Here in the United States, the Social Security Administration (SSA) gives us an opportunity to view our Social Security records, so that an error won’t subsequently cause us to lose some of our retirement benefits. In recent years, SSA would mail everyone a statement about once a year. But they have recently switched to an online system.
In order to access the online system, you need to create an account and go through a process called identity proofing to securely associate that account with your Social Security records. For most people, the identity proofing process involves a verification of your credit records (which contain your Social Security Number) and answering some questions to verify that’s who you are. But my wife and I several years ago placed a “freeze” on our credit records to minimize the chances that an imposter would open an account in our names. As a result of that freeze, we weren’t able to use that identity proofing process.
The alternative for us was to go to our local Social Security office for in-person identity proofing. We’re fortunate in that we live just a few miles from the nearest office; this might be quite a burden for some (there are just over 1200 SSA offices nationwide, but some people live far from them, nevertheless).
So my wife and I went to our local office today to get identity proofed. This was our second visit, because we didn’t allocate enough time to wait for service on a previous attempt. After returning to the car to offload my much-too-dangerous Swiss Army Knife, we each took a number.
We were called after about 45 minutes. I did my best not to let on that I was going through this partly as a research project; I wanted to get the standard treatment. I was quite impressed with the thoroughness of the process: I presented my driver’s license and told the agent my Social Security Number. He asked a few questions to further confirm my identity: my city of birth and my father’s and mother’s full names. He did a fair amount of work on his computer, which included entering my street address and phone number.
He then read me a verbal Terms of Service: it was short, and basically said things like that if I used the account fraudulently, they would take it away. There is also apparently a further Terms of Service to agree to when I get to the website (why do we need two?). He also asked me if I was interested in Extra Security: “You may want to add extra security to your account if you have been a victim of domestic violence or identity theft, or have any other reason to believe you need extra security.” I guess my other reason is that I’m interested in secure authentication; it will send an 8-digit code to my cell phone when I access my account. This is definitely not foolproof, as others have found, but worth having, so I signed up for it.
He then went to his printer, retrieved 3 pages of instructions, and we were done. The instructions included one-time activation codes for creating my account and adding 2-factor authentication to it (I was surprised that he didn’t enter my cell phone number while I was there). According to the instructions, another copy of the same document will be mailed to me as well. I’m not sure why, and it seems like an unnecessary security risk.
After we left, I compared my experience with my wife’s. She hardly spoke with the agent handling her identity proofing, was not asked any questions about parents’ names or birthplace, and was not offered the Extra Security. Obviously the ceremony isn’t very well standardized.
Upon returning home we both tried to create accounts using our new activation code. The website (http://ssa.gov/setup) times out when trying to access it. I have sent a comment to the website, and hopefully it will be fixed well before January 4, 2015 when the activation code expires.
Update (11/6/2014): The website timeouts seem to be a network problem we experience because we are using IPv6 from home. [Technical details: Path MTU detection seems to be broken on the Social Security website, and we’re on a tunneled IPv6 connection so our MTU is smaller than usual.]
When I signed in initially, I had to accept Terms of Service at least twice more, and had to answer three “security” questions for account recovery. It’s silly to have all sorts of requirements about identity proofing and password strength when the backup question might be, “What was the name of your first pet?”
Update 2 (1/16/2015): I worked with the folks at Social Security to solve the IPv6 problem I had accessing the website. I have described this in another blog post.