security professionals recommend moving toward multi-factor authentication methods that do not rely on static, leakable data points.
Companies that continue to use these identifiers face higher risks of fraud. The transition to more secure methods is seen as a necessary step to protect consumer privacy and to deny the massive crime industries that profit from hacked identity data [1].
The move away from Social Security and NRIC numbers marks a transition from 'knowledge-based' security to 'possession-based' or 'inherence-based' security. As static personal data becomes increasingly available to bad actors through breaches, the industry must shift toward dynamic tokens, biometrics, or hardware keys to ensure that identity verification is based on something a user has or is, rather than something a hacker can find in a leaked database.
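To make the knowledge-based versus possession-based contrast concrete, here is an added Python example (not code from the article or its sources) that checks a static identifier beside an RFC 4226 HOTP verifier: the static value is accepted every time it is presented, while a one-time code is accepted once and rejected on re-presentation. The identifier and key are constructed sample values; the key is the RFC 4226 test-vector key.

```python
import hmac
import hashlib
import struct

# Constructed demo key (the RFC 4226 test-vector key); real deployments provision a per-user secret.
DEMO_KEY = b"12345678901234567890"

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class StaticIdentifierVerifier:
    """Knowledge-based check: the 'secret' is a lifelong identifier such as an SSN or NRIC number."""
    def __init__(self, identifier: str):
        self._identifier = identifier
    def verify(self, presented: str) -> bool:
        # Nothing here ever changes, so a value exposed once stays valid forever.
        return hmac.compare_digest(self._identifier, presented)

class HotpVerifier:
    """Possession-based check: each counter value is accepted at most once (small look-ahead window)."""
    def __init__(self, key: bytes, window: int = 5):
        self._key = key
        self._window = window
        self._next_counter = 0
    def verify(self, presented: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._window):
            if hmac.compare_digest(hotp(self._key, c), presented):
                self._next_counter = c + 1  # move past the used counter; the same code is now rejected
                return True
        return False

def replay_outcomes():
    """Present the same value twice to each verifier and return (first, second) results."""
    static = StaticIdentifierVerifier("123-45-6789")  # constructed sample identifier
    static_results = (static.verify("123-45-6789"), static.verify("123-45-6789"))

    token = HotpVerifier(DEMO_KEY)
    code = hotp(DEMO_KEY, 0)  # the code a genuine token would show for counter 0
    hotp_results = (token.verify(code), token.verify(code))
    return static_results, hotp_results  # expected: ((True, True), (True, False))
```

The static check accepts the identifier both times, which is exactly the property a breach turns into a permanent weakness; the HOTP verifier accepts the code once and then refuses it.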