> I think the solution is to make SSN useless for anything.
It is rapidly approaching that point by virtue of all these breaches. SSNs are like gold or fiat currency: they only hold value because they are relatively scarce. If too many are in circulation, then no institution will trust them, which makes them useless.
> If people are worried the masses are too dumb for PKI
Use OAuth to communicate with a central service that uses FIDO2 for authentication. Easy to use, easy to revoke, almost impossible to pwn.
Is an SSN really "useless", though? The problem is that the heaviest costs of stolen identity are borne primarily by the individual victim, not by the company which got hoodwinked.
Useless is not the term of art. It is brittle. So, very, very brittle.
Costs borne by the victim are not the only problem. It is that the brittleness of SSN makes it impossible to lay the costs at the feet of the proper "company which got hoodwinked".
You must share your SSN 100 times for: work, home, credit, school, health. All of them have been popped 5 times each. 20 years later, you are victimized. Who pays?
SSN should be deprecated. You can pretty quickly reason to public/private-key SSN alternatives. The US government would actually do it for the consumer (this term) but the US probably doesn't want to pay its share of the replacement cost to do so.
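The public/private-key alternative the comment above gestures at, sketched as an added example (not code from anyone in this thread) using Go's standard-library Ed25519: the institution stores only a public key in place of the SSN, authenticates with a fresh challenge, and a dump of its stored records is useless to an impersonator. Names and the challenge size are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is what a creditor or employer would store instead of an SSN:
// only the public half of the person's keypair (assumed record layout).
type Identity struct {
	Name   string
	PubKey ed25519.PublicKey
}

// Challenge issues a fresh 32-byte nonce per transaction, so a captured
// response cannot be replayed against a later request.
func Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Prove is run by the holder: sign the verifier's challenge with the private key.
func Prove(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is run by the institution using nothing but its stored record.
func Verify(id Identity, challenge, proof []byte) bool {
	return ed25519.Verify(id.PubKey, challenge, proof)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	alice := Identity{Name: "Alice (constructed)", PubKey: pub}
	ch := Challenge()
	fmt.Println("holder:", Verify(alice, ch, Prove(priv, ch)))
	// Breach scenario: the attacker has Alice's whole stored record (the public
	// key) but not her private key, so any proof they make is rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	ch2 := Challenge()
	fmt.Println("breached record:", Verify(alice, ch2, Prove(otherPriv, ch2)))
	// Replay: a proof for an old challenge fails against a new one.
	fmt.Println("replay:", Verify(alice, Challenge(), Prove(priv, ch)))
}
```

Contrast this with a static SSN, where the stored record is the secret itself, so every breach of every holder of that record yields a working credential.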
Since all those companies can plausibly point to someone else, the victim pays! Which is just how they like it — privatize the profits and socialize the losses.
What would actually get creditors to stop using social security numbers is if the SSN's utility as a proxy for creditworthiness drops. But that won't happen, even with many more breaches, because individual consumers need to do everything they can to keep their credit scores up.
> Still, we should demand it.
Yep. The market will not drive this. It will have to be consumers, speaking collectively through the government, imposing regulations.