Update to New Online Security
Reading Time: 1 MinuteLast Updated: November 3, 2023
On July 30, 2016, Social Security began requiring new and current my Social Security account holders to sign into their account using a one-time code sent via text message. This second layer of security that requires more than a username and a password is known as “multifactor authentication.” We recently mandated this second layer of security to comply with the President’s Executive Order on Improving the Security of Consumer Financial Transactions. We implemented it aggressively because we have a fundamental responsibility to protect the public’s personal information.
Our aggressive implementation resulted in some of our customers being unable to access their personal my Social Security accounts. We listened to the public’s concerns, and have temporarily rolled back this mandate.
As before July 30, current account holders will be able to access their secure account using only their username and password. We highly recommend the extra security text message option, but it will not be required. Now, we are developing an alternative authentication option, besides text messaging, that we will implement within the next six months.
We strive to balance security and customer service options, and we want to ensure that our online services are both easy to use and secure. The best way to secure your information is to create a personal my Social Security account. If a person already has an account, a fraudulent attempt to create an account would be unsuccessful. The my Social Security service has always featured a robust verification and authentication process, and it remains safe and secure.
We regret any inconvenience you may have experienced. Open or access your personal my Social Security account today.
Did you find this Information helpful?
Tags: my Social Security, my Social Security account
See CommentsAbout the Author
Comments
Comments are closed.
WILLIAM B.
I am unable to receive text message, therefore I never received the text for the advanced requirement for Social Security I.D. necessary for the new requirements.
Thank you.
William B. Gould
R.F.
hi William. We removed the requirement to use a cell phone to access your #mySocialSecurity account. While it’s not mandatory, we encourage those of you who have a text capable cell phone to take advantage of this optional extra security, which has always been available. We continue to pursue more options beyond cell phone texting. We apologize for any inconvenience you may have experienced.
Susan
Some of the people who posted either don’t speak or read English, or don’t comprehend the language. The post says they are stopping the cell phone texting security option until they can figure out something better in the next 6 months in response to the complaints, yet many posts are stilll complaining about it as if it were still happening. They should have involved those receiving SS by asking how many had cell phones or were able to receive texts, or were planning to do so, but they instead just everyone had cell phones and would be able to use this option. They need to get out in the real world and see that cell phones are not desired by a lot of people. Maybe the millenials are the majority who have all the latest technology, but how many of them have income to support their usage of the technology?
dave j.
It’s simple, they monitor all cell phones routinely, and the layer of security refers to theirs, not your, it gives them another layer of spying on the people of America,they need to keep their fingers on the web as a spider, to react in defense against a government by the people, for the people they need to spend their time on fixing social security, and simple put back the money they sole from all of us~!, it would be more than a solvent account, able to do what it was designed to do, the only reason we have to deal with issues all the time, and not receive our cost of living every year[for those that earned it, not refugees and illegals~!] is because they continue to steal from it, I can’t wait to get a president, and congress and senate, that puts the American interest over all~!, we don’t want a global government, we have chosen the constitution as our rules.We don’t want a failed experiment, no socialism~!!my2¢
Sharon
Thank you so much for changing this. I cannot get any cellphone reception from my home, so am looking forward to your new authentication procedures that hopefully include a phone call to my home line that DOES work.
R.F.
Hi Sharon. We removed the requirement to use a cell phone to access your #mySocialSecurity account, while we continue to pursue more options beyond cell phone texting. We apologize for any inconvenience you may have experienced.
Bill
It’s great that the text response MFA has been rolled back. Several folks advocate email. Both text and email have similar problems – forcing a use of a separate application (email) or device (text). Additional authentication can be far more simply and easily achieved by allowing users to compose a series of 1 sentence challenge questions and answers in their user profiles. These would not be canned questions that the IT departments chooses. Another option is choosing a graphic from a substantial group, one of which was selected by each user and recorded in their profiles. These all allow good challenge/response security options without forcing ‘out of band’ multi-factor authentication.
Lane L.
I looked up the basic definition of multifactor authentication which is “a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know); possession (something they have), and inherence (something they are).”
It seems that MFA doesn’t take place with either the challenge questions or use of graphics when the user enters log on credentials since all represent the “knowledge” category. I can see where SSA came up with the cell phone requirement as that met the “possession” thus MFA is correctly implemented. Unfortunately as we have all seen, too many of us do not have cell phones with text capability for this cell phone requirement to be realistic.
Using email address to send the code should satisfy the “possession” category. After all, smart phones can launch both the browser and the email client in addition to serving as “a cell phone with text capability.”
It would be interesting to see what solution SSA comes up with.
Lane L.
As for the “inherence” category, this is satisfied by “some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.”
This category could not be satisfied in this situation since that would require biometric scanners in addition to the varying transmission speeds of packets through the Internet. Not only that, but I would not consent to installing software on my end to monitor and transmit keystroke activity regardless of whoever has the reins of government at the moment. /wink
Lane L.
I was thinking of typing speed and such when referring to how packets may travel through the Internet and how long each packet takes. I am sure a programming solution can be arrived at to account for this, but that seems to me “programming for programming’s sake not adding any real value …” – and again I would not install such software on my machines. Nah.
Lane L.
> Using email address to send the code should satisfy the “possession” category.
An email account has to be set up. It is tangible – and under the control of the accountholder.
A compromised email account is like having the cell phone stolen. Same difference.
R.F.
We appreciate your comments. We listened to the public’s concerns. We are responding by removing the requirement to use a cell phone to access your personal my Social Security account. While it is not mandatory, we encourage you who have a text capable cell phone to take advantage of this optional extra security, which has always been available. We continue to pursue more options beyond cell phone texting. Thanks!
Lane L.
Arthur Schwarz’s post below indicates use of email address is problematic according to NIST standards for OOB and 2FA authentication. Given this, it would be interesting to see what solution SSA eventually comes up with.
Claire
It is very disturbing that you are considering only those with phones that have texting capabilities as a security measure. What are those of us who don’t have “smart phones” and don’t have texting capability are going to do to get into our accounts?
I agree that you spend all this money putting something in place that lots of seniors who are older don’t have the capability to do, or are not able to understand what it all means.
It would be far better to put that money towards an increase in our S.S. checks which certainly don’t even come close to covering all our expenses and are sometimes the only incomes we have! Rather a waste of your and our time and our money!!!
Robert Y.
As long as your require the use of a cell-phone the new system is defective. [Thousands of users are now no longer able to use the online system.] What about land-line users? What about the use of an e-mail address? If the latter two methods are acceptable to major banks and brokerage firms, it should be acceptable to Social Security.
Sharyn
Social Security aren’t the only ones using that method !!!
James J.
Sad to say in this day and age that where I live we do not have cell phone service. So to us cell phones are no good. No service No phone
Robert Y.
I’ve already brought this defect to the SSA. I’ve also brought this defect to the attention of my US Senator. Perhaps more non-cell phone users need to do the same.
Fahmi N.
I am going to keep saying this hoping that somebody will read my comment and maybe revisit the subject of online accessibility for American who live overseas and have no current US address. I think multifactor authentification is great, but I can not see how type of address will add or subtract from account security.
Please take a look at this unfair exclusion, of not permitting people with no US address to enjoy benefits of online access to their accounts. Thank you.
Tom
You are 100% correct. Why is it that my credit card companies and US banks will accept my overseas cell phone number for authentication but the My SS system only accepts 10 digit phone numbers so it is impossible to include the country code with the cell number? Surely there is a quick fix for this, that is, unless they are TRYING to exclude overseas My SS account holders.
R.F.
Hi Fahmi! We want to assure you that we are constantly exploring ways and working hard to improve the services we offer. Your feedback is greatly appreciated!