Social Security’s two-factor authentication launch hits snag
The Social Security Administration quietly launched a two-factor authentication feature last week for online account holders, making personal cell phone numbers a mandatory piece of registration information.
This additional security measure will help fight fraud and protect user data. But implementation of the extra security layer is already causing some technical difficulties.
A group of SSA account holders — largely those with Verizon Wireless cellphone numbers — are being locked out of their personal, online Social Security accounts.
“We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account[s] at this time,” a statement posted over the weekend on SSA’s website read.
The agency is “currently addressing the problem,” an agency spokesperson told FedScoop on Monday.
Creation of the two-factor authentication feature was originally spurred by a compliance requirement set forth in Executive Order 13681 — signed by President Barack Obama in October 2014 — which compels federal offices to implement secure authentication for online services.
SSA has said that it uses mobile numbers to send account holders 8-digit security codes via text message. The codes are entered during the website login process along with a username and password. The policy change is broadly designed to provide another level of proof, confirming that the individual signing into an account is the same person who established the multi-factor authentication key.
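The paragraph above describes the mechanism in one sentence: an 8-digit code is texted to the registered number and must be typed in alongside the password. The block below is an added illustration, not SSA's code or any description of how ssa.gov actually works, of what a server has to do behind that sentence to make the code worth anything: generate it unpredictably, store only a keyed hash, expire it, cap guesses, and compare in constant time. The class and function names, the five-minute lifetime and the five-attempt cap are assumptions chosen for the example; the SMS sender is a caller-supplied function so the code runs offline.

```python
"""Server-side handling of SMS one-time codes (illustrative, not SSA's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 8          # matches the 8-digit codes described in the article
CODE_TTL_SECONDS = 300   # assumed lifetime; the article states none
MAX_ATTEMPTS = 5         # assumed guess cap; the article states none


@dataclass
class PendingCode:
    code_hash: bytes     # keyed hash of the code, never the code itself
    expires_at: float    # absolute time after which the code is dead
    attempts_left: int   # remaining wrong guesses before the code is discarded


class SmsOtpService:
    """Issues and verifies single-use numeric codes delivered over SMS."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms        # callable(phone_number, message)
        self._clock = clock              # injectable for testing expiry
        self._pending = {}               # username -> PendingCode
        # Per-process HMAC key so a leaked store of hashes cannot be brute-forced
        # offline over the 10^8 possible codes.
        self._key = secrets.token_bytes(32)

    def _digest(self, username, code):
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username, phone_number):
        """Generate a fresh code, remember its hash, and hand the code to the SMS sender."""
        # secrets.randbelow gives a CSPRNG value; zero-pad so leading zeros are kept.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            code_hash=self._digest(username, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        # Re-issuing replaces any earlier code, so only one is ever live per user.
        self._send_sms(phone_number, f"Your security code is {code}")

    def verify(self, username, submitted):
        """Return one of: 'ok', 'no_code', 'expired', 'wrong', 'locked'."""
        pending = self._pending.get(username)
        if pending is None:
            return "no_code"
        if self._clock() > pending.expires_at:
            del self._pending[username]
            return "expired"
        # compare_digest avoids leaking how many bytes matched through timing.
        if hmac.compare_digest(self._digest(username, submitted), pending.code_hash):
            del self._pending[username]      # single use: burn the code on success
            return "ok"
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[username]      # force a fresh issue after too many guesses
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed demo: the "SMS gateway" just prints the message.
    svc = SmsOtpService(send_sms=lambda phone, msg: print(f"SMS to {phone}: {msg}"))
    svc.issue("alice", "+1-555-0100")
    print(svc.verify("alice", "00000000"))   # almost certainly 'wrong'
```

The point a defender should take from this is that everything the server controls (randomness, hashing, expiry, attempt limits, constant-time comparison) can be done correctly and the scheme still inherits the weakness the article goes on to discuss: the code is only as trustworthy as the delivery of the text message and the binding between the phone number and the real account holder.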
“We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised,” SSA said in a statement.
Aside from the Verizon Wireless hiccup, the SSA’s addition of two-factor authentication has drawn criticism from prominent cybersecurity blogger Brian Krebs because it does not appear to provide “proof that the person creating an account at ssa.gov is who they say they are.”
“Sadly, it is still relatively easy [regardless of two-factor authentication] for thieves to create an account in the name of Americans who have not already created one for themselves,” Krebs wrote. “All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.”
Last week, the National Institute of Standards and Technology, or NIST, explained why it was moving away from authentication methods that rely on SMS text messages, partly because of the difficulty of verifying the identity tied to the number.
Update 8/2/16, 2 p.m.: In an email sent this morning, an SSA spokesperson said that the Verizon Wireless login problem has been fixed — “the problem preventing all Verizon wireless customers from receiving the cell phone [SSA] security code is fixed.”