Keep your data close and your Social Security number closer.

The massive hack at Capital One COF, +1.85% announced late Wednesday resulted in the loss of a wide array of information, including credit scores and balances, zip codes, email addresses, dates of birth, among other details, plus the Social Security numbers of about 140,000 customers and 80,000 bank-account numbers from credit-card customers. The hack affected about 100 million people in the U.S. and 6 million in Canada.

Social Security numbers are among the worst piece of personal data to have hacked for one reason: They cannot be changed.

There’s good news, however. The Social Security numbers and account numbers were tokenized, so that information should be safe from any potential bad actors, according to Capital One. “Those numbers were replaced by unique ’tokens’ that can’t be used by anyone except Capital One,” Paul Bischoff, privacy advocate with Comparitech. “The real numbers were stored elsewhere.”

Also see: 100 million Capital One customers were hacked — everything you need to know about data breaches, but were afraid to ask

After Equifax agreed to a data-breach settlement with the Federal Trade Commission this month and agreed out at least $650 million in restitution to consumers and government fines, the FTC also ordered the company to look into alternatives to Social Security as a form of identification. That settlement came after a 2017 security breach that exposed the personal data of more than 146 million people.

These hacks do raise a timely question: Are there any viable alternatives to Social Security numbers to verify the identity of consumers?

There are other options, some more than two decades old

One security feature that could replace the Social Security number in identifying individuals when applying for bank accounts or credit cards is Voice ID. “It’s a print of your voice,” Neal O’Farrell, executive director of The Identity Theft Council, told MarketWatch. “When you want to verify yourself to apply for a loan, the bank will send you, say, six new numbers and you repeat those numbers with your voice.” This technology has been available for the past 25 years.

Newer methods of identification include biometrics. An individual’s iris or your thumbprint could serve as a form of ID. But the problem with using that alone is that “a thumbprint could be compromised,” O’Farrell told MarketWatch, because thieves or hackers can copy it.

He thinks of the future of verification is in “real-time” personal information. “A bank could ask what was the last number you called on this phone or what was the last purchase you made.” This information would be hard for thieves to use because it’s constantly changing.

Don’t miss:Consumers could get up to $20,000 apiece in Equifax settlement — how to get your share

Other potential identification methods include your phone or laptop’s IP addresses and even a blockchain-created digital ID.

Banks and other financial institutions could also look to the Department of Motor Vehicles for better methods of identity verification, Robert Siciliano, a privacy expert and the founder and CEO of Safr.me, told MarketWatch.

The Real ID Act, passed in 2005, changed security standards for state driver’s licenses. Beginning in October 2020, individuals will need a “Real ID” driver’s license — or a passport — to board a domestic flight.

“Registries of motor vehicles have been setting up verification methods for at least a decade,” Siciliano said. “They set the standard. It’s really hard to get a driver’s license in someone else’s name.” To obtain a driver’s license, one needs to present multiple pieces of identifying information.

“I don’t think there’s a problem with the continued use of the Social Security number. It just needs to be used with a lot of other methods like at a registry of motor vehicles,” Siciliano said.

Even a heartbeat can be an identifier

With new methods of identification come new privacy concerns for consumers. At least one company is working on technology that will be able to identify a specific individual’s heartbeat and turn that information into a unique identifier, O’Farrell said.

But not everyone may want to give their heartbeat to their bank, and for good reason. “Consumers are skeptical about giving away any information,” O’Farrell told MarketWatch. “In this case, they may be afraid the heartbeat will be sold to an insurance company, which could find something wrong with you and use it against you.”

Still, he believes consumers will get on board with a new method if they believe their data won’t be breached.

Your Social Security number was never meant to be your ID

The U.S. Social Security Administration began issuing Social Security numbers in the 1930s “for the sole purpose of tracking the earnings histories of U.S. workers,” according to the Administration. The earnings histories, in turn, help the agency determine “benefit entitlement and benefit levels.”

“The Social Security number was never meant to be a secret identifier,” O’Farrell said. In fact, until 1972, Social Security cards had the words “not for identification” written on them.

“But the financial industry hijacked it,” O’Farrell said. In the 60s and 70s, banks started using Social Security numbers to grant credit, and other companies followed suit, deciding to use the nine digits as a form of identification.

Your Social Security Number has already been exposed

“Today, your name acts as your user name, and your Social Security number acts as your password,” Siciliano said. Over 95% of major credit card companies and 80% of the top 25 banks allow people to access accounts if they can provide the correct Social Security number, a 2014 study by Javelin Strategy & Research found. “The problem is that everyone knows your password,” Siciliano said.

Besides the Capital One hack and the Equifax breach that leaked the personal information of nearly half the people living in America, there have been countless other breaches in the past two decades that have exposed personal data. Hotel chain Marriott MAR, +1.79% , big-box retailer Target TGT, +1.54% , and the early internet search engine Yahoo! US:AABA are among the companies that have suffered breaches in the past several years. An estimated 1,300 data breaches occurred in 2017, up from 200 in 2005, according to the Identity Theft Resource Center.

“If you count the number of breaches, your Social Security [number] is already out there. It’s not a secret,” O’Farrell said.

Why are Social Security numbers still being used as identifying information?

Credit reporting agencies like Equifax EFX, +2.94% use a variety of information to verify their customers’ identities, including an address, name, date of birth, and Social Security number. (Equifax did not respond to a request for comment on the company’s plans to limit the use of Social Security numbers.)

Part of the reason financial institutions are still using Social Security numbers to identify individuals is that a switch to a different system would come with a hefty price tag, O’Farrell said. But another reason is that these “institutions don’t know which way to jump. They don’t know what new system will be best” for verifying identity.

A White House proposal

Rob Joyce, a former cybersecurity coordinator in the White House who has now gone back to the National Security Agency, recently said the White House was looking into new methods of identifying consumers. The Social Security number “has outlived its usefulness,” Joyce said in 2017.

“I personally know my Social Security number has been compromised at least four times in my lifetime,” he said. “That’s just untenable.” The current status of that proposal is unclear. The White House eliminated Joyce’s position in 2018. The National Security Council did not respond immediately to a request for comment.

(This story was updated on July 30, 2019.)