SSA MANDATORY cell phone based multifactor authentication [now RESCINDED]

Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

SSA MANDATORY cell phone based multifactor authentication [now RESCINDED]

Post by mrc »

UPDATE: The SSA has rescinded this policy as ResearchMed notes:
ResearchMed wrote:Social Security has dropped the recent requirement that a cell phone/text message would be required for security purposes.

http://www.investmentnews.com/article/2 ... sit=405045

Apparently, “Our aggressive implementation inconvenienced or restricted access to some of our account holders,” Social Security press office spokesperson Dorothy Clark said via email.

RM

I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user. This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must use multifactor authentication.

When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number. The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account.

Each time you sign into your account, you will complete two steps:

Step 1: Enter your username and password.
Step 2: Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).

The process of using a one-time security code in addition to a username and password is one form of “multifactor authentication,” which means we are using more than one method to make sure you are the actual owner of your account.

If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.

If you are unable or choose not to use my Social Security, there are other ways you can contact us. To learn more, please review the Frequently Asked Questions found here.
Last edited by mrc on Tue Aug 16, 2016 9:13 am, edited 2 times in total.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
123
Posts: 10412
Joined: Fri Oct 12, 2012 3:55 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by 123 »

This sounds like a good basis for a complaint through a local congressperson or senator. Technology exists to route the multifactor authentication code number through email or to send it via a vocal message to a landline number. They could even mail a list of multifactor authentication numbers through the snail mail system for future use.
The closest helping hand is at the end of your own arm.
adamthesmythe
Posts: 5774
Joined: Mon Sep 22, 2014 4:47 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by adamthesmythe »

Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html
cfs
Posts: 4154
Joined: Fri Feb 23, 2007 12:22 am
Location: ~ Mi Propio Camino ~

Re: SSA MANDATORY cell phone based multifactor authentication

Post by cfs »

ALL ENGINES STOP

Did you go to the actual Social Security Website [no, not via the link provided on any bogus email] to verify this information?

Thanks for reading.
~ Member of the Active Retired Force since 2014 ~
HueyLD
Posts: 9788
Joined: Mon Jan 14, 2008 9:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD »

I just signed into my SSA account and no such question was asked.
JDCarpenter
Posts: 1800
Joined: Tue Sep 09, 2014 2:42 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by JDCarpenter »

Looks like they are indeed going to implement this. From the May 16, 2016, statement of acting commissioner Carolyn W. Colvin to the House Oversight Committee:
Additionally, to protect citizens’ personally identifiable information further, we continue to improve authentication for our online services. In compliance with Executive Order 13681 (“Improving the Security of Consumer Financial Transactions”), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards of Technology is working on a revised guideline, and we are providing input into that process.
https://www.ssa.gov/legislation/testimony_052616.html

Edited to Add: BUT, the infoworld link provided above by adamthesmythe indicates that NIST axed its endorsement of SMS two-factor yesterday. Maybe that will give SSA pause?
Last edited by JDCarpenter on Thu Jul 28, 2016 1:39 pm, edited 2 times in total.
Our personal blog (no ads) of why we saved/invested: https://www.lisajtravels.com/
BolderBoy
Posts: 6750
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: SSA MANDATORY cell phone based multifactor authentication

Post by BolderBoy »

HueyLD wrote:I just signed into my SSA account and no such question was asked.
Likewise, I just logged in and LOOKED for some sort of warning that this is coming.

Nada.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
Ron
Posts: 6972
Joined: Fri Feb 23, 2007 6:46 pm
Location: Allentown–Bethlehem–Easton, PA-NJ Metropolitan Statistical Area

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Ron »

HueyLD wrote:I just signed into my SSA account and no such question was asked.
If you go under tab "Security Settings", you will see this as an available option already (Add Extra Security).

As you said, there is no message (yet) on the main mySocialSecurity site, but again the OP stated it will be required shortly.

- Ron
Spirit Rider
Posts: 13977
Joined: Fri Mar 02, 2007 1:39 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Spirit Rider »

HueyLD wrote:I just signed into my SSA account and no such question was asked.
Maybe because this was the first sentence of the quoted text.

"Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user."
HueyLD
Posts: 9788
Joined: Mon Jan 14, 2008 9:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD »

Spirit Rider wrote:
HueyLD wrote:I just signed into my SSA account and no such question was asked.
Maybe because this was the first sentence of the quoted text.

"Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user."
Duh....
Texanbybirth
Posts: 1612
Joined: Tue Apr 14, 2015 12:07 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Texanbybirth »

My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks. 8-)
“The strong cannot be brave. Only the weak can be brave; and yet again, in practice, only those who can be brave can be trusted, in time of doubt, to be strong.“ - GK Chesterton
SpringMan
Posts: 5422
Joined: Wed Mar 21, 2007 11:32 am
Location: Michigan

Re: SSA MANDATORY cell phone based multifactor authentication

Post by SpringMan »

Interesting yet Medicare cards are still using SS numbers though I have heard a change to that is coming.
Best Wishes, SpringMan
HueyLD
Posts: 9788
Joined: Mon Jan 14, 2008 9:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD »

Texanbybirth wrote:My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks. 8-)
Not SS age yet, but the SSA decided not to let me add extra security.

I attempted to add extra security twice, but received an error message every time as follows:

"We cannot upgrade your account at this moment. For further assistance, please contact us."
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

cfs wrote:ALL ENGINES STOP

Did you go to the actual Social Security Website [no, not via the link provided on any bogus email] to verify this information?

Thanks for reading.
I wish it weren't true, but I checked the mail headers before I posted (it's from messages@subscriptions.ssa.gov) and there is only one clickable link: https://www.ssa.gov/myaccount/ in the message. I don't see how this can stand given that there are those that use web but don't have a cell phone. My 90 year old mom for starters! I expected to be pushed into a text plan by Verizon or a bank or some other institution that I don't want to live without. But the SSA? Calling and writing is no way to interface with them.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mptfan »

mrc wrote:I don't see how this can stand given that there are those that use web but don't have a cell phone.
You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a google voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
Last edited by mptfan on Thu Jul 28, 2016 2:58 pm, edited 1 time in total.
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

I logged into the SSA site, and on the "Security Settings" tab is a button "Add Extra Security". Beside that is "How does this work?" Here is what it says:
How does this work?

If you'd like to add extra security, you will use a text-enabled cell phone each time you sign in. This provides extra security because even if someone gets your username and password, they will not be able to access your personal information.

To get started, we'll verify your identity by asking for:

the last 8 digits of your Visa, MasterCard or Discover Card, or
information from your W2 tax form, or
information from your 1040 Schedule SE (self-employment) tax form.

Your upgrade letter will arrive in 5 to 10 business days. You will need this letter to complete this process.
Love to hear from those that have done this already ...
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

mptfan wrote:
mrc wrote:I don't see how this can stand given that there are those that use web but don't have a cell phone.
You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a google voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I'm not sure who I distrust more: Verizon or Google!
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
HueyLD
Posts: 9788
Joined: Mon Jan 14, 2008 9:30 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by HueyLD »

I answered all of the above questions twice, but kept getting the same error message.

Am 100% certain that I entered everything correctly. Maybe the program is not yet functioning?

I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
stlrick
Posts: 655
Joined: Mon Apr 14, 2008 4:37 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by stlrick »

It may not be operative yet, but it is coming:

https://www.ssa.gov/legislation/testimony_052616.html

Scroll to section on "IT Investment," subsection on "Cybersecurity," last paragraph.

I found it in one minute by Googling "Is 'My Social Security' adding two-factor authentication?"

...and after posting, I see that JD Carpenter found it before me. Sorry for the duplication.
Last edited by stlrick on Thu Jul 28, 2016 3:24 pm, edited 1 time in total.
Flobes
Posts: 1771
Joined: Mon Feb 15, 2010 11:40 pm
Location: Home

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Flobes »

HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.

I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.

I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent onto the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.

Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.

Their phones must be a-ringin' off the hook today!
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

+1 for google then. DuckDuck doesn't show that link to me. Even with this search:

"my Social Security" two-factor authentication site:ssa.gov
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
cfs
Posts: 4154
Joined: Fri Feb 23, 2007 12:22 am
Location: ~ Mi Propio Camino ~

Re: SSA MANDATORY cell phone based multifactor authentication

Post by cfs »

Done on my side

Thanks for all the inputs, I went to the ssa dot gov website, updated the password, and applied for the extra security, now waiting for the upgrade letter to arrive in 5 to 10 business days to complete the process.

Thanks for reading.
~ Member of the Active Retired Force since 2014 ~
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: SSA MANDATORY cell phone based multifactor authentication

Post by TimeRunner »

mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a google voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
MathWizard
Posts: 6557
Joined: Tue Jul 26, 2011 1:35 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by MathWizard »

adamthesmythe wrote:Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html
Two factor (or multi-factor) is fine. It is just the sms based that NIST is talking about, which the SSA appears to want to use.

Biometrics or one-time passwords are still useful.

The iPhone and other top end smartphones have biometrics (fingerprint reader). I use one-time passwords.
FreeAtLast
Posts: 802
Joined: Tue Nov 04, 2014 8:08 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by FreeAtLast »

Flobes wrote:
HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.

I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.

I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent onto the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.

Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.

Their phones must be a-ringin' off the hook today!
Just did the same thing as Flobes; changed password and downloaded June 2016 personal SSA summary. Done until next year. Thanks for the heads-up, mrc!
Illegitimi non carborundum.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Epsilon Delta »

TimeRunner wrote:
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a google voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The more steps the SMS takes to get to you the less secure it is. The rationale for using the phone system as a second factor is that the phone system is not too insecure, and will probably notice and fix large scale hacks. Adding Google as a link makes it less secure, but not that much less secure. Add a few more email handlers to the link and this starts to look like a bad idea.
S&L1940
Posts: 1658
Joined: Fri Nov 02, 2007 11:19 pm
Location: South Florida

Re: SSA MANDATORY cell phone based multifactor authentication

Post by S&L1940 »

everyone disses BoA yet one click has them email a numerical code to complete the log on to my account
ditto Vanguard, easy set up for automated call with a one time recorded code to my landline or cell
Don't it always seem to go * That you don't know what you've got * Till it's gone
Flobes
Posts: 1771
Joined: Mon Feb 15, 2010 11:40 pm
Location: Home

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Flobes »

Just got another email from SSA.

It took 6 hours to fix the broken links in this morning's email message. What could possibly go wrong when they shut down to do a system upgrade this weekend?
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

Me too. This message has the embedded link (to ssa.gov). I still don't use embedded links ...

I obtained a new Google voice number -- just for this but I see other uses for it (thanks for the suggestion).

I logged into SSA and after several attempts to carefully add the info to initiate the process, no dice. :oops:

I'll wait them out I guess, 1 August is Monday. If SSA turns this on for the US Population, they will be hammered with customer service calls for months.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

We froze our credit reports due to OPM breach (and do not have a police report). Looks like SSA uses Experian to verify identity. I and my DW's extra settings ability are blocked. My mom's worked (her credit reports are not frozen). Looks like another $10 to unfreeze to make this happen.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
Levett
Posts: 4177
Joined: Fri Feb 23, 2007 1:10 pm
Location: upper Midwest

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Levett »

For several years I have subscribed to Social Security notifications. It's proven very informative.

https://www.ssa.gov/agency/updates/

I find nothing unusual about the multifactor authentication. I welcome it. My CU uses it, several CC cards use it, Vanguard uses it from time to time.

Lev
Topic Author
mrc
Posts: 1908
Joined: Sun Jan 10, 2016 5:39 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mrc »

Lev, I welcome MFA too -- just not with the cell phone text message only restriction. And with three days notice. And a method that takes 5-10 days and necessitates yet another credit unfreeze! I used W-2 info and can't get started. Why must SSA reach out for that info to a frozen credit report?

Who was it that said: security = 1 / convenience

I guess I am just sour over the sudden notice and the inconvenience and expense of compliance.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
tibbitts
Posts: 23702
Joined: Tue Feb 27, 2007 5:50 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by tibbitts »

Sorry to hijack the thread, but I've found that a number of authentication services manage to defeat the use of google voice, and declare it an unsuitable number. I have two google voice numbers and this has happened with both. Does anyone understand how/why this happens? Other authentication services text to google voice just fine.
letsgobobby
Posts: 12073
Joined: Fri Sep 18, 2009 1:10 am

Deleted

Post by letsgobobby »

Deleted
Last edited by letsgobobby on Tue Jan 14, 2020 7:58 pm, edited 1 time in total.
Good Listener
Posts: 927
Joined: Wed Dec 30, 2015 4:24 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Good Listener »

I have not logged on to the SSA site for quite a while because every time I did I had to change the password. Apparently there was a requirement to change the password every 6 months. Does anybody know if this new two-factor Authentication is removing the need to keep changing your password?
vested1
Posts: 3496
Joined: Wed Jan 04, 2012 3:20 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by vested1 »

I got the email today as well. My wife and I have accounts on the website, and while the new requirements will be a minor inconvenience I was immediately struck by the creeping control we all suffer under, which forces us to conform or be left out. Will we be safer because of these changes? Perhaps, but that doesn't diminish the sad realization that more robust security measures like this are necessary to protect us from those who would steal what they didn't earn.
coachz
Posts: 1048
Joined: Wed Apr 04, 2007 7:10 am
Location: Charleston, SC

Re: SSA MANDATORY cell phone based multifactor authentication

Post by coachz »

I have never had a cell phone so I guess I won't be going there anymore.
sco
Posts: 1009
Joined: Thu Sep 24, 2015 2:28 pm

Re: SSA MANDATORY cell phone based multifactor authentication

Post by sco »

In addition to a cell phone number, they have to verify via financial information. Mine failed.
abuss368
Posts: 27850
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: SSA MANDATORY cell phone based multifactor authentication

Post by abuss368 »

I did read this. Dumb phones may not have much longer!
John C. Bogle: “Simplicity is the master key to financial success."
drwtsn32
Posts: 127
Joined: Wed Dec 31, 2014 11:28 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by drwtsn32 »

adamthesmythe wrote:Ironic in that two-factor identification is now deprecated

http://www.infoworld.com/article/310068 ... ation.html
Only SMS based 2-factor. And maybe email based for a similar reason. (Someone intercepting the code.)

I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
niven
Posts: 97
Joined: Fri Mar 04, 2016 11:13 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by niven »

abuss368 wrote:I did read this. Dumb phones may not have much longer!
What? Dumb or "feature" cell phones can get SMS messages as well. I've always assumed this is why two-factor authentication by SMS is still popular.
mptfan
Posts: 7217
Joined: Mon Mar 05, 2007 8:58 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by mptfan »

drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
abuss368
Posts: 27850
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: SSA MANDATORY cell phone based multifactor authentication

Post by abuss368 »

niven wrote:
abuss368 wrote:I did read this. Dumb phones may not have much longer!
What? Dumb or "feature" cell phones can get SMS messages as well. I've always assumed this is why two-factor authentication by SMS is still popular.
I know.
John C. Bogle: “Simplicity is the master key to financial success."
drwtsn32
Posts: 127
Joined: Wed Dec 31, 2014 11:28 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by drwtsn32 »

mptfan wrote:
drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.

While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.

Gotta pay attention to logon screens and not click links in those phishy emails!
dodecahedron
Posts: 6602
Joined: Tue Nov 12, 2013 11:28 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by dodecahedron »

I am not sure why I would ever need to access the SSA website again. I filed for own record benefits online last year. That was successful, though someone from SSA called me to confirm everything a week or so later. I am planning to apply for widow's benefits at FRA and I already know that can't be done online--it has to be either in-person or phone/mail. (I also know the projected amount of those benefits and they won't change except for COLA, since my late husband's PIA is not going to change.) Because I am already drawing SS prior to Medicare age, I understand that Medicare enrollment in Parts A and B will happen automatically when I approach age 65. I have had the same BoA checking account number for 26 years and don't expect to change my direct deposit arrangements.

Is there any other reason I might want to access my SSA account online again?

Edited to add: I looked at this list. I guess if I want to change my address or request a replacement SS or Medicare card, it might be handy, but that would happen rarely (or possibly never.)
Last edited by dodecahedron on Fri Jul 29, 2016 10:26 pm, edited 1 time in total.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF »

TimeRunner wrote:
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a google voice number for free and get texts over the web, or have the texts sent directly to your email.

https://www.google.com/googlevoice/about.html
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The NIST decision to disallow SMS-based 2FA is significantly because they don't consider VoIP, such as Google Voice, a secure second factor. Please take a look at the article "NIST is no longer hot for SMS-based two-factor authentication" referenced earlier in this thread.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Dottie57
Posts: 12377
Joined: Thu May 19, 2016 5:43 pm
Location: Earth Northern Hemisphere

Re: SSA MANDATORY cell phone based multifactor authentication

Post by Dottie57 »

Hmm, but don't have texting. Guess it is call the congress critter time.
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF »

drwtsn32 wrote:
mptfan wrote:
drwtsn32 wrote: I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.

While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.

Gotta pay attention to logon screens and not click links in those phishy emails!
Furthermore, hardware keys are not scalable as a general purpose 2FA. One key from the SSA is OK. But how do you manage and distinguish numerous keys for each brokerage, bank, credit card, email account, etc.?

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: SSA MANDATORY cell phone based multifactor authentication

Post by VictoriaF »

Dottie57 wrote:Hmm, but don't have texting. Guess it is call the congress critter time.
The SSA, the IRS, and other government services are losing hundreds of millions of dollars a year to fraud. Maybe even billions. This is a HUGE waste that could be used for providing public services. They MUST harden their cyber security. Those who don't have a text-receiving capability can revert to regular phone calls.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
theunknowntech
Posts: 312
Joined: Tue May 05, 2015 11:11 am

Re: SSA MANDATORY cell phone based multifactor authentication

Post by theunknowntech »

mrc wrote:I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
<menomena menomena>
I got that email too. I thought it was a fraud, a clever fraud.

Who do they think we are? I don't text. Somebody once tried to teach me how to text, and it was comical. In the name of Akhenaten, texting is for the little people.