A move by the SSA to strengthen authentication for its site may not be enough.

Citizens attempting to login to their accounts on the U.S. Social Security Administration website will now be required to offer further proof of their identity, but the enhanced security implementation is receiving mixed reviews.

On a notice on the SSA site, the government agency is announcing that beginning June 10 a second method to verify identity will be required for users registering or signing in "to help better protect your account from unauthorized use and potential identity fraud."

In addition to a username and password, users will now be prompted to enter their email address or a cell number to which a one-time security code will be sent.

But, security expert Brian Krebs, writing on his blog, has reservations about the effectiveness of this method. "The idea that one can reset the password using the same email account that will receive the one-time code seems to lessen the value of this requirement as a security measure," he wrote.

The weakness, he pointed out, lies in the fact that the SSA is not referring to the strategy as "two-factor authentication," in which a user verifies identity with a PIN, password or biometric asset.

This new requirement comes nearly a year after the SSA attempted to introduce a method that required users to provide a cell number. That effort was withdrawn a mere two weeks after its launch, following technical difficulties and criticism that the strategy failed to stop identity thieves from registering for benefits using stolen identities.

The challenge is that armed with some personal information – a target's name, date of birth, Social Security number, residential address, and phone number – an identity thief can register an account in someone else's name and divert funds. Krebs advised that people register with the site before an identity thief has the chance.

But some experts argue that the move by the SSA, if not a panacea, does deliver added protection.

"The goal behind this strategy is lowering the complexity to implement multi-factor authentication for all users," Travis Smith, senior security research engineer at Tripwire, told SC Media on Thursday. "Even though this process may not be as bullet-proof as implementing two-factor authentication with a separate physical device, it increases the security of the overall system. With the rise of password stuffing attacks against websites, this is a step in the right direction to help secure the internet."

Phil Dunkelberger, CEO at Nok Nok Labs, asks whether we shouldn't expect more from our government.

"The Social Security Administration is implementing additional authentication steps, arguing that these steps will make the authentication 'stronger' and help the SSA 'protect what's important to you,'" he told SC Media on Friday. "Great. They have come to the realization that a simple username and password is not sufficient to protect the retirement assets of millions of Americans."

But, he said, the SSA seems to be missing the lessons learned from other federal organizations and allies.

He pointed to the 2015 breach of the Office of Personnel Management, which saw the release of over 21 million Social Security numbers and over five million fingerprints. "This was a clear indication that databases filled with sensitive information are not a good idea. In 2016, the National Institute of Standards and Technology published guidelines covering 'Strong Authentication' that clearly stated that SMS-based second-factor authentication was flawed. Paul Grassi, a senior standards and technology advisor at NIST, specifically said at the time that their message is 'a strong signal to agencies to look for alternative plans. Implement [SMS] at your own risk because of the vulnerabilities we told you about.'"

What is clear is that some federal organizations are getting the message that usernames and passwords are not safe nor secure, Dunkelberger told SC. "And for that, we applaud them. What is also clear is that they may not be listening to nor learning from other federal organizations. NIST provided a recommended list of viable out-of-band authenticators that we highly recommend the SSA take a look at. We know that the federal government is a massive ship of the state and that turning against existing inertia requires significant energy and effort. But much like the recommendations from the just signed White House EO on Cybersecurity, to make a change that is neither helpful nor advisable by the government's own experts badly misses the mark. We should expect more from our government."

This article was updated on May 12 with comments from Phil Dunkelberger.