"Login" using Name, DOB and SSN

2 Mar 2011 - 11:16am
Don Habas

Scenario :

User is filling out a long application for a financial product.  At first, they were going to have the ability to create an ID and password, so they can come back and continue at a later time.  However, due to scope reduction, they were suggesting the option of having the user log in to continue using their name, date of birth, and SSN.  

Not going to be enough time for testing (except for walking around the office to get feedback).

How do you think applicants would feel about this?


2 Mar 2011 - 11:39am
Don Habas

Just to clarify, they wouldn't sign up with that info...only come back and log back in.  It's some of the info we collect in their application, so we already have that data in their record.

They come back to continue their application, and they are asked to retrieve their saved app by providing their name, SSN and DOB.

2 Mar 2011 - 11:49am
Josh B Williams

My girlfriend was filling out her FAFSA[1] this morning and that is how they do their login. Name, SSN, DOB, and an electronic pin they assign you.

[1] http://www.fafsa.ed.gov/

2 Mar 2011 - 12:15pm
Dana Chisnell

First thing I have to ask is, Why are you asking users to provide this information? My second question is What are you doing with it? From the user's point of view, there are two things to think about: memorability and security.

For financial services applications, there are also regulatory considerations, but I'll get to that later.

When users log in with DOB and SSN, you're definitely making it easy for users to enter the information. These bits of data have a lot to do with their identities; this is stuff they know and don't forget. For authentication, it appears to be nice, because the combination uniquely identifies the user.

However, in terms of security, what you're doing with DOB and SSN is just substituting a password that is supposed to be secret with one that can easily be looked up in public records. This is not secure. Knowing that, I'm wondering why you need three pieces of ID to authenticate the user.

I'm also wondering how that log in information is being stored on the server. Is it encrypted? If not, you're doing nothing other than asking users to take extra steps that may compromise their personal security and subject them to identity theft.

If all you need is an identifier and not authentication, then just ask for an email address as the username. If you must authenticate, use a password or PIN.

By the way, it isn't uncommon for people to use their DOB or SSN as their passwords, anyway. Not a good practice, but people do it. And again by the way, there may be US Federal regulations or state regulations that prevent requiring SSN as identification or authentication for bank or brokerage accounts. You should check with your legal / compliance team before you go too far with that. I'm surprised that FAFSA uses SSN for authentication.
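
As an added illustration of the identifier-versus-authenticator distinction in the answer above (this is example code, not anything from the thread or the poster's project): the applicant's e-mail address is the identifier, and a random resume code sent to them is the secret. The code is stored only as a salted PBKDF2 hash, compared in constant time, and the record locks after a few failed attempts. The store, field names and attempt limit are assumptions for the example.

```python
# Added example (not from the thread): a "save and resume" flow for a long application
# that uses a secret the applicant receives (a one-time resume code) instead of the
# name/DOB/SSN combination, which identifies a person but does not authenticate them.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000  # assumption: tune for your hardware; slows offline guessing


@dataclass
class SavedApplication:
    email: str            # identifier, not a secret
    form_data: dict       # the partial application; SSN/DOB live here, not in the login
    salt: bytes
    code_hash: bytes      # derived from the resume code; the raw code is never stored
    failed_attempts: int = 0


def _derive(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class ApplicationStore:
    """In-memory store keyed by e-mail (assumption; a real deployment uses a database)."""

    def __init__(self, max_attempts: int = 5):
        self._apps: Dict[str, SavedApplication] = {}
        self._max_attempts = max_attempts

    def save(self, email: str, form_data: dict) -> str:
        """Persist a partial application; return the resume code to deliver to the applicant."""
        code = secrets.token_urlsafe(12)   # ~96 bits of entropy; unlike a DOB, not look-up-able
        salt = secrets.token_bytes(16)
        key = email.lower()
        self._apps[key] = SavedApplication(key, form_data, salt, _derive(code, salt))
        return code

    def resume(self, email: str, code: str) -> Optional[dict]:
        """Return the saved form data only if the resume code verifies; None otherwise."""
        app = self._apps.get(email.lower())
        if app is None or app.failed_attempts >= self._max_attempts:
            return None                    # unknown e-mail and locked record look identical
        if hmac.compare_digest(_derive(code, app.salt), app.code_hash):
            app.failed_attempts = 0
            return app.form_data
        app.failed_attempts += 1
        return None
```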


3 Mar 2011 - 12:24pm
Don Habas

Thanks Dana.

Why are we asking for SSN?   Underwriting requirements, identity verification with third-party vendors, checks against OFAC lists, etc.    We're not gathering SSN for the sake of just collecting it.  We're fine with regulatory considerations.  Legal and Compliance depts are well aware of this.

2 Mar 2011 - 8:22pm

In Canada, giving your SSN for no particular reason is illegal and we are regularly reminded about it. For a lot of users, even if the financial institutions can ask for it, it will be frightening. So trust will be difficult to establish.
