New Online Security
Reading Time: 2 MinutesLast Updated: November 3, 2023
We’ve added an extra layer of security for our customers when they interact with us online. Now, my Social Security account holders are required to use their cell phone — in addition to their username and password — as another authentication factor during online registration and every sign in. An authentication factor is information used to determine if someone is who they claim to be.
This extra layer of security is called “multifactor authentication” and complies with an executive order requiring federal agencies to provide more secure authentication for their online services. Any agency that provides online access to a customer’s personal information must now use multifactor authentication.
Since my Social Security became available in May 2012, almost 26 million people have created an account. We have always offered multifactor authentication, but only for customers who opted for extra security. For your protection, we now require multifactor authentication for all my Social Security users. To register and sign in, you must now enter a security code that we will send to your cell phone. Your cell phone provider’s text message and data rates may apply.
Our research shows that an overwhelming majority of American adults have cell phones and use them for texting. Because of technical and resource constraints, we are not currently able to offer alternative methods of satisfying this security requirement. However, we may consider adding more options in the future. We appreciate your patience as we work continuously to secure your online information.
We’re committed to using the best technologies and standards available to protect our customers’ data. Multifactor authentication is just one of the ways we’re ensuring the safety and security of the resources entrusted to us. Visit my Social Security to learn more about this helpful suite of online services, including additional details about our latest security measures.
Did you find this Information helpful?
Tags: my Social Security, my Social Security account
See CommentsAbout the Author
Comments
Comments are closed.
CValner
Not a well thought out plan with very little warning, blocking millions of Social Security recipients from accessing their own online SS account. The vast majority of seniors on Social Security have never texted in their life. Many on fixed income don’t own smart phones, though they probably have basic less-expensive cell phones. Others live in areas with limited cell phone reception, or outside the U.S., or have health or financial issues that prevent them from owning or using cell phones. Others simply don’t want to give out their cell phone numbers for privacy or security reasons. I get enough email spam without inviting cell phone spam. Before, text verification was merely an opt-in choice. Now it is mandatory if you want to use your own SS online account. Most of those posting on the Social Security Administration Facebook page are complaining bitterly about it both to SSA and their Congressmen. Feel free to do the same.
Dennis K.
I’ve had a “my Social Security” account for a long time, which SSA urges everyone to sign up for, to “go green” and to use the special advantages of the online service. There is NO CELL SIGNAL where I live. So you have effectively booted me out of the system, and unjustly so for several reasons. For example: now that I have a “my Social Security” account that I cannot access, apparently I no longer have access to statements except by voice phone request, since your TOS says, “When you create a my Social Security account, you will no longer receive a paper Social Security Statement in the mail.” So you have stated plainly that I will no longer get a statement, but the TOS says you’ll send me notice that there’s one available online, that I can’t get to anymore. The things you brag about being available online that are not available otherwise, are now denied me, after I signed up at your constant urging. About your “other contact options:” when I called SSA after receiving the notice that I was dumped, I spent an hour on the phone, 55 minutes of it on hold, then got dropped. Everybody knows this is not an uncommon experience with all sorts of “phone support” services, government and otherwise. So much for phone contact. As for postal mail or email, concerned as you are about security, I’m sure you would not advise anyone sending their social security number and other identifying information that way, which would be necessary to make any inquiry about my Social Security account. So the “other contact” methods you’ve left me with are not reasonable alternatives to the online service you took away from me and countless others in this unjustly rejected minority living outside your “overwhelming majority of American adults,” as if minorities don’t matter in this country, and as if the government is allowed to deny them service provided to the majority. By the way, a code sent to a cell phone does not prove one’s identity, only that they are in possession of SOMEBODY’S cell phone that they said was theirs. Your TOS does not say I have to own the cell phone or its number (which many people don’t or can’t, but could use another person’s phone to comply with your demand for one. What if someone else’s cell phone is the only one available to a subscriber? Do you run checks to find out whose cell phone number users give you, to confirm it belongs to the subscriber? Your TOS says, “We use the information you give us to verify your identity against our records. We also use an external Identity Services Provider to verify your information against their records.” So, do you attempt to verify who owns the cell phone number? That would be silly, right,l since many people legitimately use phones not registered in their names. So it’s silly to require this form of authentication, because it does not identify a person, just a device. I’ve submitted inquiries to congressional authorities regarding the possibility that you have also gone astray of the Rehabilitation Act by potentially denying access to people unable to use cell phones … unless you want to pay for all such current and future subscribers to get cell phone assistive devices.
Omar A.
In numerous replies here, the SSA representative wrote in this boilerplate answer:
“We are limited to text messages for the initial multifactor authentication (MFA) implementation due to technical and resource constraints. ”
“Technical and resource constraints” — do these constrained resources include competence and ability to plan?
Furthermore, SSA says “We may consider adding additional options in the future.”
Pardon me, this is not something for you to do at your pleasure. You should have considered several options that are routinely used by banks and utility companies for MFA, BEFORE attempting to force your current plan on everyone.
CValner
I agree. SSA should have held an open comments period to receive feedback from the major stakeholders before unilaterally making this very poor decision with minimal notice before blocking millions of Social Security recipients from their own online accounts. The vast majority of seniors on SS have never texted in their lives. Most don’t even own smart phones, though they probably do have basic dumb cell phones.
Keith M.
This is RIDICULOUS. I don’t have a cell phone. If the government requires me to have a cell phone to access my SSA account then they should pay for it.
Jim
If other forms of multi-factor authentication cannot be addressed at this time, then you need to go back to single authentication until you can figure out how to do other forms. Or at least make this optional.
CValner
Text code was optional before SSA unilaterally decided with no open comment period or feedback and little to no notice to make it mandatory, thus blocking millions from their own online accounts. I didn’t receive any notice until after it was in effect.
stephen t.
Thank you so much for this comment sense security update.
Karen
I have a MySocialSecurity account, but I rarely access it. I don’t really have any need to. I do have a cell phone and I can text but I’m not going to jump through these extra hoops to access my information. Why not do what my credit union does and require everyone who calls your office about their MSS account to place a ‘secret word/phrase’ that must be given to the CSR upon starting the call. If the caller (me) can’t provide that information, then the CSR (you) won’t give me any information. Easy Peesy. Yes, I have to call you now if I want info on my account, but that’s what your staff is there for anyway. The on-line service is to relieve some of their work load because of the number of people receiving SS benefits or soon to begin. It just seems like an easy and secure alternative to a stupid text code when so many people don’t have the ability to receive a text message or want to be bothered with that extra layer of so-called account security. But, that’s just me, I guess.
Tim J.
You know if SSA provided e-mail as an alternative to a text message, they would probably still ask every time if your e-mail of record is still valid, and give you a chance to provide a new one. No security there.
This whole thing is about checking off a box for compliance to the executive order and calling it done. If you want to build a bridge you have to first do an environmental impact study. Where’s the SSA customer impact study for this turkey? It was, gee we have 2FA optional already, just make it mandatory and check the box. They’ve lost sight of who their customers are.
Julia B.
This is an unreasonable requirement. I do not have a personal cell phone with text capability and should not be required to get one to access my personal information in a reasonable way for the 21st century. Calling to get the information is not a reasonable alternative – I wouldn’t even know what types of questions to ask if I hadn’t used the online account in the past.
There ARE reasonable alternatives. The code could have been sent to a user-provided e-mail address. That two-factor-authentication method is used by at least one bank with whom I do business. It’s annoying, but it’s better than not having online access to my account. E-mail addresses are free. Text-enabled cell phones are not.
Also, I should not be required to provide a telephone number to the federal government for them to link it to my social security account. My telephone number is none of their business.
More incompetence from the federal government.
Robert G.
I just want to add my comment. I do not have a cell phone, and I am almost 65 years old. Why should I have to spend the money to buy a cell phone and pay for cell service just to access my account? Social Security is supposed to serve people in their 60s and older primarily, yet those are the people who are least likely to have cell phones capable of receiving text messages.
This is one of the most insensitive and stupid policy decisions that I have ever seen a federal agency make.
I have complained to my Senators and congresswoman about this, but I hope SSA will be able to develop other means of authentication (such as email and landline) for sending codes.