Sep 6, 2016

That Two Factor Authentication Fiasco Was Even Worse Than You Thought

     Last month Social Security introduced two factor authentication for its online systems. Claimants would have to enter a password and then enter a second passcode delivered to them via a text message in order to enter Social Security's online systems. Social Security had to beat a hasty retreat two weeks later as senior citizens protested that they didn't have text access.
     As embarrassing as the two factor authentication seemed, the reality was even worse. Computerworld reveals that in the same month that Social Security introduced two factor authentication, the National Institute of Standards and Technology warned federal agencies not to use two factor authentication.
     Social Security is still requiring two factor authentication for attorneys using its online systems. Can we now dispense with that?

3 comments:

Anonymous said...

Two factor authentication (password plus cellphone) is more secure than one factor authentication (your password). If you would like your communications with SSA to be less secure please say so to your clients first.

NIST said SMS-based authentication is not as secure as other second factors, not that it is worse than no second factor at all. The point of their report was to find better second factors (ever see someone carrying a little beeper-like device that puts out random numeric codes every few minutes? When you log in you have to enter the code currently showing on the device or you don't get in. That's more secure than SMS).

Mandating a 2nd factor for everyone was an obvious mistake; requiring it for professional attorneys is a no-brainer.

Anonymous said...

Charles, next you'll be complaining about how access to SSA is not secure enough.

Anonymous said...

I promise not to pretend to be a lawyer if you pretend not to be a computer security professional. And your headline writing has become very Fox News-like.