Or: When Security Isn’t.
I recently got an email from the good folks at the Social Security Administration (SSA). They have added a feature that requires you to type in a security code that they text to your phone every time you want to log in to your “my Social Security” account.
On the face of it, this sounds like a good thing. But it isn’t. Let me count the ways…
- Texts are inherently insecure. SMS travels unencrypted across the carrier network, so it can be read by your network operator and phone provider, and a code sent to a phone number goes to whoever controls that number at the time, not necessarily to you. Exposing a one-off secret this way (say, to validate a new device) is a limited risk because it happens once; sending a fresh code on every login exposes every login, which is ridiculous.
- Not everyone has free texts. In order to keep my unlimited data plan (Thanks Verizon!) I have to pay for every text I send or receive. As a result I have texts disabled and use data-based chat apps (like Signal and Threema) to text with friends and family. This means that I cannot use any text-based system.
- It’s a cheap solution. Texting codes is not security done right; it is security done cheap. There are better ways to do this. One is a code-generator app such as Google Authenticator, which computes a time-based one-time password (TOTP, RFC 6238) from a secret shared once at enrollment, so nothing secret crosses the carrier network on each login. Another is a hardware token such as a YubiKey.
- You have no choice: “If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.” Translation: Do it our way or leave. Email or voice notification would work fine… but they aren’t offered.
Only the Government could get away with something like this; any private organization that had such a “my-way-or-the-highway” attitude would soon find themselves shuttered. Some other options would be a good idea. Even the option to eschew two-factor authentication entirely is a valid choice if the user is advised of the risks.
Where’s the “Give-me-my-money-back” button?