I agree. Using a Social Security number as a user identifier is never a good idea, but there may be a valid need to collect this information as part of the transaction-verification process for trades. I hope the company vetted the need for this information vs. the risk of using it.
But per your question, the Electronic Frontier Foundation (EFF) has an excellent white paper for Online Service Providers (OSPs) who "provide links between their users and the Internet, offering bandwidth, email, Web and other Internet services." It contains information that any organization looking to provide Internet-facing applications should read.