Apparently: “Our aggressive implementation inconvenienced or restricted access to some of our account holders,” Social Security press office spokesperson Dorothy Clark said via email.
RM
I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user. This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must use multifactor authentication.
When you sign in at ssa.gov/myaccount with your username and password, we will ask you to add your text-enabled cell phone number. The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account.
Each time you sign into your account, you will complete two steps:
Step 1: Enter your username and password.
Step 2: Enter the security code we text to your cell phone (cell phone provider's text message and data rates may apply).
The process of using a one-time security code in addition to a username and password is one form of “multifactor authentication,” which means we are using more than one method to make sure you are the actual owner of your account.
If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.
If you are unable or choose not to use my Social Security, there are other ways you can contact us. To learn more, please review the Frequently Asked Questions found here.
Last edited by mrc on Tue Aug 16, 2016 9:13 am, edited 2 times in total.
By the time you know enough to choose a good financial adviser, you don't need one. | bogleheads.org is my advisor: The ER is 0.0% and the advice always solid.
This sounds like a good basis for a complaint through a local congressperson or senator. Technology exists to route the multifactor authentication code number through email or to send it via a vocal message to a landline number. They could even mail a list of multifactor authentication numbers through the snail mail system for future use.
The closest helping hand is at the end of your own arm.
Looks like they are indeed going to implement this. From the May 16, 2016, statement of acting commissioner Carolyn W. Colvin to the House Oversight Committee:
Additionally, to protect citizens’ personally identifiable information further, we continue to improve authentication for our online services. In compliance with Executive Order 13681 (“Improving the Security of Consumer Financial Transactions”), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards and Technology is working on a revised guideline, and we are providing input into that process.
Edited to Add: BUT, the infoworld link provided above by adamthesmythe indicates that NIST axed its endorsement of SMS two-factor yesterday. Maybe that will give SSA pause?
Last edited by JDCarpenter on Thu Jul 28, 2016 1:39 pm, edited 2 times in total.
Our personal blog (no ads) of why we saved/invested: https://www.lisajtravels.com/
My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks.
“The strong cannot be brave. Only the weak can be brave; and yet again, in practice, only those who can be brave can be trusted, in time of doubt, to be strong.” - GK Chesterton
Texanbybirth wrote:My account is already like that. I just tried, and I had to do two-factor authentication to get in. Maybe they're testing it on us young folk first to make sure there aren't any kinks.
Not SS age yet, but the SSA decided not to let me add extra security.
I attempted to add extra security twice, but received an error message every time as follows:
"We cannot upgrade your account at this moment. For further assistance, please contact us."
Did you go to the actual Social Security Website [no, not via the link provided on any bogus email] to verify this information?
Thanks for reading.
I wish it weren't true, but I checked the mail headers before I posted (it's from messages@subscriptions.ssa.gov) and there is only one clickable link: https://www.ssa.gov/myaccount/ in the message. I don't see how this can stand given that there are those that use the web but don't have a cell phone. My 90-year-old mom for starters! I expected to be pushed into a text plan by Verizon or a bank or some other institution that I don't want to live without. But the SSA? Calling and writing is no way to interface with them.
mrc wrote:I don't see how this can stand given that there are those that use the web but don't have a cell phone.
You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.
I logged into the SSA site, and on the "Security Settings" tab is a button "Add Extra Security". Beside that is "How does this work?" Here is what is says:
How does this work?
If you'd like to add extra security, you will use a text-enabled cell phone each time you sign in. This provides extra security because even if someone gets your username and password, they will not be able to access your personal information.
To get started, we'll verify your identity by asking for:
the last 8 digits of your Visa, MasterCard or Discover Card, or
information from your W2 tax form, or
information from your 1040 Schedule SE (self-employment) tax form.
Your upgrade letter will arrive in 5 to 10 business days. You will need this letter to complete this process.
Love to hear from those that have done this already ...
mrc wrote:I don't see how this can stand given that there are those that use the web but don't have a cell phone.
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.
I'm not sure who I distrust more: Verizon or Google!
HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.
I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.
I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent on to the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.
Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.
Their phones must be a-ringin' off the hook today!
+1 for google then. DuckDuck doesn't show that link to me. Even with this search:
"my Social Security" two-factor authentication site:ssa.gov
Thanks for all the inputs, I went to the ssa dot gov website, updated the password, and applied for the extra security, now waiting for the upgrade letter to arrive in 5 to 10 business days to complete the process.
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Flobes wrote:HueyLD wrote:I contacted the SSA Help Desk, and have been on hold for about 30 minutes. The awful music is annoying.
I received the same email as OP.
I also placed a phone call to SSA. I opted to receive a call-back, which came about an hour later.
I asked my question; she mumbled some short answer. I asked, "Please repeat. I didn't understand the answer." And I was promptly sent on to the 5-minute Customer Satisfaction robot: Press 1 if you were dissatisfied; press 1 if your agent was unclear; press 3 if your questions weren't answered.
Logging into mySocialSecurity, there was a message alert that my password expires in 5 days. So I fed it a new one. And I downloaded my SS file, just in case I'm soon to be locked out.
Their phones must be a-ringin' off the hook today!
Just did the same thing as Flobes; changed password and downloaded June 2016 personal SSA summary. Done until next year. Thanks for the heads-up, mrc!
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The more steps the SMS takes to get to you the less secure it is. The rationale for using the phone system as a second factor is that the phone system is not too insecure, and will probably notice and fix large scale hacks. Adding Google as a link makes it less secure, but not that much less secure. Add a few more email handlers to the link and this starts to look like a bad idea.
everyone disses BoA yet one click has them email a numerical code to complete the log on to my account
ditto Vanguard, easy set up for automated call with a one time recorded code to my landline or cell
Don't it always seem to go * That you don't know what you've got * Till it's gone
It took 6 hours to fix the broken links in this morning's email message. What could possibly go wrong when they shut down to do a system upgrade this weekend?
Me too. This message has the embedded link (to ssa.gov). I still don't use embedded links ...
I obtained a new Google voice number -- just for this but I see other uses for it (thanks for the suggestion).
I logged into SSA and after several attempts to carefully add the info to initiate the process, no dice.
I'll wait them out I guess, 1 August is Monday. If SSA turns this on for the US Population, they will be hammered with customer service calls for months.
We froze our credit reports due to the OPM breach (and do not have a police report). Looks like SSA uses Experian to verify identity. My and my DW's ability to add the extra security settings is blocked. My mom's worked (her credit reports are not frozen). Looks like another $10 to unfreeze to make this happen.
Lev, I welcome MFA too -- just not with the cell phone text message only restriction. And with three days' notice. And a method that takes 5-10 days and necessitates yet another credit unfreeze! I used W-2 info and can't get started. Why must SSA reach out for that info to a frozen credit report?
Who was it that said: security = 1 / convenience
I guess I am just sour over the sudden notice and the inconvenience and expense of compliance.
Sorry to hijack the thread, but I've found that a number of authentication services manage to defeat the use of google voice, and declare it an unsuitable number. I have two google voice numbers and this has happened with both. Does anyone understand how/why this happens? Other authentication services text to google voice just fine.
I have not logged on to the SSA site for quite a while because every time I did I had to change the password. Apparently there was a requirement to change the password every 6 months. Does anybody know if this new two-factor Authentication is removing the need to keep changing your password?
I got the email today as well. My wife and I have accounts on the website, and while the new requirements will be a minor inconvenience, I was immediately struck by the creeping control we all suffer under, which forces us to conform or be left out. Will we be safer because of these changes? Perhaps, but that doesn't diminish the sad realization that more robust security measures like this are necessary to protect us from those who would steal what they didn't earn.
Only SMS based 2-factor. And maybe email based for a similar reason. (Someone intercepting the code.)
I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
drwtsn32 wrote:
I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
drwtsn32 wrote:
I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.
While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.
Gotta pay attention to logon screens and not click links in those phishy emails!
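The two posts above disagree on whether a forged logon screen beats every second factor. The simulation below is an added example, not code from the thread: it models the SSA-style SMS code, which a forged page can capture and relay to the real site, next to a U2F-style assertion, which the authenticator binds to the origin the browser reports rather than the one the page claims, so the relying party rejects it. The phishing domain, the account name and the use of HMAC as a stand-in for U2F's ECDSA signature are all assumptions made for the example; the origin check is the point, not the signature algorithm.

```python
"""Forged login page: relayed SMS code succeeds, origin-bound U2F assertion fails.

Added example; not from the forum thread or from SSA. PHISH_ORIGIN and the
user name are constructed; HMAC-SHA256 with a shared key stands in for the
per-site key pair and ECDSA signature a real U2F token uses.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://www.ssa.gov"            # legitimate relying party
PHISH_ORIGIN = "https://ssa-gov-login.example"  # constructed phishing site


def sign(key: bytes, message: str) -> str:
    """Stand-in for the token's signature; real U2F uses ECDSA P-256."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.sms_codes = {}   # user -> code texted out
        self.keys = {}        # user -> key registered at enrolment
        self.challenges = {}  # user -> outstanding challenge

    # SMS one-time code (the SSA scheme): the code is just a string the user types.
    def send_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sms_codes[user] = code
        return code

    def check_sms_code(self, user: str, code: str) -> bool:
        expected = self.sms_codes.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

    # U2F-style challenge/response.
    def register_key(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def new_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.challenges[user] = challenge
        return challenge

    def check_assertion(self, user: str, assertion: dict) -> bool:
        challenge = self.challenges.pop(user, None)
        client_data = json.loads(assertion["client_data"])
        if challenge is None or client_data["challenge"] != challenge:
            return False
        if client_data["origin"] != self.origin:  # the check a forged page cannot pass
            return False
        expected = sign(self.keys[user], assertion["client_data"])
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """Hardware token: signs the challenge together with the origin the browser reports."""

    def __init__(self, key: bytes):
        self.key = key

    def make_assertion(self, challenge: str, browser_origin: str) -> dict:
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        return {"client_data": client_data, "signature": sign(self.key, client_data)}


def phish_sms(rp: RelyingParty, user: str) -> bool:
    """Forged page flow: victim types the texted code into the phisher's 2FA screen, phisher relays it."""
    code = rp.send_sms_code(user)          # RP texts the victim once the phisher submits the stolen password
    relayed = code                         # victim enters it on the forged page; phisher forwards it
    return rp.check_sms_code(user, relayed)


def phish_u2f(rp: RelyingParty, user: str, token: Authenticator) -> bool:
    """Same forged page, but the browser tells the token it is on PHISH_ORIGIN, and that is what gets signed."""
    challenge = rp.new_challenge(user)     # phisher fetches the real challenge and forwards it
    assertion = token.make_assertion(challenge, PHISH_ORIGIN)
    return rp.check_assertion(user, assertion)


def legit_u2f(rp: RelyingParty, user: str, token: Authenticator) -> bool:
    challenge = rp.new_challenge(user)
    return rp.check_assertion(user, token.make_assertion(challenge, rp.origin))


def build_scenario():
    rp = RelyingParty(RP_ORIGIN)
    token = Authenticator(secrets.token_bytes(32))
    rp.register_key("user", token.key)
    return rp, token


if __name__ == "__main__":
    rp, token = build_scenario()
    print("SMS code relayed through forged page accepted:", phish_sms(rp, "user"))   # True
    print("U2F assertion relayed through forged page accepted:", phish_u2f(rp, "user", token))  # False
    print("U2F assertion from the real origin accepted:", legit_u2f(rp, "user", token))  # True
```

The same origin binding is what makes the relay fail for a TOTP app replaced by a key: a typed six-digit code carries no information about where it was typed, whereas the signed client data does.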
I am not sure why I would ever need to access the SSA website again. I filed for own record benefits online last year. That was successful, though someone from SSA called me to confirm everything a week or so later. I am planning to apply for widow's benefits at FRA and I already know that can't be done online--it has to be either in-person or phone/mail. (I also know the projected amount of those benefits and they won't change except for COLA, since my late husband's PIA is not going to change.) Because I am already drawing SS prior to Medicare age, I understand that Medicare enrollment in Parts A and B will happen automatically when I approach age 65. I have had the same BoA checking account number for 26 years and don't expect to change my direct deposit arrangements.
Is there any other reason I might want to access my SSA account online again?
Edited to add: I looked at this list. I guess if I want to change my address or request a replacement SS or Medicare card, it might be handy, but that would happen rarely (or possibly never.)
Last edited by dodecahedron on Fri Jul 29, 2016 10:26 pm, edited 1 time in total.
mptfan wrote:You don't need a cell phone to get texts, you just need a phone number and an internet connection. You can get a Google Voice number for free and get texts over the web, or have the texts sent directly to your email.
I tried this, and it works. Text came both to my cell (forwarded from Google voice) as well as to my email. You can even reply to the email to send a text back to the sender (although not in the case of no-reply texts, obviously).
The NIST decision to disallow SMS-based 2FA is significantly because they don't consider VoIP, such as Google Voice, a secure second factor. Please take a look at the article NIST is no longer hot for SMS-based two-factor authentication referenced earlier in this thread.
Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
drwtsn32 wrote:
I prefer using a time based authenticator where it downloads a token only at the time of setting up 2-factor. From then you get your codes without any information being transmitted to you.
How do you feel about physical security keys using U2F? In that case nothing is transmitted to you either, and from what I have read, they are more secure than authenticator apps that generate codes because you need to have the physical security key connected to the computer in order to authenticate, whereas the code generated by an authenticator app can be stolen by phishing or a man in the middle.
Hardware keys are more secure albeit at more inconvenience IMO.
While some 2FA mechanisms are better because someone can't intercept the code as it is sent to you, they are all vulnerable to the type of attack where you are presented with a forged logon screen. If that forged logon screen also fakes the 2FA portion, you're still screwed.
Gotta pay attention to logon screens and not click links in those phishy emails!
Furthermore, hardware keys are not scalable as a general purpose 2FA. One key from the SSA is OK. But how do you manage and distinguish numerous keys for each brokerage, bank, credit card, email account, etc.?
Victoria
Dottie57 wrote:Hmm, but don't have texting. Guess it is call the congress critter time.
The SSA, the IRS, and other government services are losing hundreds of millions of dollars a year to fraud. Maybe even billions. This is a HUGE waste that could be used for providing public services. They MUST harden their cyber security. Those who don't have a text-receiving capability can revert to regular phone calls.
Victoria
mrc wrote:I am all for tight security. But I just received this notice from the SSA (emphasis added). Short notice, and denial of online access without a text-capable device.
<menomena menomena>
I got that email too. I thought it was a fraud, a clever fraud.
Who do they think we are? I don't text. Somebody once tried to teach me how to text, and it was comical. In the name of Akhenaten, texting is for the little people.