The US Social Security Administration is implementing stronger authentication for Americans accessing their “My Social Security” accounts at ssa.gov.
Beginning June 10, account holders will need a second method to verify identity when they register or sign in. A verification code can be sent by either email or text message.
“Using two ways to identify you when you log on will help better protect your account from unauthorized use and potential identity fraud,” the agency said in a notice on its website. “Since an email address is already required to use my Social Security, everyone can continue to benefit from the features my Social Security provides.”
The idea is to foil identity thieves, who can register an account at the portal using stolen retiree information. All that’s required is name, date of birth, Social Security number, residential address and phone number, information that can be easily phished or purchased on the Dark Web. Once the account is activated, the victim’s retirement benefits can be hijacked and sent to a bogus bank account or prepaid debit cards.
To create a bigger barrier to entry for crooks, the SSA last year began requiring a mobile phone number for all users, but it quickly did away with the scheme after technical difficulties marred the rollout.
While beefing up log-on measures is always a good idea, some observers note that the measure is a bit toothless.
“The idea that one can reset the password using the same email account that will receive the one-time code seems to lessen the value of this requirement as a security measure,” said independent researcher Brian Krebs. “Notice the SSA isn’t referring to its new security scheme as ‘two-factor authentication,’ which requires the user to supply something he knows and something he is or has. The former is usually a password or PIN; ‘something he is’ most often refers to biometric components (fingerprint, iris scan); whereas the ‘something he has’ factor generally refers to the output of a one-time code from a key-fob or mobile app.”
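Krebs’ objection can be checked with a small threat-model exercise. The script below is an added illustration, not code from the SSA or from any product; it models a login policy by two things, the channel that delivers the sign-in code and the channel that handles a password reset, and then asks which minimal combinations of compromised channels are enough to complete a sign-in. The policy names and channel labels ("email", "sms", "totp_device", and "password" for an attacker who already knows the password) are assumptions made for the model.

```python
"""Toy model: when does a "second step" collapse into a single factor?

Added illustration (not SSA code). An account is modelled by the channel
that delivers the one-time code and the channel that drives a password
reset. The question asked is: which sets of controlled channels are
sufficient to sign in? Labels used here are assumed for the model only.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Policy:
    name: str
    code_channel: str   # where the sign-in code is delivered
    reset_channel: str  # where a password-reset link/code is delivered


# "password" stands for an attacker who already knows the password
# (phished, reused, or guessed); the others are delivery channels.
CHANNELS = ("password", "email", "sms", "totp_device")

# Assumed policies for comparison. The first mirrors the criticism above:
# the code arrives in the same mailbox that can reset the password.
EMAIL_CODE_EMAIL_RESET = Policy("code by email, reset by email", "email", "email")
SMS_CODE_EMAIL_RESET = Policy("code by SMS, reset by email", "sms", "email")
TOTP_CODE_EMAIL_RESET = Policy("code from authenticator app, reset by email",
                               "totp_device", "email")


def channels_sufficient(policy: Policy, controlled) -> bool:
    """True if controlling `controlled` channels lets someone sign in.

    Sign-in needs the password AND the one-time code. The password is
    available either because it is known or because the reset channel is
    controlled; the code is available if the code channel is controlled.
    """
    controlled = set(controlled)
    has_password = "password" in controlled or policy.reset_channel in controlled
    has_code = policy.code_channel in controlled
    return has_password and has_code


def minimal_takeover_sets(policy: Policy, candidates=CHANNELS):
    """Return the minimal channel sets that suffice under `policy`.

    Sets are explored by increasing size; a set is kept only if no
    smaller sufficient set is a proper subset of it.
    """
    found = []
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            s = set(combo)
            if channels_sufficient(policy, s) and not any(f < s for f in found):
                found.append(frozenset(s))
    return sorted(found, key=lambda s: (len(s), sorted(s)))


def factor_count(policy: Policy) -> int:
    """Smallest number of channels an attacker must control (1 means
    the second step adds no independent factor)."""
    return min(len(s) for s in minimal_takeover_sets(policy))


if __name__ == "__main__":
    for p in (EMAIL_CODE_EMAIL_RESET, SMS_CODE_EMAIL_RESET, TOTP_CODE_EMAIL_RESET):
        print(f"{p.name}: needs {factor_count(p)} channel(s)")
        for s in minimal_takeover_sets(p):
            print("   ", sorted(s))
```

Running the model shows the asymmetry Krebs describes: with the code and the reset both routed through email, the mailbox alone is a minimal takeover set, so the scheme offers one effective factor. Routing the code through SMS or an authenticator app while keeping email for resets raises the minimum to two independent channels, which is the property that distinguishes a second step from a second factor.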
Travis Smith, senior security research engineer at Tripwire, told Infosecurity that the plan is at least a good first step.
“The goal behind this strategy is lowering the complexity to implement multi-factor authentication for all users,” he said. “Even though this process may not be as bullet-proof as implementing two-factor authentication with a separate physical device, it increases the security of the overall system. With the rise of password-stuffing attacks against websites, this is a step in the right direction to help secure the internet.”
Krebs noted that only one account can be created per Social Security number, so registering one’s account on the portal before an identity thief does is a basic way to thwart the bad guys.