Sunday, September 11, 2016

Limits of cyber security

A couple months ago I received an email from Social Security stating that they were enhancing online security. In the future, in addition to logging in with a user name and password, a one-time code sent by text message would be required.

I thought at the time this was going to be a problem. It requires that anybody with an online Social Security account also have a cell phone and know how to receive a text message. This for an agency which primarily deals with older Americans who are less likely to be proficient in multiple new technologies.

Sure enough, I received a new email the other day. There were too many problems with the new text message requirement, so Social Security is backing it out. The text message authentication is now an option which they encourage users to enable.

As it is, Social Security's online rules don't make sense. Most people don't need to frequently log into Social Security. Those younger than retirement age should log in once a year to check their earnings record. Those who have retired still don't need to log in often. Social Security payments are paid by direct deposit and the related tax statement is sent by postal mail.

So given that most people should log into Social Security once a year, what has been the Social Security policy for at least the last 5 years or so? Passwords expire every 6 months. If one logs in once a year, one must change the Social Security password every login.
