SS Multifactor Authentication without Cell Service

[GravitySucks]

Darn gummint intruding on my privacy, I'm not even going to give SS my mailing address.

I have an old coworker buddy who helps the homeless. He spent 4 months getting a woman her back owed SS. Her paranoia had made it so that she would not tell SS where she lived and she destroyed her Government issued IDs (Drivers license, SS card, etc.) She lost her apartment and had been living in a clump of bushes in the Texas weather for a couple of years as that paranoia also kept her out of shelters.
Story so far - She ended up getting over $50k in back payments, and he hooked her up with a small apartment and got her to take her meds. Hope it stays a happy ending. Schizophrenia is a b**ch.

 

[harley]

Got the same email today. I'm for better security but this sucks. (Yes more security is usually inconvenient - check out the airports lately?)

Was this a non sequitur? What does what happens at the airports have to do with security? Other than security theater, I guess.

But other than that, you're right. I was in network security for a good portion of my career, and I used to say in my presentations that you can't use security and convenience in the same sentence. This SS change is a pain. If it improves security, that's ok. But I doubt it actually will.

 

[Sunset]

I hope nobody clicked on any link in an email, and instead used their bookmarked menu item to go to SS site.

 

[tulak]

I'm another user of Google Voice. I use it with SS and it works fine.

 

[audreyh1]

I had already set up their two factor cell authentication. But I worried about those who didn't have cellphone. BTW any number could have been used and a voice option for a message, or email. I don't understand the cell with SMS constraint.

 

[donheff]

Interesting thread. I can understand NIST's concerns about SMS. But I haven't kept up with Google Authenticator. I used Google's initial version of two factor authentication but that involved keeping a paper list of passcodes with you and remembering to periodically add more - what a PITA. The Authenticator app sounds more like RSA secure key. Since I almost always have cell phone with me I think I will give it a try.

 

[bUU]

Government at its best!

I'm not sure what reasonable alternatives there might be, given the reality of limited resources and unlimited threats.

Guess SS and NIST don't get along very well

NIST couldn't care less about the cost of what they propose, or how readily accepted it would be by citizen-users. They weight absolutes - and objectively they are of course correct - but we don't live in an objective world where objective reality dictates the politics that fosters the resources available to run the country, nor the logistical realities either.

I know you can get text messages with a lot of phone services now but not sure how it would work.

My Xfinity home phone received TXTs but sometimes when I try to enter it as a mobile number to receive TXTs it is refused.

 

[target2019]

I'm not sure what reasonable alternatives there might be, given the reality of limited resources and unlimited threats.NIST couldn't care less about the cost of what they propose, or how readily accepted it would be by citizen-users. They weight absolutes - and objectively they are of course correct - but we don't live in an objective world where objective reality dictates the politics that fosters the resources available to run the country, nor the logistical realities either.

This makes me think I'll be sitting in a chair someday with multiple MFA devices in addition to a cellphone or two. Some institutions will continue with cell text MFA, while gov't will issue national chip and PIN cards that are readable by my new cornea.

 

[bUU]

Having seen the inside of what went into tying together disparate systems in the interest of ACA applications, that seems likely. We like to think there are easy answers, but the reality is that that's only the case when one person tells everyone what to do. Barring that, in a consensus-driven environment where there are different perspectives that all have primacy within their own spheres, things are not so easy.

 

[MBSC]

Text was the easiest to implement before the mandated deadline. Look for other methods to become available later.

Statement of Carolyn W. Colvin,
Acting Commissioner,
Social Security Administration
May 26, 2016

...we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines.

Source: https://www.ssa.gov/legislation/testimony_052616.html

 

[Tadpole]

I ran into a lot of talk about NIST depreciation of SMS for authentication. This is an explanation. The larger problem seems to be the Google solution and VOIP.


Questions…and buzz surrounding draft NIST Special Publication 800-63-3 | NSTIC NOTES


I admit ignorance here that I think my fellow early-retire engineers could clarify. What makes SMS a different venue. I guess I am asking how SMS is separate and distinct from using a non-WiFi connection on my phone browser? My knee-jerk reaction to not offering a email option was - well, I could be on my phone bank app or phone browser and receiving the SMS on that same phone so why not email delivered to the same computer as my browser session asking for the code. (Same logic with robo-call which is also not an option.)

 

[target2019]

MMS can originate from, or be received by, non-phone. Therefore, no way to establish non-repudiation of identity on both ends.
SMS Text message is more secure because of how it travels end-to-end through carriers. That's my explanation. The mode of transmission and carry is different, but seems almost the same to end user.

 

[lemming]

I hope nobody clicked on any link in an email, and instead used their bookmarked menu item to go to SS site.

I worried about that too. How did I check it out? I came to this forum to see what you guys thought. That kind of email is great vehicle for scam.
I now have a smart phone but so far it is smarter then me.

 

[tmm99]

What are the chances that it will work with an international number? Lots of expats live overseas.

I was wondering about the same thing. Does anybody know?

 

[jonat]

SSA accepts only a "10-digit number" here, so US only.

 

[tmm99]

SSA accepts only a "10-digit number" here, so US only.

Well, then, Canada numbers are OK? (Canada numbers look just like US numbers except the 3-digit area codes are Canadian area codes...)

 

[jonat]

Ok, North America. It doesn't say explicitly.

 

[Animorph]

Wasn't able to get SS to accept my login today in order to give them my cell number. They sent out the code OK, and I received it, but the website said there was an error and wouldn't let me enter the code.

I tried to set it up with Fidelity also, but Fidelity says they don't support my carrier (probably meaning Google Voice).

So 0 for 2 today.

 

[redshift]

I finally got it to accept my Google Voice number and send the code. For a while it wouldn't even process my regular cell phone number. Their system may be slammed with folks trying to update their logins?

 

[Tadpole]

Anyone try Google Voice with Vanguard?

 

[gauss]

I received the following error when I attempted to login to My SS this morning. This message was shown after I was prompted to enter a 10 digit cell phone number.

I am not sure at this point if the system is overloaded, or if they do not like my Google voice number that I provided.

-gauss

EDIT- Update - 15 minutes later or so I did receive an SMS message on my Google Voice number that I provided. It was of the form "YOUR SECURITY CODE IS ######## ". I still don't have anywhere to enter it in that the web site already faulted out with the message shown below. I guess this is a good sign suggesting that the current problems may be capacity related and not specific to my Google Voice number.

We're sorry...


We cannot process your request at this time. Please try again later.


If you need immediate assistance: please contact us.

 

[gauss]

Anyone try Google Voice with Vanguard?

Yes I use my GV number all the time with my Vanguard account. I keep my Vanguard account set to "this is a public computer" so it prompts me every time.

 

[easysurfer]

Wasn't able to get SS to accept my login today in order to give them my cell number. They sent out the code OK, and I received it, but the website said there was an error and wouldn't let me enter the code.

I tried to set it up with Fidelity also, but Fidelity says they don't support my carrier (probably meaning Google Voice).

So 0 for 2 today.

Had the same issue trying to login to SSA with the code sent soon, but error message and no place to enter the code. I already had my account set up with my mobile awhile back so didn't need to do any assigning my phone today.

Worked fine months earlier. Maybe the "improvement" broke something . Looks like I'll try again in a week or two .

 

[jonat]

I was getting the same error on the SSA site, but I just retried a minute or so later and it was fine. It looks as if they have some capacity issues with their SMS gateway.

 

[Huston55]

Seems to be working now. Just completed registration.