Social Security describes new online public credentialing and authentication process
In an announcement published in today’s Federal Register, the Social Security Administration requested comments and feedback on a proposed information collection method. Specifically, Social Security is exploring what the best way will be to identify citizens who who wish to access more electronic services benefit information online.
NextGov reported the driving need for this system yesterday: Social Security statements will go online …someday. According to Alan Lane, the agency’s associate chief information officer for open government, the agency has are no specific service plans at this time – nor is there a firm deadline for the statements going online. The Federal Register notice has much more detail and is quoted at length below.
Here’s some additional background, before you dive into the announcement below. For an agency like Social Security, taking careful steps into the Information Age isn’t just wise: it’s mandatory. The agency has enormous amounts of confidential data about American citizens. Rushing online holds considerable risks but carefully engaging there will be inevitable if Social Security is to embrace Gov 2.0.
In 2011, the Social Security Administration ranks as the largest government program by dollars paid in the United States federal government. It surpasses even discretionary defense and Medicare/Medicaid spending in the federal budget. As the 21st century dawns, new technology and a mandate for open government from the Obama administration provide an opportunity for the Social Security Administration to “reboot its relationship with the American people,” as its CIO, Frank Baitman, put it last last year.
Whether Social Security can better deliver on its mission through adopting social media, more data, better e-services and mobile technologies is an open question. Authentication and credentialing of citizens online is an important part of that progress. Online identity is a matter of plumbing, so to speak, but getting it right is no less important than real plumbing in a house.
Leaks are potentially catastrophic.
That’s why the United States national strategy for online identity is both complex and worth watching. Citizens and government alike need this to work if e-government services are to match their offline components. Getting this wrong would be disastrous, given the rise of identity theft across the nation.
Given how many more of those citizens will be retiring in the years ahead, providing e-services may not be a “nice-to-have” option. According to Social Security’s estimates, by 2036, there will be almost twice as many older Americans as today, from 41.9 million to 78.1 million. They’ll want to access their information online. Today, we learned a bit more about how the agency is thinking about getting there.
1. Social Security’s Public Credentialing and Authentication
Process–20 CFR 401.45–0960-NEW. Social Security is introducing a
stronger citizen authentication process that will enable a new user to
experience and access more electronic services.
Authentication is the foundation for secure, online transactions.
Identity authentication is the process of determining with confidence
that people are who they claim to be during a remote, automated
session. It comprises three distinct factors: something you know,
something you have, and something you are. Single-factor authentication uses one of
these factors, and multi-factor authentication uses two or more of
Social Security’s new process features credential issuance, account
management, and single- and multi-factor authentication. With this
process, we are working toward offering consistent authentication
across Social Security’s secured online services, and eventually to
Social Security’s automated telephone services. We will allow our users
to maintain one User ID, consisting of a self-selected Username and
Password, to access multiple Social Security electronic services. This
new process: 1) enables the authentication of users of Social
Security’s sensitive electronic services, and 2) streamlines access to
- Issue a single User Identification (ID) for personal,
business, and governmental transactions;
- Offer a variety of authentication options to meet the
changing needs of the public;
- Partner with an external data provider to help us verify
the identity of our online customers;
- Comply with relevant standards;
- Offer access to some of Social Security’s more sensitive
workloads online, while providing a high level of confidence in the
identity of the person requesting access to these services;
- Offer an in-person process for those who are uncomfortable
with or unable to use the Internet registration process; and
- Balance security with ease of use. New Authentication Process Features:
SSA’s new process will include the following key components: (1)
Registration and identity verification, (2) enhancement of the User ID,
and (3) authentication. The registration process is a one-time activity
for the respondents. The respondent provides some personal information,
and we use this to verify respondent identity. Respondents then select
their User ID (Username & Password). Respondents will log in with this
User ID each time they access SSA’s online services. SSA will also
allow respondents to increase the security of their credential by
adding a second authentication factor.
- Social Security Number (SSN)
- Date of Birth
- Address–mailing and residential
- Telephone number
- Email address
- Financial information
- Cell phone number
- Responses to an identity quiz (multiple choice format
questions keyed to specific data identity thieves will not be able to
- Password reset questions
This collection of information, or a subset of it, is required for
respondents who want to conduct business with Social Security via the
Internet or our automated 800 number. We will collect this information
via the Internet on SSA’s public-facing website. We also offer an in-
person identification verification process for individuals who cannot
or are not willing to register online. We do not ask for financial
information with the in-person process. In addition, if individuals opt
for the enhanced or upgraded account, they will also receive a text
message on their cell phones (this serves as the second factor for
authentication) each time they log into SSA’s online services.
This new authentication strategy will provide a user-friendly way
for the public to conduct extended business with Social Security online
instead of visiting the local servicing office or requesting
information over the phone. Individuals will have real-time access to
their sensitive Social Security information in a safe and secured web