USACM Notes Concerns with Proposed SSA Online Authentication Process

By David Bruggeman

Like many federal agencies, the Social Security Administration (SSA) is trying to provide more services in a time of limited resources. As part of its efforts to better serve the public, the SSA is working on an online authentication system to help ensure that the people it is interacting with online are indeed the people they claim to be, and qualified for the services they are requesting.

To address the first part, the SSA submitted a notice of information collection that is connected to online authentication. The intention is to issue a User ID for everyone seeking to access SSA services online, and several ways to authenticate that identity. (People will still be able to access services in person or over the phone.)

USACM responded to the notice with some concerns over the proposed authentication system. While USACM is encouraged by additional attention to authentication for online services, the proposed system is insufficient.

The information that SSA proposes to collect is, with a little bit of work, publicly available. As described in the comments, the E-Verify self check program suffers from the same problem. It’s not sufficient to use personally identifiable information to provide authentication. Such information must not be widely known or easily knowable. A similar problem comes up in the authentication process. Having a text message sent to a number the person provides can let them know when the account is accessed, but it does nothing to confirm for SSA that the person receiving the text message is the person accessing the account.

USACM’s comments are generally applicable to any information collection intended for authenticating identity.