Or: When Security Isn’t.
I recently got an email from the good folks at the Social Security Administration (SSA). They have added a feature that requires you to type in a Security code that they text to your phone every time you want to log in to your “My Social Security” account.
On the face of it, this sounds like a good thing. But it isn’t. Let me count the ways…
- Texts are inherently insecure. They can be read by your network operator and phone provider. Due to the sheer number of texts passing through the system, this is not such a problem when a one-off secret is transmitted via text (say to validate a new device), but requiring this every time you want to log in is ridiculous.
- Not everyone has free texts. In order to keep my unlimited data plan (Thanks Verizon!) I have to pay for every text I send or receive. As a result I have texts disabled and use data-based chat apps (like Signal and Threema) to text with friends and family. This means that I cannot use any text-based system.
- It’s a cheap solution. Texting codes is not security done right, it is security done cheap. There are better ways to do this; one is to use a code generator like Google Authenticator. Another is to use a hardware token like a Yubikey.
- You have no choice: “If you do not have a text-enabled cell phone or you do not wish to provide your cell phone number, you will not be able to access your my Social Security account.” Translation: Do it our way or leave. Email or voice notification would work fine… but they aren’t offered.
Only the Government could get away with something like this; any private organization that had such a “my-way-or-the-highway” attitude would soon find themselves shuttered. Some other options would be a good idea. Even the option to eschew two-factor authentication entirely is a valid choice if the user is advised of the risks.
Where’s the “Give-me-my-money-back” button?