SSA Rolls Back Multifactor Authentication on “my Social Security”

Beyond the Numbers

Tuesday, August 23, 2016
Posted by: The Communications Division

If you have a my Social Security account with SSA, you should have received an e-mail from the agency at the end of July that announced a new account security measure.

The added security protection called for new and current my Social Security account holders to sign on to their account with a one-time code sent via text message. The second layer of security, which requires more than a username and a password, is known as “multifactor authentication.”

SSA has always provided the option to add multifactor authentication to my Social Security, but the agency recently required the second sign-on step to comply with an Executive Order related to protecting consumer financial transactions.

However, soon after SSA required my Social Security account holders to have a text-enabled cell phone so they could sign on to their accounts, citizens raised concerns to SSA and the OIG about aged and disabled beneficiaries’ abilities to comply with this mandate.

Because of those concerns raised by the public, SSA decided earlier this month to temporarily roll back the multifactor authentication requirement on my Social Security. SSA is notifying all my Social Security account holders about the rollback via email, sending out approximately 1.5 million emails each day to individuals with an account.

For more information on the temporary rollback, please see SSA’s August 15 blog post on this issue, “Update to Online Security.”

Protecting Information Online

SSA has an ongoing responsibility to maintain strong authentication controls to protect the information accessible through online user accounts.

The my Social Security account provides citizens the ability to update their personal records and access their benefit information online, but these accounts and the information they contain have become targets for identity thieves. In recent years, the OIG has investigated cases involving the fraudulent redirection of Social Security benefits through my Social Security accounts to financial accounts controlled by identity thieves. SSA and the OIG take these investigations seriously, because electronic fraud schemes can affect a significant number of unknowing victims and lead to large Social Security fraud losses.

Also, we continue to work closely with SSA to encourage citizens to establish their own my Social Security account before identity thieves do so fraudulently—if you already have an account, a fraudulent attempt by another person to create an account in your name will be unsuccessful. We also suggest that you regularly monitor your account for suspicious activity and make all efforts to protect your personal information.

Finally, we support SSA in its efforts to develop an alternative authentication option for my Social Security that protects personal information and allows all account holders to access their records without restrictions.