Skip to main content
close search
site logo
Dive Brief

How the Social Security Administration boosted secure user access

Published Sept. 15, 2017
By
Associate Editor
CC0 Public Domain Free for commercial use No attribution required Pexels

Dive Brief:

  • The Social Security Administration uses authentication access controls for internal and external users to guard points of access to sensitive information, said Marti Eckert, CISO of the SSA, at the 2017 Forrester Privacy and Security forum in D.C. Thursday. Multi-factor authentication is required for all employees and end users in order to access agency applications.

  • The agency offers in-house security measures such as mandatory security training for all employees and contractors, personal identity verification cards and role-based information access. Additional integrity protections block employees from accessing their own information.

  • Half of retirement and disability claims are started online, so secure access through multi-factor authentication is necessary. The majority of users opt to receive a one-time code via SMS, while 38% use email. Eckert recognized the flaws of SMS-based delivery systems and said the agency is looking into other methods for the future such as federated identity and biometrics.

Dive Insight:

The SSA pays out $900 billion annually to more than 60 million Americans, on whom it has sensitive information such as social security numbers, lifetime income, benefits, bank account numbers and addresses, said Eckert. The 1,500 offices, 80,000 employees and one-quarter million devices on the agency’s network create countless points of contact with potential security risks to private data.

In January, the SSA decided to limit mailed paper statements to Americans aged 60 and above, requiring the majority of users to inevitably move to the agency’s online platform. But changes to the online platform, such as adding multi-factor authentication, are difficult to roll out with so many users.

The agency began two-factor authentication last fall, but had to quickly roll back the effort after widespread user complaints over the use of SMS, said Eckert. The SSA rolled out email and SMS features this June.

President Donald Trump’s executive order this spring placed the burden of responsibility for cybersecurity and privacy on the heads of federal agencies. According to Ecker, for the agency that boasts "security is our middle name," the mandate did force it to significantly rethink its cybersecurity approach.

Multi-factor authentication is now used in other government agencies. The United States Department of Veterans Affairs requires multi-factor authentication, and users with verified accounts can access more restricted or proprietary services requiring confidence in user identity.

Multi-factor authentication is one of the most straightforward technical approaches to making user account logins more secure. The executive order did not require its use by agencies, but many are likely to adopt the strategy as they bolster system security.

Editors' picks

Company Announcements

View all | Post a press release
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Newgen Recognized in Gartner® Magic Quadrant™ for Enterprise Low-code Application Platforms Fi…
From Newgen Software
October 30, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell