Gas station without pumps

2016 July 29

Two-factor authentication done wrong

Filed under: Uncategorized — gasstationwithoutpumps @ 08:53

The Social Security Administration has decided to add two-factor authentication to the myssa.gov website, where you can check the status of your Social Security account. They’ve picked a fairly standard way to do it:

When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number.  The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account.

Each time you sign into your account, you will complete two steps:

  • Step 1:  Enter your username and password.
  • Step 2:  Enter the security code we text to your cell phone (cell phone provider’s text message and data rates may apply).
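The two-step login quoted above, worked through on the server side as an added example (this is not code from the post or from the Social Security Administration): step 1 is assumed to have succeeded already, and the example shows what issuing and checking the "one-time security code" of step 2 has to do to deserve the name, namely store only a hash of the code, expire it, limit guesses, compare in constant time and accept it exactly once. The ten-minute lifetime and five-attempt limit are assumptions, not the SSA's policy.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Policy values assumed for this example; the post does not state the SSA's.
CODE_TTL_SECONDS = 600   # a code stops working ten minutes after it is issued
MAX_ATTEMPTS = 5         # a code is discarded after five wrong guesses


@dataclass
class PendingCode:
    """One outstanding step-2 code for a user who has passed step 1."""
    digest: bytes        # hash of the code, so the plaintext is never stored
    expires_at: float    # absolute time (seconds) after which the code is void
    attempts: int = 0    # wrong guesses seen so far


class SecondStep:
    """Issue and check the one-time code that completes step 2 of the login.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(username: str, code: str) -> bytes:
        # Binding the username into the hash means a stored digest only ever
        # matches a guess made against that same account.
        return hashlib.sha256(f"{username}\0{code}".encode()).digest()

    def issue(self, username: str) -> str:
        """Create a fresh six-digit code for a user who has just passed step 1.

        Returns the plaintext code so the caller can deliver it over the
        out-of-band channel (the SSA texts it); only its hash is retained.
        Issuing a new code replaces any earlier unused one.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingCode(
            digest=self._digest(username, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, username: str, code: str) -> bool:
        """Return True exactly once for the right code, within its lifetime."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        if self._clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[username]       # expired or locked: force a reissue
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(username, code))
        if ok:
            del self._pending[username]       # single use: the code cannot be replayed
        return ok


if __name__ == "__main__":
    second = SecondStep()
    sent = second.issue("alice")              # would be texted to the user
    print("code delivered out of band:", sent)
    wrong = "000000" if sent != "000000" else "999999"
    print("wrong code accepted?", second.verify("alice", wrong))
    print("right code accepted?", second.verify("alice", sent))
    print("replay accepted?", second.verify("alice", sent))
```

Note that nothing here depends on how the code reaches the user: the same server logic works whether the delivery channel is a text message, a voice call, a mailed letter, or an authenticator device, which is exactly the choice the SSA did not offer.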

Unfortunately, unlike almost all other two-factor systems, they provided no opt-out:

If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.

Given that the people most interested in using myssa.gov are also the people with the lowest probability of having text-enabled cell phones, this seems extremely short-sighted.  According to a study by the Pew Research Center, only about 30% of adults over 65 have a smartphone and only 78% have a cellphone of any sort.  It seems really weird to insist that 22% (or more—some cell phones have no text capability and some older adults can’t use the text capability of their phones) of the adults over 65 won’t be allowed to access their Social Security accounts by computer.

I’ll probably have to deactivate the online account when they turn on the mandatory two-factor authentication next month.  Of course, given that they’ve not provided any opt-out, they probably won’t let me deactivate the account without a cell phone. With any luck, though, they’ll realize (eventually) that they made a bone-headed decision and allow those of us without cell phones some other way to access ssa.gov.

Update 2016 Sept 1: The Social Security Administration admitted they made a mistake and have removed the mandatory two-factor identification.  It is still available and highly recommended, but no longer required.

1 Comment »

  1. Impeccable timing. NIST just announced draft recommendations against using SMS for two-factor authentication. There are many news sources for this; here’s one: https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/

    Comment by Michael K Johnson — 2016 July 29 @ 18:30 | Reply