Slashdot Mirror


Under Fire, US Social Security Site Changes Security Policy Again (vortex.com)

Long-time Slashdot reader Lauren Weinstein writes: I'm told that the Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

4 of 37 comments

  1. Re:Social Security is basically 100% insecure by Anonymous Coward · · Score: 5, Interesting

    I wonder how many Slashdot users have dealt with user IDs. Either inheriting a crappy User ID system, or implementing their own User ID system. We've all done it probably dozens of times. Reserving enough address space and/or expanding a crappy field into a large enough field is basically second nature to us all.

    So why can't the government of the most wealthy country on Earth come up with a better User ID? We can't say it is because they have so much invested in the old system -- because there is no old system. The old system is crappy user id+birthday+random security questions -- and it still doesn't work.

    Seriously, how can this have gone on for half as long as it has?

  2. Re:Why does nobody get second factor right? by 93+Escort+Wagon · · Score: 4, Interesting

    The main issue I've run into with all of this is the lack of interoperability - one bank I deal with actually used to offer hardware tokens, albeit from a company I didn't know; my web host supports Google Authenticator; a different bank supports a different soft token; etc. As two-factor authentication gains traction, the annoyance / confusion factor grows.

    So I can see why SMS "two-factor" has gained steam. Almost everyone has access to it, and it's intuitive.

    It would be great if a broad consortium of Internet companies (which would have to include Apple, Google, Microsoft, Amazon - plus perhaps the Apache Foundation - at a minimum) would get together and agree on a single standard, or perhaps one acceptable hard token and one acceptable soft token protocol which everyone would support.

    Normally I'd say this is exactly what the government should be driving; but very few of us here would trust them on this anymore... and if we don't trust their solution, it would be DOA.

    --
    #DeleteChrome
  3. Re:GPL: Intellectual Theft by clovis · · Score: 4, Interesting

    As a consultant for several large companies, I'd always done my work on
    Windows. Recently however, a top online investment firm asked us to do
    some work using Linux. The concept of having access to source code was
    very appealing to us, as we'd be able to modify the kernel to meet our
    exacting standards which we're unable to do with Microsoft's products.

    You've made a verbatim copy of a post that is at least 14 years old. It may even be older than you are.
    https://groups.google.com/foru...

  4. Cell = no way by markdavis · · Score: 3, Interesting

    Any "security" system that requires disclosing my cell/mobile phone number is an instant and total FAIL. And I am certainly not alone in protecting that which would become the single most annoying device ever (if/when compromised/harvested by marketers).

    I find it fascinating how many businesses and sites now seem to think they have an absolute right to know our cell/mobile phone numbers. Not home, not work, but specifically cell/mobile. I usually have to lie to them and either put in my work number or make up a number. Obviously that won't work if they are trying to use it for text verification.