UPDATE (14 August 2016): I’m told that SSA has removed the mandatory cell phone text messaging access requirement that was strongly criticized in the original posting below. I appreciate that SSA has now done the right thing in this case. Perhaps in the future they’ll think these things through better ahead of time!
– – –
If you don’t have a cell phone, or some other means to receive SMS text messages (and have them enabled, and know how to deal with them), you won’t be able to access your Social Security Administration “My Social Security” online account starting next month.
The SSA is currently sending out emails announcing that SSA online users MUST receive an SMS text message with a two-factor authentication code to access their accounts starting in August.
UPDATE (29 July 2016): Here is the official SSA announcement.
UPDATE (14 August 2016): SSA has now deleted this referenced announcement page since they have removed the mandatory cell phone text messaging login requirement, as noted in the update at the start of this posting.
According to Congressional testimony in May, SSA “expects” to make other two-factor methods available at some point in the future.
While the “expectation” of additional two-factor options at some unspecified time down the line is interesting, the move to now block users who do not have cell phones, or text message capable cell phones, or do not have text messaging enabled, or do not know how to access and read text messages — IS UNACCEPTABLE, especially on such short notice to SSA users.
Two-factor authentication systems are very important, but keep in mind that SSA by definition is dealing mostly with older users who may have only recently become comfortable with online services, and may not make any use of text messaging. Many do not have cell phones or somebody to receive text messages for them. There are also many people living in rural areas where cell phone service simply is not available at all!
Additionally — and ironically — text messaging is considered to be a substandard means of receiving two-factor authentications. And — get this boys and girls — NIST (the USA’s National Institute of Standards and Technology) — just a few days ago officially declared that text messaging based two-factor should no longer be used at all — it’s simply not safe and secure. The possibility of crooks leveraging this SSA text messaging system with fake messages targeting this particularly vulnerable user population is also very real.
It appears that SSA has really mucked this one up. This isn’t secure two-factor, it’s a three-ring circus. And it’s going to leave many SSA users out in the cold.
–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
Interesting also as NIST just updated their guidance on 2-factor authentication and SMS is not (generally) acceptable in the future… https://pages.nist.gov/800-63-3/sp800-63b.html
Indeed, as I briefly touched on in the post. Irony, thy name is SSA!
Do you have a cite/url for the SSA requiring SMS/phones?
It apparently has not appeared yet on the SSA site. I’m receiving vast numbers of confirmations from SSA users who have just now received notice in emails from SSA.
Look on the ssa.gov web site. It is all over the place. Also they will not accept international numbers. I just tried.
I used to be able to get into “my social security account”, but lately, when they send the verification code, I never receive the text for the code, I’ve waited up to ten minutes each time. Although it works on my bank and other accounts just fine. Not sure who I would contact about this, as social security phone numbers are just a run around at this time.
Are you specifying that text messages are sent to an actual mobile phone on a major carrier, or to a third-party service of some kind? Some senders refuse to send text messages to other than physical phones with “conventional” mobile carriers. You may ultimately have to bite the bullet and talk to them, at least to change the mobile service specified if that turns out to be necessary to receive the texts.
What if the SSA recipient does not have an email address? They won’t even know they need to be able to get SMS messages.
It may not be currently possible to sign up on the SSA site without an email address in the first place. I don’t know for sure offhand.
Here’s the wording (with personal info redacted) that is being reported to me as being from the content of the SSA email that is now being widely received. The bold text emphasis is mine.
– – – – – – –
Date: Fri, 29 Jul 2016 [ ]
From: Social Security Administration [subscription.service@subscriptions.ssa.gov]
Subject: New step to protect your privacy using my Social Security
To: [ ]
Starting in August 2016, Social Security is adding a new step to protect your privacy as a my Social Security user. This new requirement is the result of an executive order for federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must use multifactor authentication.
When you sign in at ssa.gov/myaccount [link] with your username and password, we will ask you to add your text-enabled cell phone number. The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account.
Each time you sign into your account, you will complete two steps:
Step 1: Enter your username and password.
Step 2: Enter the security code we text to your cell phone (cell phone provider’s text message and data rates may apply).
The process of using a one-time security code in addition to a username and password is one form of “multifactor authentication,” which means we are using more than one method to make sure you are the actual owner of your account.
If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.
If you are unable or choose not to use my Social Security, there are other ways you can contact us …
It would be possible for a computer voice to read you the code number by calling your home telephone. (Not any worse than a text message).
Google for example has SMS two-factor authentication, but also voice phone based as you describe, support for authentication apps that don’t even have to be online, and also FIDO-based security keys. Not only that, but with Google if you choose you don’t even need to reauthenticate by SMS or voice after the first time — Google keeps track of the authentication itself. Google does this all the smart way. SSA is taking the sloppy “SMS is your only option and must be used on every login” way — that disenfranchises large numbers of their users.
I live overseas and although it does not even consider this as an option (why would anyone live anywhere else!), I bet they won’t text foreign numbers. Short-sighted, last minute, bureaucratic idiots.
Exactly as @Rebecca says, I live overseas, and if SSA will only send texts to US phone numbers, I’ll be completely unable to use this system. I believe this would encompass several million US Social Security participants who live outside of the US.
Lauren, as soon as you have any official announcement – which would hopefully include some contact details – please let us know, so that we can apply our weight against a policy which would disenfranchise us.
thank you.
You get an error on the phone number
Ah, just found it:
https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html
“We encourage our customers who will not be able to access their personal my Social Security account without a cell phone to visit our website at http://www.socialsecurity.gov/agency/contact to learn about other ways to contact us to access their benefits information.”
I sent a complaint through the Contact Us form.
Also now linked from the main post.
Thanks for the link and info Jay, have also sent complaint through Contact form. Let us know if you hear back and will do the same.
SSA replied with “we had ta do it and we hope ta fix it l8r”. (Okay, so, they didn’t speak/write like that, but it sure felt that way).
Note, I was able to set up a Google Voice phone number by temporarily co-opting a US-side mobile phone (and then un-linking that mobile phone from my Google Voice account), and on the Google Voice phone number I *can* receive (by email!) the SMS messages sent by My Social Security to login.
But of course that’s WAY beyond a) reasonable, and b) the wherewithal of many people.
My email to SSA from this link: http://www.socialsecurity.gov/agency/contact
This is a complaint:
So, in order to protect??? our privacy, we will now be forced to provide the Social Security Administration with our cell phone number or we won’t be able to access our “My Social Security” account online? It sounds to me like this is more like an invasion of our privacy by our government rather than protection of our privacy. So, why can’t SSA use security questions, etc. as additional authentication just like banking sites do? I am beyond livid regarding this new requirement. I would appreciate a response! Thank you!
In practice, good 2-factor authentication is actually a very good thing. The problem is that SSA has screwed up the implementation. They should have given far more warning. They shouldn’t be relying only on text messaging, which is generally considered not to be secure and that NIST only a few days earlier announced they would no longer recommend. Other ways to do 2-factor include authentication apps and automated voice phone calls (among others) — the latter in particular can reach virtually anyone even if they don’t have a cell phone or use text messaging. Also, a good 2-factor system won’t require you to use it on every login — it should be able to “remember” that you’re already authenticated on a particular computer (that’s how Google does it). SSA just messed it all up. I should add that security questions are only really applicable in account recovery scenarios — not routine login scenarios — and are widely considered to be a very poor security measure that smart firms are already dropping.
Not just not on any login… it shouldn’t be required at all to “browse” your data (they could avoid displaying personally identifying information such as SSN, address, even name). Then for changing things (signing up for social security, changing address, bank account, email address, etc.) which are likely to be rare, either require stronger authentication at that point or the person can revert to older methods such as visiting the local office.
This is sooo idiotic! Seniors are surely the most likely to not be participating in texting. I know what it’s like just to get some seniors on the web, the long learning curve to find any comfort. They’re just making things more difficult, if not impossible, for many dear people, who need no more frustrations.
It’s 2016, and this is all the reprobate minds in government can come up with, and, if anything, they should be making access easier. It’s not just seniors, either, but anybody with an online account: poof, locked out! It really is moronic and reprehensible. On the other hand, there won’t be anything left in the Social Security fund, once the Neanderthals in Washington with such ideas have run the course they’re on, anyway. If I’m not mistaken, the “trust” fund was long ago looted by Congress, has an I.O.U. sitting in it.
Probably some cell phone companies are slipping politicians cash or paying for sex tourism vacations. Best government money can buy!
SSA sent me an email yesterday (7/29) about an upcoming SMS authentication requirement. It went into SPAM and I thought it must be some kind of phishing scam. I forwarded the email to their abuse notification address after I couldn’t find any online announcements about this. Plus I had read that this kind of 2-factor security system has serious vulnerabilities.
So today when I tried to sign into mySocialSecurity, it demanded a text capable cell phone number. I guess I’ll have to give it to them but I can’t believe these people are making this mandatory immediately with no alternative methods offered. What are they thinking?!
This is simply disgusting, did the cell phone companies pay somebody in the SSA to force the use of a cell phone on citizens that don’t want it?
Multifactor Authentication can be implemented with other means and does not need an unsecure cell phone. Cell phones are the most unsecure devices. Who the hell made that decision on the head of all US citizens?
When I received the email from SSA (my husband did not receive notice yet) I thought it was a scam of sorts. Went to the SSA site and attempted to log in for online account info and it requires a cell and text capability. Gee, it isn’t even August yet. I completed their survey. To proceed in this manner without any public service announcement, and, nothing on the social security site until you attempt to log in, is unprofessional and severely lacking in communications. Senior citizens are one of our most vulnerable populations, to require cell phones and texting to “protect” the security of their info is ludicrous. Is there no accountability, communications within our government?
Yesterday I went to sign in on my SSA Account to download a copy of my benefits letter and I got the page demanding my cell phone number to sign in (I never received the email stating about this new security step). I entered my number and two minutes went by then another two minutes and I never received the text message with the security code. I thought this wasn’t going active until August (Monday). I sent an email to SSA letting them know of my login issue with never receiving that code by text. Did anyone else have this same issue?
I tried to do the same this morning. Same result. Requires you to enter cell phone #. If you do, remember that you must have text messaging permitted for your cell phone account. I don’t use text messaging. Thus it’s a problem in my case.
I had the exact same problem, did the website review and also sent email expressing my frustration with their screw up.
I’m having the same problem David. Not receiving the code! Very frustrating!
I had the same problem, turns out SSA can’t send a text via the Verizon network which is also used by Tracfone and others. Who knows how long it will take the geniuses working for SSA to patch this cluster—k.
I don’t have an issue with the cell # requirement in general, I’ve had mine set up with SSA for a # of years already. However when I tried to log in this morning, and of course the site required that I accept a text code that I’d need to enter in order to continue, the text code never came. I waited 10 minutes, which is when the code expires, then clicked the link to resend a new text code. The 2nd text code also never came. I text all the time, so my phone is not the issue, it receives texts daily. But since the SSA codes never came, I am unable to access my info at this time. Great… guess I’ll try again later??????? I need to get in and update my email address, they are sending emails to an account that has been closed down, but I’m fortunately temporarily still able to receive those emails so I got a reminder to update that site’s email info. Somehow missed it when we relocated.
So the way they’re going to prevent “H4kk3rz” from breaking into people’s Social Security account records to commit identity fraud is to make them find an account that doesn’t have a cellphone number associated with it and enter a burner phone number to get a text message, locking out the person whose account it really is? Is Social Security at least checking that the same number doesn’t get used more than once or twice?
Aside from the security issues, and the “old people don’t always know how to use cellphones” aspect, Social Security is primarily intended to keep old people from being severely poor, but many of them still don’t have spare money, and may not think it’s worth spending $40-50 to get a phone and phone number just to check their account on line, especially since cheap phone minutes tend to expire and you might not need the thing again until next year.
I have the same issue…after 30 minutes of frustration, I discovered they are unable to send text messages to Verizon customers. Our tax dollars at work again…or are these our social security dollars being wasted???
On the infrequent occasions when I log into the SSA portal, each page typically takes minutes to render. Minutes. I expect that each page request goes into some massive queue. It’s no surprise to me that whatever machinery they have sending SMS messages is overloaded to a similar degree. But it’s unacceptable.
This new SSA requirement is typical of ignorant Government officials imposing regulations which are not only Unconstitutional, but actually reduce security protection of sites and communications.
Free software to actively “Hack” SMS and MMS messaging is readily available on the internet.
I’d respectfully suggest readers email, phone or write their Congressional Representatives to express their displeasure with this new SSA requirement.
I think the ‘official announcement’ could be considered what was emailed, the link to: https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html doesn’t really give any detail & only talks about their so-called reasoning & about MFA. SSA is not using/implementing MFA correctly. Banks & other institutions have taken advantage of it for years (in an appropriate manner) and give users a CHOICE ie. use email, a landline or any phone #, or use a keycode – SSA is not providing a choice. They send an email only 2 days before it’s to take effect 8/1 and it has already taken effect yesterday on 7/30, their site is down today 7/31 for maintenance. They are limiting access to the SSA site and may be providing some added security for those who have cell service, and cell phone, and a cell phone with text – but there are many ways to provide more security — require password change every 4-6 months, provide a login history, provide the option to limit login to a geographic area, be notified by email when an account is logged in to. My small community credit union offers all of these features and more, but our SSA has ‘implemented’ MFA in the most incompetent manner, someone needs to take IT101. I teach college comp sci and am looking forward to using this as an example of how something should not be done & how it can happen even in big government, which is the last place we’d hope it wouldn’t. Rather than drawing more users to their site (main objective) they are steering more traffic to their phones & office locations. Great job SSA, congrats on a complete failure. Failing to plan is a planned failure – and you have accomplished that.
Here is a copy of the email that was sent out which contains what I consider to be information on what they are doing – https://www.bogleheads.org/forum/viewtopic.php?t=196278
Update: I was finally able to access My SSA Account. I had done some research online and found out from other people having trouble with the new security code text login procedure that they were having to use their secondary phone number they use for Google Text. Luckily, I have a secondary phone I have on hand for those times I don’t have signal or my primary phone is turned off. Well, I inputted this phone number and I received the text code in less than 2 minutes. Hopefully knowing this will help others having login issues.
The Web site now indicates that Verizon customers are unable to receive the text message with the access code. Great to see our tax dollars at work again…or are these our social security dollars “not working”?
This is what is on the web site:
We have added an extra layer of security for our customers when they interact with us online using the my Social Security suite of services. my Social Security account holders are now required to use their cell phone, in addition to their username and password, as an additional authentication factor during online registration and every sign in. We are working to fix a problem that is preventing Verizon wireless customers from receiving the cell phone security code. Verizon wireless customers are unable to access their personal my Social Security account at this time. Read more about the new authentication process…
Out of curiosity, people who are getting the texts – are they coming from a real number or short code, or from an email address?
Verizon Wireless does significant rate limiting on their vtext.com gateway per SMTP server and they are also extremely strict on SPF record validation. I have had to help the Coast Guard with their own similar program (fortunately internal) where they were running up against similar rate limit and SPF checking. I bet they went the “cheap way out” and are just trying to use e-mail->SMS gateways.
Alex
(VZW network tech)
I use Verizon Wireless. On 7/9 I completed the enrollment for 2FA at SSA, and everything still worked for a second “test” login. All of this was before the latest foofaraw that SSA will be requiring 2FA for all logins. Yesterday (7/31) when I tried to log in I get no text messages. Today I get a not-so-helpful “We’re sorry…. We cannot process your request at this time. Please try again later.
If you need immediate assistance: please contact us.” Calls to SSA and ask for Help Desk are summarily dropped cuz “none of our agents are available right now”. Nice going SSA.
Another expat here. I’ve drawn this matter to the attention of Democrats Abroad, an advocacy organization for expats that’s represented in the party and in Washington, hoping the group will take it up. (Republicans have no such organization.)
Some people where I live have no mobile phone reception at home, because of the topography of our region.
I have tried the following several times, with the same result each time.
Entered username and password.
Entered cell phone number.
Clicked on “Get Text Message”.
After a few seconds, the following message appears:
“We’re sorry… We cannot process your request at this time. Please try again later.”
My father-in-law uses my pc to check his SSA. He doesn’t own a cell phone. Now he will have to give my cell to get texts. Techs know texting is not secure. He must give up his privacy and security because he is on a fixed income and not a techie? Not fair, (hmmm… is this discrimination, too?)
BTW, Verizon has been delivering my texts up to 24 hours late. When does the SSA access code expire? Can’t get mine set up anyway, so point might be moot.
UPDATE: IRONIC! Went to logon to my account today… Yes, they had me enter my cell phone to receive the SMS… BUT (and here’s the ironic part!) THEY NEVER SET UP THEIR OUTGOING SMS!
SO NOBODY CAN LOGON ANYMORE!
I called ssa this morning and was told verizon wireless is not letting texts through. I find this so unprofessional on SSA, my husband I are both disabled and need this information so we can copy it to apply for certain services. The tech had no idea when it will be resolved and nothing more I can do.
Some things are simply impossible to get. As somebody pointed out, should people on fixed incomes, many making a choice between medicine and food, have a cellphone expense? The cheapest service you’ll find is going to run around $100 a year to maintain. For what, pray tell? An annual look at your Social Security statement, if you’re even that enthusiastic? To apply for benefits online, a once in a lifetime event, at the cost of $1,000 over the next ten years?
The SSA website has no good videos, music downloads, no bizarre news, unless it’s some press release of theirs, and they don’t even sell used books or discount vitamins. What makes them think people are going to pay like that, to access a website that’s near useless, when they won’t pay for useful websites? And is anybody going to ripoff money at their website? Again, if even there were any real account jeopardy, they don’t have any money in the first place, as Congress ripped the “trust” fund off, a long time ago. They should have been worrying about congressmen hacking the system, had some safeguards in place to protect the fund from being wiped-out by a different sort of identity theft, like running off with the entire agency, instead of trying to get Grandma on a cellphone she’s reached to near death, without ever needing, who, as it stands, struggles with a TV remote.
You cellphone companies, who’ve sent government officials on trips for some free sex tourism, do you think you’ll break even, that you’re going to find the multitudes rushing out to get cellphones, to be able to use the SSA website? How much did Consumer Cellular pay such a ridiculous commercial?
Thanks for publishing this.
My wife and I are locked out now with no warning.
We live in the woods of Alaska. There are no cell phone towers here. We will never have a cell phone. No one even considered people like us. When I called them, they just said, “Tough luck.”
No soup for you
I guess
Today I received an email from SSA: “We’d like to remind you to review your Social Security Statement online. The Statement has important Social Security information and, if applicable, estimates of your future benefits. To view your most recent Statement, please visit http://www.socialsecurity.gov/signin and sign into your account. With instant access to your Social Security Statement at any time, you will no longer receive one periodically in the mail, saving money and the environment. Thank you for Going Green!”
So following the above direction, I go to the MySocialSecurity website, start to log in, then hit the “you have to have a text-enabled cell phone to login” brick wall. What SSA bureaucrat would come up with a process to block seniors from getting access to their account? Guess all their 20 something and 30 something friends have this technology.
Yes, I’ve already contacted my local congressional offices in this regard.
The SSA says that most Americans have cell phones, so this requirement should be no burden. But where are the statistics on ownership (and use!) of text-enabled cell phones by Social Security recipients (the disabled and those of us 62+)? Penetration of text-enabled (and users of such) cell phones in this population has to be much (vastly?) lower than in the age 18-62 general population. Many older SS recipients use computers and email but do not use text-enabled phones. We must now buy one to access our My Social Security accounts (and, to add insult to injury) at our expense for expensive text messages. This is simply a new tax on the elderly, many of whom cannot possibly afford it. And this is no small matter. Have you ever been the victim of identity theft and therefore had to change your SS direct deposit account immediately? Have you ever moved, suddenly, due to a natural disaster and had to change your account address with the SSA? Have you ever been to a SSA office and experienced the awful wait times? How about trying to make a change to your SS account on the phone?! This requirement is just nuts for many (most?) SS recipients. AARP, Congress where are you on this issue?!
I have 2 thoughts on this.
1. I’ve never accessed ssa.gov. I already get my disability benefits by ACH, and the yearly tax statement etc comes in the mail. Why would this affect anybody already in the system?
2. This seems to be in violation of the ADA (Americans with Disabilities Act). or is EHS not yet recognized in this country as a disability…?
I will never use a cellphone.
Let’s see…
1. We were happily getting paper Social Security statements.
2. We cooperated and signed up for MySocialSecurity.
3. They thanked us for “Going Green” and cut off our paper statements.
4. Now they cut many of us off from the website unless we cave into this demand.
5. The least they could do is give us back our paper statements, which we can’t even sign in to request (if it’s even possible there).
I’m told that SSA has removed the mandatory cell phone access requirement that was strongly criticized in this original posting. I appreciate that SSA has now done the right thing in this case. Perhaps in the future they’ll think these things through better ahead of time!
Aaaaaand, SSA botched even the removal! They turned off the cell phone additional authentication step that I had so painstakingly set up (using Google Voice).
How **** incompetent are these people? They screwed up by setting the initial requirement for everybody (despite the evident problems with it).
Then they screwed up again by deleting 2-factor for some of us who had either chosen to or found a way to enable it!
One likely possibility is that orders came from “on high” to blow the requirement away as fast as possible, and the simplest way to do that probably meant resetting the entire 2-factor system.
For info, following email rec’d from SSA yesterday:
“On July 30, 2016, we began requiring you to sign into your my Social Security account using a one-time code sent via text message. We implemented this new layer of security, known as “multifactor authentication,” in compliance with a Presidential executive order to improve the security of consumer financial transactions. SSA implemented the improvements aggressively because we have a fundamental responsibility to protect the public’s personal information.
However, multifactor authentication inconvenienced or restricted access to some of our account holders. We’re listening to your concerns and are responding by temporarily rolling back this mandate.
As before July 30, you can now access your secure account using only your username and password. We highly recommend the extra security text message option, but it is not required. We’re developing an alternative authentication option, besides text messaging, that we’ll begin implementing within the next six months.
We strive to balance security and customer service options, and we want to ensure that our online services are both easy to use and secure. The my Social Security service has always featured a robust verification and authentication process, and it remains safe and secure.
We regret any inconvenience you may have experienced.
There is no requirement that you access your personal my Social Security account as a result of the steps we are taking. However, when you do access your account, we encourage you to sign up for the extra security text message option.”
I’m now told that they plan to try again starting in early June, this time offering both text messaging AND email one-time login codes. They note that everyone who uses SSA online is required to have an email address anyway. This is true, and this approach will provide some additional security, but I’ll bet that email delivery delays and related problems once again turn this into a mess. In other words, they’re still doing 2-factor in a Mickey Mouse way.