Why not use a national ID as username for every website?

Question

Everyday we visit many websites, including our university's website, maybe Google, Yahoo, etc. But on each of them, we have a unique username, while each person in a country can have a "national code" such that no persons share a code. So, they could use their national code as their username on every website.

Why not? Why isn't this the situation? Wouldn't it be better if we had one username for all of the websites in the world? Does it have something to do with security?

Comments are not for extended discussion; this conversation has been moved to chat. — Rory Alsop, Oct 17 '17 at 21:52
“Wouldn't it be better if we had one username for all of the websites in the world?” Um, no? — Paul D. Waite, Oct 18 '17 at 21:30
+1, because while certainly a naive question, I have heard similar things from many people. — Nacht, Oct 18 '17 at 23:20
So for things like your bank, the tax authority, signing contracts, there's something in Sweden called mobileBankId. Give your id number to the website, and then by magic a request to verify yourself comes to the app on your phone. I haven't seen it for more "frivolous" services. It's like a more cautious version of single sign on. — Nathan, Oct 19 '17 at 08:36
Email address, Twitter connect, Facebook connect etc are ways in which you can already do this... — ESR, Oct 20 '17 at 01:26
Certain websites using beacons are already doing this to track the browsing behaviours of individuals. Software attempting to block these attempts is widely available and used by people who view it as an unethical invasion of privacy. There are many people who don't want all their accounts tied to a single person and in fact like having their actions on one website appear separate to their actions on another. Would you be happy with your university knowing which porn websites you visit or what heinous insults you use on 4chan? — Pharap, Oct 20 '17 at 04:10
Well, Facebook, Google and the like are already establishing Internet-national IDs for you to single-sign-on. And they are the best examples why this is a bad idea the way it works right now. Central institutions have power over your identity and use it to track your every move. Also, you might want to switch your identity from time to time, but with this mechanism, you’re not supposed or allowed to. Facebook and Google have real name policies to help China and US prosecute you for speaking out (known as hate speech). — Arc, Oct 20 '17 at 11:05
US SSNs also have very little entropy now. For tax reasons parents now quickly get an SSN for their kids and they're based on location, last name, date of registration, and a non-sequential counter. — bgiles, Oct 20 '17 at 21:00
Missed the time window to edit... given just the last name, city (or just state?) of birth, and birthdate some researchers claim to be able to reliably guess the person's SSN down to just a handful of possibilities. Before the IRS required SSN for all claimed dependents many parents put it off until the oldest child hit first grade so the birth date and sequence number (based on registration date) were far less tightly coupled, to say nothing of parents moving in the meanwhile. — bgiles, Oct 20 '17 at 21:09
At First, create a Gmail account. WIth this account register facebook. Then you will have almost every website to connect with these two accounts. If you can't connect with Gmail or Facebook to a website, don't register there. — Moshii, Oct 23 '17 at 10:21
Think of all the places where you created an account (all of them). Now imagine that you use the same account name of all of them. Now imagine that it is possible to know if a given username exists on a particular website. — njzk2, Oct 24 '17 at 04:37

score 270 · Accepted Answer · answered Oct 16 '17 at 18:22

270

Privacy. Being able to link every user account to a natural person would be the end of anonymity on the Internet. Maybe you have nothing to hide, so that's of no concern for you. But as Edward Snowden said: "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say".
Not every person on the planet would have a national ID number. There are countries in the world which don't give ID numbers to their citizens. In some regions of the world, residency registration is spotty at best or nonexistent. People from these countries could no longer actively use the Internet anymore. Also, there are edge-cases like stateless people, people with multiple citizenships or people from disputed territories.
In those countries which do have ID numbers, you have the problem of proving that someone is indeed the owner of an ID number. Because your ID number is public knowledge, I could use it to register in your name on any website I want, thus stealing your identity.

A solution to this problem would be a state-supported authentication service (something like OAuth). But considering how many governments there are in the world, it would be impossible to agree on a protocol standard which is supported by everyone all over the world. And if you do somehow get the ~200 or so governments in the world to cooperate on something (a feat worthy of a Nobel Peace Prize), you now put a tremendous responsibility into their hands. Not only could they very easily prevent their citizens from using any services they don't like by no longer authenticating their citizens to it, they could also impersonate their citizens on any website.

answered Oct 16 '17 at 18:22

Philipp

49,384
8
129
160

90

Don't forget hacking - let's say crappysite.com has a leak: I can now reverse brute force across tons of other sites using the leaked password and your global ID (because password reuse is common). – Blackhawk Oct 16 '17 at 20:34
38

And to your point about privacy, consider the absolute field day advertisers would have correlating activity across different websites. No longer do they have to resort to fingerprinting! – Blackhawk Oct 16 '17 at 20:36
@Blackhawk I didn't find either point worth adding because it's really just a slight upgrade on problems we already have. Linking accounts to each other when you have all PII available to both sites isn't actually very hard and advertisement trackers are already able to trace the majority of internet users very reliably. – Philipp Oct 16 '17 at 20:39
True, but I'm guessing the OP is possibly not aware of the details of PII as an info security domain, so I went for the practical examples. Also +1 for suggesting federated identity management - I think the OP might be interested to specifically check out Google Identity Platform or other examples. – Blackhawk Oct 16 '17 at 21:02
20

@Blackhawk To be fair, most people use the same email address and/or username too, so the first problem already exists, just on a smaller scale. – Jon Bentley Oct 16 '17 at 21:29
1

You could give the specific example of US to point 2. – OganM Oct 16 '17 at 22:27
2

@OganM The US have their social security numbers. Although they were never intended to be an unique identifier for each citizen, they are de-facto used as such. – Philipp Oct 16 '17 at 22:31
not every citizen has one though. even if they are rare they do exists. – OganM Oct 16 '17 at 22:53
Add corrupt governments to this issuing fake and incorrect ID numbers. Seen this before. – Namphibian Oct 17 '17 at 01:44
3

@Philipp: SSNs would be terrible for this because they directly enable identity theft. If you're going to collect them, you need to have a level of OpSec substantially beyond that contemplated by the OP. – Kevin Oct 17 '17 at 03:47
18

@Kevin : SSNs only enable identity theft because people are misusing them as authenticators. This should be stopped by the US government providing a website which allows anyone to look up an individual's SSN given name, and DOB (but not to do the reverse lookup). – Martin Bonner supports Monica Oct 17 '17 at 13:32
13

The discussion about the shortcomings of US Social Security Numbers as authentication factors and how that system cold be fixed is certainly interesting, but not really relevant to this answer. – Philipp Oct 17 '17 at 13:44
1

I always loved that quote - Jean Michel Jarre & Edward Snowden - Exit – MrLore Oct 17 '17 at 15:45
That last paragraph, at least one country wouldn't be agree with such thing, North Korea. That will be two if you count Republic of China also. – adadion Oct 18 '17 at 15:38
10

Everybody has something to hide. Maybe you're taking a one week vacation and you don't want thieves to know when your house/apartment is going to be empty that week. Or maybe, you don't want the people in your neighborhood to know that you have $10,000 worth of photography equipment set up in your garage. Etc. – Stephan Branczyk Oct 19 '17 at 04:27
1

@StephanBranczyk that makes a better case than the Snowden quote. – NH. Oct 19 '17 at 20:24
3

The problem with the Snowden quote is that it kinda, well, backfires (pun intended): "I don't care about the right to bear arms because I have no one I want to kill" would certainly fly in my book. – user541686 Oct 19 '17 at 22:02
In Belgium at the moment there is a law going around that keeping the national ID in databases is illegal unless we actually use them for something. And too use it as an unique identifier is not allowed. – Lyrion Oct 20 '17 at 12:05
@Lyrion, surely it is already illegal to store people's national ID numbers in databases if they're not being used, under the Belgian implementation of the EU Data Protection Directive 95/46/EC? – Peter Taylor Oct 23 '17 at 14:22
I would never rely on the law to protect my privacy. Those who violate my privacy often don't know or don't care about the law. Those who are supposed to enforce the law rarely have the resources or the technical understanding to stop them. Those who are supposed to keep the laws up-to-date with technical developments get all their advise from industry lobbyists who care only about economical interests. – Philipp Oct 23 '17 at 14:26
@Blackhawk Such a system (if it were well-designed) would not use passwords for the individual services. Instead, access would be granted through an access token issued by the central authority, that is specific for the service being accessed. A leak would (ideally) not reveal anything of value outside of data for that service. – nitro2k01 Oct 24 '17 at 12:18

score 84 · Answer 2 · 2017-10-16T18:16:45.573

84

You can't:

have multiple, separate accounts (e.g. separate professional and personal accounts, or a separate parody account)
have a truly anonymous account
have an account if you're a stateless person, or from a country that doesn't have a national ID, or too young or otherwise ineligible to have a national ID
allow the national ID scheme(s) to ever change (or re-issue numbers)

edited Oct 16 '17 at 18:16

answered Oct 16 '17 at 18:08

1

The wonderful euphemism "parody account" deserves a "parodical" up :-) – peterh Oct 17 '17 at 15:45
34

@peterh Euphemism? Parody accounts (at least on sites like Twitter and Reddit that don't try to enforce the one-user, one-account policy) are exactly that. Here's an example (warning: language): https://twitter.com/nihilist_arbys?lang=en – Kyle Strand Oct 17 '17 at 16:05
3

Dear God, why won't someone think of the sock puppets! ;) +1 – Steve-O Oct 20 '17 at 17:28
2

To add to that: you can't guarantee that national IDs are unique across the globe. – physicalattraction Oct 24 '17 at 06:15

score 56 · Answer 3 · answered Oct 16 '17 at 22:06

56

In some countries, it is simply forbidden to use the most important unique IDs in other databases than those for which it was originally meant for. For example, you would get an ID for the state-run health insurance system, which the tax office is not allowed to use and vice versa. All this to ensure privacy and make it more difficult to cross-reference databases with personal information.

In fact, EU requirements regarding personal information are getting stricter and all the companies you mentioned already have trouble ensuring compliance with their current approach. That alone is reason enough to avoid national ID numbers like the plague.

answered Oct 16 '17 at 22:06

Relaxed

1,739
13
10

26

Indeed, it is worth pointing out that the UK Data Protection Registrar (now known as the Information Commissioner) issued guidance that using the UK's national insurance number as a unique identifier for any application where it isn't strictly necessary to collect it would be considered a violation of the legally-mandated principle that "[p]ersonal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed." And this was based on the 1984 version of the Data Protection Act. It's much stricter today. – Jules Oct 17 '17 at 06:38
1

That's a big point, and the reason is that the most dangerous thing for individual freedom is crossing different databases. That's the French Loi informatique et liberté (information and freedom law) concern and that's the rationale behind EU regulation. – Serge Ballesta Oct 17 '17 at 09:06
2

@Jules I feel a newfound warmth towards to Information Commissioner! – owjburnham Oct 19 '17 at 13:55
2
The people who decided to amend that Act really liked their irony.

Hashim Aziz

Oct 23 '17 at 01:54

@Jules that's preventing the site from collecting it, but it's not preventing the user from offering it. It becomes 'relevant' when you offer it as your user id. – UKMonkey Oct 23 '17 at 17:57

@UKMonkey You are allowed to use whatever you like as your username. You can use your NIN as it if you want, and nobody is in trouble. They get in trouble when, instead of giving you a Username box they give you a box which requires you enter your NIN. – Tim Oct 24 '17 at 00:40

@Tim - correct, that's what I said. – UKMonkey Oct 24 '17 at 08:24

score 21 · Answer 4 · answered Oct 16 '17 at 18:01

21

As well as security, there are also colossal privacy concerns. You probably don’t want Facebook and Pornhub to be able to compare notes and link your Pornhub account to your Facebook account. And of course, someone might want to create two different accounts, but they’ve only got one ID.

answered Oct 16 '17 at 18:01

Mike Scott

10,294
1
29
36

What if it's my university's username? Why not using my national code as the university's username? – Arman Malekzadeh Oct 16 '17 at 18:02
22

@ArmanMalekzadeh Maybe you’re a foreign student and don’t yet have a national ID. Maybe you’re a system administrator and need an unprivileged user account for test purposes as well as your admin account. Maybe the university doesn’t want the secret police to be able to easily see what their staff and students have been doing. And so on and so forth. – Mike Scott Oct 16 '17 at 18:14
7

@MikeScott That comment should really go in the answer. – user Oct 16 '17 at 18:34
10

You don't need linkage via a national ID for your privacy to be shot to hell. Plain old ML and face recognition will do that for you. Facebook links your sex worker profile to your "civilian" one, and PronHub's identifying actors could be a problem for "amateur" sex actors, links via Bruce Schneier. – Stephan Kolassa Oct 16 '17 at 20:29
3

Maybe you’re a foreign student and don’t yet have a national ID or you have one from home but it's the wrong format (like postcodes, vehicle registrations) – Chris H Oct 17 '17 at 15:57
2

@StephanKolassa Your comment sems rather easy to misread as "amateur" sex actors, like* Bruce Schneier. * which rather changes the meaning! – Chris H Oct 17 '17 at 15:58
2

@StephanKolassa Just because someone can kill you with a knife doesn't mean you should hand him a gun ;) – Frank Hopkins Oct 18 '17 at 16:04
Now I want to see a case where someone wears these and someone jumps the gun and publishes that was a sex worker when surprise! It was just some funky glasses. – Wayne Werner Oct 23 '17 at 19:29
@MikeScott The rest of your objections are, of course, valid but there's no reason that an admin couldn't have an unprivileged test account with a username that isn't a national ID. – David Richerby Oct 24 '17 at 11:36

JimmyJames · Answer 5 · 2017-10-17T16:09:15.573

Actually we have a very pertinent case in point as to why this is not a good idea. In the US, we have long had a system of credit reporting that is based on national Id. The (absurd) presumption was that if you know the national Id of some person and their name, birthdate etc., you must be that person. The problem with this is that finding out the the national Id of someone is becoming increasingly trivial. The result is that people are regularly impersonating others for illicit gains. The problems for the actual owner of that Id can be really big.

This idea that you are proposing would actually contribute even more to this issue but that's not really the point I am making here. Changing your national Id is very difficult in most (all?) countries. Once someone has this information, it's useful for a long period of time and victims of this struggle for decades to deal with all the constant problems such as debt collection agencies calling them at work or terrorizing their families. I recently heard about a woman who's national ID was stolen and used by another woman who was going to prison.

The problems with this kind of system are very much like the use of biometrics. If my fingerprint is my Id and someone can reproduce it, then everything I touch is potentially giving away my identity to a thief. People can even get it off a photo as in the link above. If anything, we need to get away from the use of such unchangeable Ids.

Also see Your Unhashable Fingerprints Secure Nothing, which is quite relevant. — Wildcard, Oct 17 '17 at 02:40

score 7 · Answer 6 · edited Oct 18 '17 at 14:13

Their are numerous reasons this is a bad idea. Here are a few off the top of my head.

If we all had the same username for every service, there now exists a DB of all usernames (which will be leaked, or compiled eventually). I now only need to worry about getting your password. This creates the greatest username enumeration DB ever created.
I can sign up to any number of services with your userid. Some services might use email verification and some won't.
The more unique pieces of information I have about you, the easier ID theft is. I could combine the service signs up to create a whole other digital you based on your global ID.
It would be the best ad tracking ID ever created. You could link all account/internet usage together to create a super ad profile.

score 7 · Answer 7 · answered Oct 17 '17 at 16:16

Other answers cover the concerns over privacy, authentication, and availability very well, but there's another, more pragmatic problem with this approach: It's simply too hard to implement from a technical perspective.

National IDs from different countries frequently overlap with each other. There will be huge numbers of collisions, where two people from different countries have the exact same number. Example: The US SSN is a 9 digit number. The Canadian Social Insurance Number is also a 9 digit number. The Canada SIN includes a check digit, but even so the number of possible collisions is still in the millions.

To avoid this, people would need to specify both the national ID number AND the country. But how do people present this information?

Do you have two separate fields, one for the country, and one for the ID? If so, you've just greatly complicated the database and software requirements for everyone in the world.
Do you have one field where you merge two values together?
If so, How do you represent the country? (ISO alpha code? ISO Numeric code?
Something else?)
How do you concatenate the values? Country first, then ID? Is there a delimiter? If so, what is it?
How do you handle the fact that the same ID can be represented with different formats? Some numbers use hyphens or dots, some use spaces, etc.
What happens when a country is taken over by another country, or a country splits into two?
What happens when people move from one country to another or change citizenship?
Who is going to manage all of this complexity? Who pays for that management?
How do you handle countries that maintain multiple types of IDs, social insurance numbers, voter ID numbers, tax IDs, etc?
What happens when a country changes its national ID system? (this is happening quite frequently in recent years)
Who is going to manage all this complexity? How do you enforce the rules?

Regardless of any other concerns, this solution is self-defeating, as it does not simplify anything, it adds lots of complexity.

"Standards are wonderful. There are so many to choose from!" — Shadur-don't-feed-the-AI, Oct 19 '17 at 16:48

score 3 · Answer 8 · answered Oct 17 '17 at 10:51

3

Case Study: Norway.

Norway has national ID numbers. And we use them for everything.

On the bright side, it makes everything easy. I don't have to do tax returns because the tax office knows everything anyway. Whenever I talk to some government office, I give them the ID number and they automatically know my name, address, age and everything else, without typing errors. Same with banks, insurance companies and other "worthy" businesses. (Not sure how they qualify as "worthy", but there are a lot of them)

Even "unworthy" businesses know the ID numbers of their employees to report their income to the tax office.

My apartment complex management knows my ID number. I am sure they report it to some government office or another.

In theory ID numbers are secret, in practice they are not. They are everywhere, how could they be secret?

The banks have cooperated to create a system for authentication for on-line banking. This uses a combination of a dongle creating one-time passwords and a remembered password.

The government has bought into this system so we use the same dongle/password for government websites too.

We have strict laws about how databases containing these numbers should be treated. Judging by newspaper headlines, these laws are often broken in small ways but rarely in large ways.

Privacy is broken often, but it is rarely important data. Customer data bases and such. I am sure marketing people are drooling over these data, but I won't loose any sleep over it.

I know others will disagree.

Important data, like medical records, are actually guarded pretty competently. The downside of that is that different hospitals and such have problems exchanging data.

Identity theft is rare, again judging by newspaper headlines. I suspect that this is because Norway is so transparent that the thief will have problems hiding after the identity theft is discovered.

answered Oct 17 '17 at 10:51

Stig Hemmer

2,433
11
14

1

"In theory ID numbers are secret" Is that so in Norway? In Sweden they are public - just walk into a tax office and ask and they will be happy to give you the ID for anyone. – Anders Oct 17 '17 at 11:37
1

@Anders Are you sure? – gerrit Oct 17 '17 at 14:19
@gerrit I am sure for Sweden. Maybe there is an exception for people with "protected identity", but for people in general you can just get their personal ID number by contacting any tax office. – Anders Oct 17 '17 at 14:23
Chile is similar - the ID number called RUT (Rol Único Tributario) is used for essentially everything from legal contracts to tax to online shopping to student email, to Nectar points, etc. In contrast to Norway the RUT numbers themselves are public knowledge and are handed out in order, so that (excluding immigrants) someone with the RUT 20.000.000-1 will be older than someone with 23.000.000-1 – stuart10 Oct 17 '17 at 14:24
1

@Anders I used to live in Sweden, and I've certainly found people protective (but not hyper-protective) over their personnummer, with leaks making the news. – gerrit Oct 17 '17 at 14:31
1

@Anders Wait. You can walk into a tax office and get anyone's ID number or just your own? Which is to say, if I want to get your number, do I have to impersonate you (which is risky, likely to be illegal and may require me to know quite a lot about you) or can I just go in and say, "Hi, I'm David. What's Anders's number?" – David Richerby Oct 18 '17 at 08:00
2

I just looked this up on Norwegian and Swedish Wikipedia, and this is different in Sweden and Norway. In Sweden these numbers are public information, In Norway, they are supposedly secret. I think Sweden has the right of it, keeping these secret is simply too hard. – Stig Hemmer Oct 18 '17 at 08:04
2

@DavidRicherby No, no need to lie. Just say "I'd like the ID number of Stefan Löven, please." and they will happily give you the ID of the prime minister. Besides, it's just a function of your date of birth, gender, place of birth plus a counter so theres very little entropy in it anyway. Keeping it secret is absolutely pointless. – Anders Oct 18 '17 at 08:08
@DavidRicherby No need to walk into an office. Just call them on the phone. No need to give your own name, or any reason for your request; a full name and street address for anyone (so they can find the person in question) will get you anyone's ID number. Lots of people don't seem to realize that this is the case. – user Oct 19 '17 at 15:27
@MichaelKjörling OK, but whether it has to be done in person, on the phone, by email, by letter, by fax or whatever wasn't really the significant part of my question. – David Richerby Oct 19 '17 at 15:32
1

And we use them for everything. That is not true. It is used for things like banks, insurance, tax office, hospitals, drivers licence - sure. But absolutely not "everything". – hlovdal Oct 20 '17 at 21:21

gerrit · Answer 9 · 2017-10-17T17:46:17.920

1

In Sweden, I am registered to some websites that actually do this. For example, to register in the housing queue in various cities, I login with my Swedish national ID (the password is local). The housing office needs to know my national ID anyway, so one might as well use it as a login. Of course, database breaches can be a source of worry, but that is true for any database containing the national ID, whether or not it is used for logging in or not.

Other answers have addressed why this is undesirable and unfeasible to apply universally.

edited Oct 17 '17 at 17:46

answered Oct 17 '17 at 10:57

gerrit

1,920
1
19
26

Privacy considerations aside, wouldn't you worry if you had to use the same password for all those services? Your password is then only as secure as the least secure government office you used it in... and if they are cracked, the thieves have a guaranteed list of sites to use it on. – Michael come lately Oct 17 '17 at 15:30
2

@Michael The question asked national ID as username. In my interpretation, we can still have different passwords. To answer your question: yes, I would be worried about that if not only the username, but the entire account was shared. – gerrit Oct 17 '17 at 16:29
Okay. I was confused by the sentence where you said "I login with my Swedish national ID and password" and misunderstood the ID to be tied to that password. Thanks for clarifying. – Michael come lately Oct 17 '17 at 17:17
So what happens if someone with a grudge against you signs up with your national ID to some housing before you can? Seems like a grouchy ex could easily inconvenience you a great deal, no? – Voo Oct 19 '17 at 19:02
@Voo I don't know. – gerrit Oct 19 '17 at 22:54

score 1 · Answer 10 · edited Jun 16 '20 at 09:49

How well does it work?

One reason would be that universal IDs are not really suited to the task. They do not have a consistent form, and depending on how they're generated, they are all more or less user-unfriendly. They're not necessarily globally unique either (it would require an immense amount of coordination to achieve that).

Some countries might not have universal IDs at all, I bet there's not few countries where it isn't even exactly known how many people exist or who they are. Most certainly, there exist hundreds of millions of people (probably more) who do not have any such thing as an ID card, a social security number, or a birth certificate. They probably don't have much internet access either, but should we in principle deny them using websites because they lack an ID number?

The number on my ID card is 10 alphanumeric characters, and my universal ID on the backside of the ID card is date of birth reversed, plus one digit, plus 7 seemingly random digits, and a letter.
Surely fatlover69 and luckyguy777 are way easier to remember as usernames than M7NTU3C2H5, or 6805097<8614257D, are they not?

What do I do if I ever want a second account, or I wish to abandon an account and replace it with another? Maybe I lost the password and can't access the recovery mail address, maybe the account was hijacked, or something different.
Well, do not despair, that's easy: You only need to get another unique ID. Oh, wait...

Do you trust every website?

Another, even more important reason is you likely wouldn't want some random website to know your ID at all. It's the same thing as with biometry. Or, to a lesser extent, with email addresses and phone numbers. Your phone number is one of the first thing everybody, not just websites, wants to know. Buy a table at a furniture center, and they want to know your phone number. When you tell them "Well,... no. I don't want you to call me", they seem offended¹.
Now, the thing is, in the worst case you can always easily change your mail address and phone number. Changing who you are and what you are is troublesome. Plus, ID numbers contain check digits and are verifiable, so giving a website (which won't accept a "No") a fake number probably won't work well.

Websites, and the companies behind them, are generally (with very, very few exceptions) not trustworthy. In fact, this very website (Stackoverflow to be precise) proved its unworthyness only yesterday by sending me unsolicited job offer spam under the false premise that I opted in to receive these. Sure, not much harm done in this case. But do you really trust every random website enough to give them your identification which is many orders of magnitude more sensitive than a throwaway Google address? Really?

It's not long since you only needed a name (presumably someone else's name) to rent a parcel deposit box. Welcome to the world of online fraud. Loot is sent to the victim's name, to the victim's deposit box. Only just... they have no idea they own that box at all, and they didn't order anything.
Meanwhile, you need a name and the matching identification number. I'm not sure why you still don't have to physically present an ID, but whatever.

Do you really want to tell some random website that number?

Did you think it to the end?

Universal IDs are generally a problem, more than one might think. Many of us are concerned about Facebook and Google storing a cookie and placing beacons on websites. But what if you told them your universal ID?

I remember working in a Swedish hospital around 20 years ago where you could access every person's medical record (and other personal data) by entering their unique code in a computer which, of course, didn't require a password or anything. Their unique code, that was their date of birth backwards, plus a 2-digit sequence number (or something very similar).
Also, there was a database (again without password) where you could match names, partial addresses, and age ranges to find out the number in case you didn't know and in case the patient could maybe not answer. Which is no problem because, obviously, we're all professionals, and nobody would ever use this data for anything but what's intended.

My initial thought was: "Woah, we are so retarded, still using paper -- the Swedes are so fucking cool. Compared to them, we live in the middle ages".
On a second thought, I was much less extatic with the idea. Why, it's a great thing, is it not? And you have nothing to hide. Plus, it's only ever beneficial.

Yes, except... if you knew this girl's name was Inga² and you didn't even know her last name, but you guessed she was approximately 22-24 years old and lived in this town, then, well, you could within seconds look up whether she had a history of genital herpes before going on a date!
Not that I would ever do such a thing, nor can I confirm or deny knowledge of any circumstances under which other individual people have or might have done or recommended said or similar thing, even on a hypothetical base.

Data, and the ability to link data to people is a very, very dangerous thing, it should be avoided at all cost if you can help it. You should never let it happen voluntarily, without urgent need, and without consideration.

^{1 "Oh, I cannot afford a cellphone" works much better, it also limits the amount of extra stuff they're trying to sell to you.}
^{2 Name changed to protect the innocent. Any resemblance to real persons, living or dead, is purely coincidental.}

score 0 · Answer 11 · answered Oct 17 '17 at 06:24

While there are many reasons that this isn't a good enough idea, it's irrelevant as there are many ways to do the same thing. In most cases, people also don't share email addresses, OpenIDs and phone numbers. And they are more standardized across countries. Why not use them instead?

Well, for the university username, they would assume some students would change emails and phone numbers more often than the university. But at least they still have the option to reserve the phone number and email address usernames for the users opted into it.

On the other hand, theoretically a government could set up a system that makes people logging into websites using something equivalent to national IDs, and change all the related processes to make stealing merely an ID number useless. They could also make a new protocol so that this works the same for all countries. And most of the problems pointed in other answers could be solved in some ways. But it is not done. And as emails and phone numbers already solved the problem, there is no incentive to actually do this.

score -1 · Answer 12 · answered Oct 24 '17 at 08:32

One more important point:

Market forces. Until 5-10 years ago, almost everyone with a new website wanted you to create a new login and password just for their site. It's simple to do (especially so if you don't bother about protecting the password database), and free of dependencies. Even today, there are still many who want to use this approach.

To counteract these market forces, you'd need government regulations. The result of which would be that new businesses would set up their servers in any country that isn't yours, unless you also introduce severe restrictions on the internet (hello there, China). Internationally standardized regulation on userprofiles seems unlikely, seeing the vastly different political requirements of the US and EU alone ("all power to businesses" vs "privacy privacy privacy"), and impossible if we also consider some Middle Eastern and Asian countries.

Stig Hemmer's answer highlights that your suggestion is indeed possible but only on a national level for already regulated industries.

score -4 · Answer 13 · answered Oct 17 '17 at 17:26

-4

There is something "close" to what you propose -- it's called OAuth2 - where a third-party system performs user authentication and supplies a pre-authenticated token to subscribing web sites -- the example use case even works here on StackExchange -- when you "Log in using Facebook" or Google, or whatever, you are using a federated system, which is about as close as you can get to having a world-wide single-sign on...

answered Oct 17 '17 at 17:26

Greg Patnude

1

4

I don't think this really addresses the question, which is about why one wouldn't do such a thing. – David Z Oct 17 '17 at 17:27
1

and other answers have mentioned OAuth – schroeder Oct 17 '17 at 18:03

Why not use a national ID as username for every website?

13 Answers13

Case Study: Norway.

How well does it work?

Do you trust every website?

Did you think it to the end?