The Social Security Administration uses authentication access controls for internal and external users to guard points of access to sensitive information, said Marti Eckert, CISO of the SSA, at the 2017 Forrester Privacy and Security forum in D.C. Thursday. Multi-factor authentication is required for all employees and end users in order to access agency applications.
The agency offers in-house security measures such as mandatory security training for all employees and contractors, personal identity verification cards and role-based information access. Additional integrity protections block employees from accessing their own information.
Half of retirement and disability claims are started online, so secure access through multi-factor authentication is necessary. The majority of users opt to receive a one-time code via SMS, while 38% use email. Eckert recognized the flaws of SMS-based delivery systems and said the agency is looking into other methods for the future such as federated identity and biometrics.
The SSA pays out $900 billion annually to more than 60 million Americans, on whom it has sensitive information such as Social Security numbers, lifetime income, benefits, bank account numbers and addresses, said Eckert. The 1,500 offices, 80,000 employees and a quarter-million devices on the agency’s network create countless points of contact with potential security risks to private data.
In January, the SSA decided to limit mailed paper statements to Americans aged 60 and above, which will inevitably move the majority of users to the agency’s online platform. But changes to the online platform, such as adding multi-factor authentication, are difficult to roll out with so many users.
The agency began two-factor authentication last fall, but had to quickly roll back the effort after widespread user complaints over the use of SMS, said Eckert. The SSA rolled out email and SMS features this June.
President Donald Trump’s executive order this spring placed the burden of responsibility for cybersecurity and privacy on the heads of federal agencies. According to Eckert, the mandate did force the agency, which boasts that "security is our middle name," to significantly rethink its cybersecurity approach.
Multi-factor authentication is now used in other government agencies. The United States Department of Veterans Affairs requires multi-factor authentication, and users with verified accounts can access more restricted or proprietary services requiring confidence in user identity.
Multi-factor authentication is one of the most straightforward technical approaches to making user account logins more secure. The executive order did not require its use by agencies, but many are likely to adopt the strategy as they bolster system security.