Social Security rolls back two-factor mandate

The Social Security Administration is relaxing a recent security directive for beneficiaries, because of potential user inconvenience.


The Social Security Administration is relaxing a recent security directive requiring beneficiaries to use two-factor authentication to log into personal accounts after complaints that the new restrictions hindered user access.

The agency had established a policy of requiring My Social Security account holders to confirm their identities via a text-enabled mobile device. The move was in keeping with an executive order on improving security in consumer financial transactions. The policy, announced July 30, met with complaints from users. Sen. Jeff Merkley (D-Ore.) complained to SSA Commissioner Carolyn Colvin that the policy could limit account access by beneficiaries.

"As many Americans, especially older Americans, do not have a text-enabled cell phone or may be unable to use text messaging, I respectfully ask that the Social Security Administration develop and implement alternative multi-factor authentication methods," he wrote.

Merkley cited Pew data that indicated that just 35 percent of Americans over the age of 65 use text messaging. "With the majority of individuals at or above Social Security retirement benefit age not equipped to text, developing alternative multi-factor authentication methods is crucial to ensuring that all recipients have equal access to their My Social Security accounts," Merkley wrote.

SSA has not come up with a new two-factor verification method. The agency is strongly recommending that users take advantage of the text-message security option, but beneficiaries are able once again to use a simple username and password to access their accounts.

Merkley welcomed the change. "Seniors need improved access to their benefits, not technology-based roadblocks," he said in a statement.

The My Social Security account is a potentially inviting target for hackers and fraudsters. Users can use the accounts to request new Social Security cards, set up direct deposit of benefit payments and change their address for benefit payments and statements.

The lack of a viable two-factor authentication method that is senior-friendly highlights the potential pitfalls of not having a national digital identifier for citizens to transact government business. The United Kingdom took its government digital ID out of beta in May.

In the U.S. it is a different story. Currently 18F, the digital consulting shop at the General Services Administration, has ownership of a plan to build a shared login platform for accessing government services. Before that, agencies were working on their own systems, and a centralized effort by the National Strategy for Trusted Identities in Cyberspace, housed at the National Institute of Standards and Technology, focused on giving grants to private sector and academic pilot projects to improve digital authentication.

Former NSTIC chief Jeremy Grant told FCW this May that, "In the U.S., while the White House indicated that all agencies should use the shared service, there have not been any real consequences for agencies that go their own way."
