The Social Security Administration recently announced that beginning June 10, two-factor authentication will be required for all account holders logging into the “My Social Security” portal.
To comply with this new rule, account holders will enter their username and password and then choose either a cell phone number or an email address as the channel for the second factor. A time-sensitive one-time passcode is sent to the chosen phone or address, and the account holder must enter it to complete the login.
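The login flow described above, as an added illustration that is not the Social Security Administration's code: a server-side sketch of password check, then issuance and verification of a time-limited, single-use passcode. The code length, lifetime and attempt limit are assumptions, as are the hypothetical `TwoStepLogin` class and the `send` callback standing in for SMS or email delivery.

```python
"""Two-step login sketch: password, then a time-sensitive one-time passcode.

Added example, not SSA code. The stores are in-memory dicts; `send` is a
callback that stands in for SMS or email delivery. Code length, lifetime
and attempt limit below are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6       # assumption: six-digit numeric passcode
CODE_LIFETIME = 600   # assumption: passcode expires after 10 minutes
MAX_ATTEMPTS = 5      # assumption: passcode is voided after 5 wrong guesses


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class TwoStepLogin:
    def __init__(self, send, clock=time.time):
        self.send = send        # callable(destination, message)
        self.clock = clock      # injectable so expiry can be tested
        self.users = {}         # username -> (salt, digest, contact)
        self.pending = {}       # username -> {"code", "expires", "attempts"}

    def register(self, username, password, contact):
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, contact)

    def start_login(self, username, password):
        """Step 1: verify the password; on success issue and deliver a code."""
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # burn the same time for unknown users
            return False
        salt, digest, contact = record
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            return False
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self.pending[username] = {
            "code": code,
            "expires": self.clock() + CODE_LIFETIME,
            "attempts": 0,
        }
        self.send(contact, f"Your one-time passcode is {code}")
        return True

    def finish_login(self, username, code):
        """Step 2: accept the code once, before expiry, within the attempt limit."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]  # expired or exhausted: force a new code
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"].encode(), str(code).encode()):
            del self.pending[username]  # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []
    login = TwoStepLogin(send=lambda dest, msg: outbox.append((dest, msg)))
    login.register("alice", "correct horse battery staple", "alice@example.com")
    print("step 1:", login.start_login("alice", "correct horse battery staple"))
    delivered = outbox[-1][1].split()[-1]
    print("step 2:", login.finish_login("alice", delivered))
```

The points worth noting are the ones the announcement leaves implicit: the code is random rather than derived from the password, it expires, it is accepted exactly once, and guesses are capped so a six-digit code cannot simply be brute-forced during its lifetime.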
This is the Social Security Administration’s second attempt at implementing two-factor authentication. In 2014, an Obama administration executive order mandated improved security for consumers regarding financial transactions, and remediation for victims of identity theft. Based on this executive order, in July 2016, the Social Security Administration announced the requirement of two-factor authentication for the account holder portal through the transmission of one-time passcodes via SMS text messages to the account holder’s cell phone. This method was widely criticized because many of the account holders were senior citizens who did not have access to a cell phone and therefore lacked the ability to use two-factor authentication for their account.
This renewed method is arguably more user-friendly, since account holders may now receive the passcode by cell phone or by email, but it is less secure than the Social Security Administration’s first attempt when email is the chosen channel. The weakness is that individuals routinely reuse the same password across online accounts. An attacker who has compromised an account holder’s email credentials can therefore both try that password on the Social Security site and read the one-time passcode delivered to the same inbox, defeating the second factor. Account holders can reduce this risk by using a different, unique password for the Social Security portal than for the email account that receives the passcode.
By implementing this two-factor authentication method, the Social Security Administration is following the regulatory trend of requiring multifactor authentication. For example, in the California Attorney General’s 2016 California Data Breach Report, available here, multifactor authentication is considered a minimum security requirement for consumer-facing online accounts with sensitive personal information. Additionally, as of March 1, 2017, the New York Department of Financial Services requires covered entities to have a minimum of two-factor authentication, as detailed here.
This renewed effort for two-factor authentication demonstrates the Social Security Administration’s attention to the security of the growing number of senior adults who use their accounts for services such as checking their benefits, changing direct deposits and modifying their account information.
The Social Security Administration’s announcement is available here.