On August 1st, 2016, Brian Krebs posted an article on his blog about The Social Security Administration (SSA) and their new “two factor” authentication system. It’s definitely worth reading, but I’m going to summarize a few points:

  1. The SSA is requiring cell-phone based two-factor authentication on all existing accounts on the website ssa.gov.
  2. These requirements do not apply to creating accounts, so bad guys can still steal identities from the uninitiated.
  3. As a demographic, older Americans are the least likely to be comfortable with SMS, so many legitimate users are inconvenienced.

Krebs notes the primary reason for the changes are for compliance:

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

I am always suspicious of security “features” that emerge because of compliance mandates. It is very easy to find a solution that checks the box without ensuring that it actually solves the problem, or solves it well.

There are a couple of other issues that lead me to believe this may be something of a “checks the box” kind of solution.

First, although the gap is decreasing, the current 65+ demographic uses their mobile devices considerably less than the other age groups. In other words, they are the group that can most easily have their device stolen without notice. While Grandma is in the hospital for a week, untrustworthy family and/or caretakers can access the device quite easily. Although I have no numbers to prove it, I also imagine that the 65+ demographic is also the most likely group to share their credentials with other parties.

In short, this is the least effective age group for this kind of two-factor authentication technology.

Second, many security researchers are beginning to think that SMS-to-phone codes aren’t really two-factor authentication at all. Note this quotation from the linked Wired article:

“SMS has turned that ‘something you have’ into ‘something they sent you,'” says Zdziarski. “If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.”

As a reminder, when we talk about “two factor” authentication, that does not mean any two security measures. For example, having two passwords is not considered “two factor.”

The word “factor” refers to the traditional triumvirate of authentication factors used in computer security:

  1. Something you know (e.g.,  a password)
  2. Something you have (e.g., a unique physical element like a key)
  3. Something you are (e.g., your thumb print)

The most common factor for authentication is “something you know” in the form of a password. For two-factor authentication, the second factor must be either something you have or something you are. In theory, the SMS message to your phone is a second factor authentication of something you have because it is supposed to prove that you have your cell phone. But as security researchers point out, cell phone numbers are very poorly tied to the device.

So, is the SSA’s “two factor authentication” system security theater or not? I’ll refrain from reducing a complex problem to a simple moniker. Nevertheless, I suspect that it’s more successful as a compliance mechanism than in meaningfully reducing known risks to Social Security benefit recipients.