SSA MANDATORY cell phone based multifactor authentication [now RESCINDED]

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

SSA MANDATORY cell phone based multifactor authentication [now RESCINDED]

Post by mrc » Thu Jul 28, 2016 12:15 pm

UPDATE: The SSA has rescinded this policy as ResearchMed notes:
ResearchMed wrote:Social Security has dropped the recent requirement that a cell phone/text message would be required for security purposes.

http://www.investmentnews.com/article/2 ... sit=405045

Apparently, “Our aggressive implementation inconvenienced or restricted access to some of our account holders,” Social Security press office spokesperson Dorothy Clark said via email.

RM

I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user. This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must use multifactor authentication.

When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number. The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account.

Each time you sign into your account, you will complete two steps:

Step 1: Enter your username and password.
Step 2: Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).

The process of using a one-time security code in addition to a username and password is one form of “multifactor authentication,” which means we are using more than one method to make sure you are the actual owner of your account.

If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.

If you are unable or choose not to use my Social Security, there are other ways you can contact us. To learn more, please review the Frequently Asked Questions found here.
Last edited by mrc on Tue Aug 16, 2016 9:13 am, edited 2 times in total.
If it’s not long term it’s small talk

123
Posts: 3711
Joined: Fri Oct 12, 2012 3:55 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by 123 » Thu Jul 28, 2016 12:42 pm

This sounds like the good basis for a complaint through a local congressperson or senator. Technology exists to route the multifactor authentication code number through email or to send it via a vocal message to a landline number. They could even mail a list of multifactor authentication numbers through the snail mail system for future use.
The closest helping hand is at the end of your own arm.

adamthesmythe
Posts: 2272
Joined: Mon Sep 22, 2014 4:47 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by adamthesmythe » Thu Jul 28, 2016 12:59 pm

Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html

cfs
Posts: 4154
Joined: Fri Feb 23, 2007 1:22 am
Location: ~ Mi Propio Camino ~

Re: SSA MANDATORY cell phone based multifactor authentication

Post by cfs » Thu Jul 28, 2016 1:19 pm

ALL ENGINES STOP

Did you go to the actual Social Security Website [no, not via the link provided on any bogus email] to verify this information?

Thanks for reading.
~ Member of the Active Retired Force since 2014 ~

HueyLD
Posts: 6057
Joined: Mon Jan 14, 2008 10:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD » Thu Jul 28, 2016 1:30 pm

I just signed into my SSA account and no such a question was asked.

JDCarpenter
Posts: 1389
Joined: Tue Sep 09, 2014 2:42 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by JDCarpenter » Thu Jul 28, 2016 1:36 pm

Looks like they are indeed going to implement this. From the May 16, 2016, statement of acting commissioner Carolyn W. Colvin to the House Oversight Committee:
Additionally, to protect citizens’ personally identifiable information further, we continue to improve authentication for our online services. In compliance with Executive Order 13681 (“Improving the Security of Consumer Financial Transactions”), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards of Technology is working on a revised guideline, and we are providing input into that process.
https://www.ssa.gov/legislation/testimony_052616.html

Edited to Add: BUT, the infoworld link provided above by adamthesmythe indicates that NIST axed its endorsement of SMS two-factor yesterday. Maybe that will give SSA pause?
Last edited by JDCarpenter on Thu Jul 28, 2016 1:39 pm, edited 2 times in total.

BolderBoy
Posts: 4046
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: SSA MANDATORY cell phone based multifactor authentication

Post by BolderBoy » Thu Jul 28, 2016 1:38 pm

HueyLD wrote:I just signed into my SSA account and no such a question was asked.
Likewise, I just logged in and LOOKED for some sort of warning that this is coming.

Nada.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

Ron
Posts: 6361
Joined: Fri Feb 23, 2007 7:46 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Ron » Thu Jul 28, 2016 1:42 pm

HueyLD wrote:I just signed into my SSA account and no such a question was asked.
If you go under tab "Security Settings", you will see this as an available option already (Add Extra Security).

As you said, there is no message (yet) on the main mySocialSecurity site, but again the OP stated it will be required shortly.

- Ron

Spirit Rider
Posts: 8681
Joined: Fri Mar 02, 2007 2:39 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Spirit Rider » Thu Jul 28, 2016 2:03 pm

HueyLD wrote:I just signed into my SSA account and no such a question was asked.
Maybe because this was the first sentence of the quoted text.

"Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user."

HueyLD
Posts: 6057
Joined: Mon Jan 14, 2008 10:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD » Thu Jul 28, 2016 2:05 pm

Spirit Rider wrote:
HueyLD wrote:I just signed into my SSA account and no such a question was asked.
Maybe because this was the first sentence of the quoted text.

"Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user."
Duh....

Texanbybirth
Posts: 952
Joined: Tue Apr 14, 2015 12:07 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Texanbybirth » Thu Jul 28, 2016 2:23 pm

My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks. 8-)

SpringMan
Posts: 5360
Joined: Wed Mar 21, 2007 11:32 am
Location: Michigan

Re: SSA MANDATORY cell phone based multifactor authentication

Post by SpringMan » Thu Jul 28, 2016 2:33 pm

Interesting yet Medicare cards are still using SS numbers though I have heard a change to that is coming.
Best Wishes, SpringMan

HueyLD
Posts: 6057
Joined: Mon Jan 14, 2008 10:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD » Thu Jul 28, 2016 2:38 pm

Texanbybirth wrote:My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks. 8-)
Not SS age yet, but the SSA decided not to let me add extra security.

I attempted to add extra security twice, but received an error message every time as follows:

"We cannot upgrade your account at this moment. For further assistance, please contact us."

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Thu Jul 28, 2016 2:51 pm

cfs wrote:ALL ENGINES STOP

Did you go to the actual Social Security Website [no, not via the link provided on any bogus email] to verify this information?

Thanks for reading.
I wish it weren't true, but I checked the mail headers before I posted (it's from messages@subscriptions.ssa.gov) and there is only one clickable link: https://www.ssa.gov/myaccount/ in the message. I don't see how this can stand given that there are those that use the web but don't have a cell phone. My 90 year old mom for starters! I expected to be pushed into a text plan by Verizon or a bank or some other institution that I don't want to live without. But the SSA? Calling and writing is no way to interface with them.
If it’s not long term it’s small talk

mptfan
Posts: 4662
Joined: Mon Mar 05, 2007 9:58 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mptfan » Thu Jul 28, 2016 2:58 pm

mrc wrote: I don't see how this can stand given that there are those that use the web but don't have a cell phone.
You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
Last edited by mptfan on Thu Jul 28, 2016 2:58 pm, edited 1 time in total.

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Thu Jul 28, 2016 2:58 pm

I logged into the SSA site, and on the "Security Settings" tab is a button "Add Extra Security". Beside that is "How does this work?" Here is what it says:
How does this work?

If you'd like to add extra security, you will use a text-enabled cell phone each time you sign in. This provides extra security because even if someone gets your username and password, they will not be able to access your personal information.

To get started, we'll verify your identity by asking for:

the last 8 digits of your Visa, MasterCard or Discover Card, or
information from your W2 tax form, or
information from your 1040 Schedule SE (self-employment) tax form.

Your upgrade letter will arrive in 5 to 10 business days. You will need this letter to complete this process.
Love to hear from those that have done this already ...
If it’s not long term it’s small talk

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Thu Jul 28, 2016 3:00 pm

mptfan wrote:
mrc wrote: I don't see how this can stand given that there are those that use the web but don't have a cell phone.
You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I'm not sure who I distrust more: Verizon or Google!
If it’s not long term it’s small talk

HueyLD
Posts: 6057
Joined: Mon Jan 14, 2008 10:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD » Thu Jul 28, 2016 3:03 pm

I answered all of the above questions twice, but kept getting the same error message.

Am 100% certain that I entered everything correctly. Maybe the program is not yet functioning?

I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.

stlrick
Posts: 403
Joined: Mon Apr 14, 2008 4:37 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by stlrick » Thu Jul 28, 2016 3:19 pm

It may not be operative yet, but it is coming:

https://www.ssa.gov/legislation/testimony_052616.html

Scroll to section on "IT Investment," subsection on "Cybersecurity," last paragraph.

I found it in one minute by Googling "Is 'My Social Security' adding two-factor authentication?"

...and after posting, I see that JD Carpenter found it before me. Sorry for the duplication.
Last edited by stlrick on Thu Jul 28, 2016 3:24 pm, edited 1 time in total.

Flobes
Posts: 982
Joined: Tue Feb 16, 2010 12:40 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Flobes » Thu Jul 28, 2016 3:23 pm

HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.

I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.

I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent onto the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.

Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.

Their phones must be a-ringin' off the hook today!

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Thu Jul 28, 2016 3:26 pm

+1 for Google then. DuckDuck doesn't show that link to me. Even with this search:

"my Social Security" two-factor authentication site:ssa.gov
If it’s not long term it’s small talk

cfs
Posts: 4154
Joined: Fri Feb 23, 2007 1:22 am
Location: ~ Mi Propio Camino ~

Re: SSA MANDATORY cell phone based multifactor authentication

Post by cfs » Thu Jul 28, 2016 4:17 pm

Done on my side

Thanks for all the inputs, I went to the ssa dot gov website, updated the password, and applied for the extra security, now waiting for the upgrade letter to arrive in 5 to 10 business days to complete the process.

Thanks for reading.
~ Member of the Active Retired Force since 2014 ~

TimeRunner
Posts: 1388
Joined: Sat Dec 29, 2012 9:23 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by TimeRunner » Thu Jul 28, 2016 4:23 pm

mptfan wrote: You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
"...There're just so many summers, and just so many springs." -Don Henley "What'd ya expect in an opera, a happy ending?" -Bugs Bunny

MathWizard
Posts: 3000
Joined: Tue Jul 26, 2011 1:35 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by MathWizard » Thu Jul 28, 2016 4:44 pm

adamthesmythe wrote:Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html
Two factor (or multi-factor) is fine. It is just the SMS-based that NIST is talking about, which the SSA appears to want to use.

Biometrics or one-time passwords are still useful.

The iPhone and other top end smartphones have biometrics (fingerprint reader). I use one-time passwords.

FreeAtLast
Posts: 640
Joined: Tue Nov 04, 2014 9:08 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by FreeAtLast » Thu Jul 28, 2016 4:51 pm

Flobes wrote:
HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.

I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.

I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent onto the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.

Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.

Their phones must be a-ringin' off the hook today!
Just did the same thing as Flobes; changed password and downloaded June 2016 personal SSA summary. Done until next year. Thanks for the heads-up, mrc!
Illegitimi non carborundum.

Epsilon Delta
Posts: 7430
Joined: Thu Apr 28, 2011 7:00 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Epsilon Delta » Thu Jul 28, 2016 5:11 pm

TimeRunner wrote:
mptfan wrote: You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The more steps the SMS takes to get to you the less secure it is. The rationale for using the phone system as a second factor is that the phone system is not too insecure, and will probably notice and fix large scale hacks. Adding Google as a link makes it less secure, but not that much less secure. Add a few more email handlers to the link and this starts to look like a bad idea.

S&L1940
Posts: 1596
Joined: Fri Nov 02, 2007 11:19 pm
Location: South Florida

Re: SSA MANDATORY cell phone based multifactor authentication

Post by S&L1940 » Thu Jul 28, 2016 5:26 pm

everyone disses BoA yet one click has them email a numerical code to complete the log on to my account
ditto Vanguard, easy set up for automated call with a one time recorded code to my landline or cell
Don't it always seem to go * That you don't know what you've got * Till it's gone

Flobes
Posts: 982
Joined: Tue Feb 16, 2010 12:40 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Flobes » Thu Jul 28, 2016 6:16 pm

Just got another email from SSA.

It took 6 hours to fix the broken links in this morning's email message. What could possibly go wrong when they shut down to do a system upgrade this weekend?

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Fri Jul 29, 2016 4:37 am

Me too. This message has the embedded link (to ssa.gov). I still don't use embedded links ...

I obtained a new Google voice number -- just for this but I see other uses for it (thanks for the suggestion).

I logged into SSA and after several attempts to carefully add the info to initiate the process, no dice. :oops:

I'll wait them out I guess, 1 August is Monday. If SSA turns this on for the US Population, they will be hammered with customer service calls for months.
If it’s not long term it’s small talk

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Fri Jul 29, 2016 6:50 am

We froze our credit reports due to OPM breach (and do not have a police report). Looks like SSA uses Experian to verify identity. I and my DW's extra settings ability are blocked. My mom's worked (her credit reports are not frozen). Looks like another $10 to unfreeze to make this happen.
If it’s not long term it’s small talk

Levett
Posts: 4177
Joined: Fri Feb 23, 2007 2:10 pm
Location: upper Midwest

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Levett » Fri Jul 29, 2016 6:56 am

For several years I have subscribed to Social Security notifications. It's proven very informative.

https://www.ssa.gov/agency/updates/

I find nothing unusual about the multifactor authentication. I welcome it. My CU uses it, several CC cards use it, Vanguard uses it from time to time.

Lev

mrc
Posts: 1197
Joined: Sun Jan 10, 2016 6:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc » Fri Jul 29, 2016 7:07 am

Lev, I welcome MFA too -- just not with the cell phone text message only restriction. And with three days notice. And a method that takes 5-10 days and necessitates yet another credit unfreeze! I used W-2 info and can't get started. Why must SSA reach out for that info to a frozen credit report?

Who was it that said: security = 1 / convenience

I guess I am just sour over the sudden notice and the inconvenience and expense of compliance.
If it’s not long term it’s small talk

tibbitts
Posts: 8006
Joined: Tue Feb 27, 2007 6:50 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by tibbitts » Fri Jul 29, 2016 7:18 am

Sorry to hijack the thread, but I've found that a number of authentication services manage to defeat the use of Google Voice, and declare it an unsuitable number. I have two Google Voice numbers and this has happened with both. Does anyone understand how/why this happens? Other authentication services text to Google Voice just fine.

letsgobobby
Posts: 11576
Joined: Fri Sep 18, 2009 1:10 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by letsgobobby » Fri Jul 29, 2016 10:41 am

FreeAtLast wrote:
Flobes wrote:
HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.

I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.

I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent onto the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.

Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.

Their phones must be a-ringin' off the hook today!
Just did the same thing as Flobes; changed password and downloaded June 2016 personal SSA summary. Done until next year. Thanks for the heads-up, mrc!
Good idea, done. Thank you. Also signed up for the two factor auth.

Good Listener
Posts: 598
Joined: Wed Dec 30, 2015 5:24 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Good Listener » Fri Jul 29, 2016 10:51 am

I have not logged on to the SSA site for quite a while because every time I did I had to change the password. Apparently there was a requirement to change the password every 6 months. Does anybody know if this new two-factor Authentication is removing the need to keep changing your password?

vested1
Posts: 1569
Joined: Wed Jan 04, 2012 4:20 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by vested1 » Fri Jul 29, 2016 12:15 pm

I got the email today as well. My wife and I have accounts on the website, and while the new requirements will be a minor inconvenience I was immediately struck by the creeping control we all suffer under, which forces us to conform or be left out. Will we be safer because of these changes? Perhaps, but that doesn't diminish the sad realization that more robust security measures like this are necessary to protect us from those who would steal what they didn't earn.

coachz
Posts: 1048
Joined: Wed Apr 04, 2007 7:10 am
Location: Charleston, SC

Re: SSA MANDATORY cell phone based multifactor authentication

Post by coachz » Fri Jul 29, 2016 12:25 pm

I have never had a cell phone so I guess I won't be going there anymore.

sco
Posts: 788
Joined: Thu Sep 24, 2015 2:28 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by sco » Fri Jul 29, 2016 12:53 pm

In addition to a cell phone number, they have to verify via financial information. Mine failed.

abuss368
Posts: 12835
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: SSA MANDATORY cell phone based multifactor authentication

Post by abuss368 » Fri Jul 29, 2016 1:20 pm

I did read this. Dumb phones may not have much longer!
John C. Bogle: "You simply do not need to put your money into 8 different mutual funds!" | | Disclosure: Three Fund Portfolio + U.S. & International REITs

drwtsn32
Posts: 125
Joined: Wed Dec 31, 2014 12:28 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by drwtsn32 » Fri Jul 29, 2016 2:21 pm

adamthesmythe wrote:Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html
Only SMS based 2-factor. And maybe email based for a similar reason. (Someone intercepting the code.)

I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.

niven
Posts: 75
Joined: Fri Mar 04, 2016 12:13 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by niven » Fri Jul 29, 2016 2:32 pm

abuss368 wrote:I did read this. Dumb phones may not have much longer!
What? Dumb or "feature" cell phones can get SMS messages as well. I've always assumed this is why two-factor authentication by SMS is still popular.

mptfan
Posts: 4662
Joined: Mon Mar 05, 2007 9:58 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mptfan » Fri Jul 29, 2016 2:51 pm

drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.

abuss368
Posts: 12835
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: SSA MANDATORY cell phone based multifactor authentication

Post by abuss368 » Fri Jul 29, 2016 4:54 pm

niven wrote:
abuss368 wrote:I did read this. Dumb phones may not have much longer!
What? Dumb or "feature" cell phones can get SMS messages as well. I've always assumed this is why two-factor authentication by SMS is still popular.
I know.
John C. Bogle: "You simply do not need to put your money into 8 different mutual funds!" | | Disclosure: Three Fund Portfolio + U.S. & International REITs

drwtsn32
Posts: 125
Joined: Wed Dec 31, 2014 12:28 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by drwtsn32 » Fri Jul 29, 2016 9:52 pm

mptfan wrote:
drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.

While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.

Gotta pay attention to logon screens and not click links in those phishy emails!

dodecahedron
Posts: 3691
Joined: Tue Nov 12, 2013 12:28 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by dodecahedron » Fri Jul 29, 2016 10:17 pm

I am not sure why I would ever need to access the SSA website again. I filed for own record benefits online last year. That was successful, though someone from SSA called me to confirm everything a week or so later. I am planning to apply for widow's benefits at FRA and I already know that can't be done online--it has to be either in-person or phone/mail. (I also know the projected amount of those benefits and they won't change except for COLA, since my late husband's PIA is not going to change.) Because I am already drawing SS prior to Medicare age, I understand that Medicare enrollment in Parts A and B will happen automatically when I approach age 65. I have had the same BoA checking account number for 26 years and don't expect to change my direct deposit arrangements.

Is there any other reason I might want to access my SSA account online again?

Edited to add: I looked at this list. I guess if I want to change my address or request a replacement SS or Medicare card, it might be handy, but that would happen rarely (or possibly never.)
Last edited by dodecahedron on Fri Jul 29, 2016 10:26 pm, edited 1 time in total.

VictoriaF
Posts: 18553
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF » Fri Jul 29, 2016 10:18 pm

TimeRunner wrote:
mptfan wrote: You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The NIST decision to disallow SMS-based 2FA is significantly because they don't consider VoIP, such as Google Voice, a secure second factor. Please take a look at the article "NIST is no longer hot for SMS-based two-factor authentication" referenced earlier in this thread.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Dottie57
Posts: 4469
Joined: Thu May 19, 2016 5:43 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Dottie57 » Fri Jul 29, 2016 10:27 pm

Hmm, but don't have texting. Guess it is call the congress critter time.

VictoriaF
Posts: 18553
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF » Fri Jul 29, 2016 10:31 pm

drwtsn32 wrote:
mptfan wrote:
drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.

While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.

Gotta pay attention to logon screens and not click links in those phishy emails!
Furthermore, hardware keys are not scalable as a general purpose 2FA. One key from the SSA is OK. But how do you manage and distinguish numerous keys for each brokerage, bank, credit card, email account, etc.?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

VictoriaF
Posts: 18553
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF » Fri Jul 29, 2016 10:35 pm

Dottie57 wrote:Hmm, but don't have texting. Guess it is call the congress critter time.
The SSA, the IRS, and other government services are losing hundreds of millions of dollars a year to fraud. Maybe even billions. This is a HUGE waste that could be used for providing public services. They MUST harden their cyber security. Those who don't have a text-receiving capability can revert to regular phone calls.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

theunknowntech
Posts: 312
Joined: Tue May 05, 2015 11:11 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by theunknowntech » Fri Jul 29, 2016 10:46 pm

mrc wrote:I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
<menomena menomena>
I got that email too. I thought it was a fraud, a clever fraud.

Who do they think we are? I don't text. Somebody once tried to teach me how to text, and it was comical. In the name of Akhenaten, texting is for the little people.
