login.gov

[zxcvbob]

Last couple of times I've accessed my social security account, they've encouraged me to sign up for a login.gov account for authentication.  I turn 65 in November and just submitted my application for SS and Medicare starting in November.  It looks like soon they will require login.gov.

So I looked at login.gov and if I understand it right they require a 3rd-party 2FA authenticator app.  They recommend Google Authenticator, 1Password, and OTP Manager.  I'm not sure if that's an exhaustive list or if there are others.

Anybody know how this works?  How trustworthy are these apps?  For the time being I am grandfathered to use my userid, password, and a 2FA code sent to my phone.  Needing to have my phone handy is kind of a pain; I'm one of those weird people who doesn't have a phone permanently attached to their body, plus if I lose my phone I don't want to lose access to all my accounts until I find it or get a new one.

[K Frame]

Hum... Interesting.

I'm already using Microsoft Authenticator, but I've not used any of the others. Authenticator works just fine for me.

[Ben]

I hadn't signed in to SS in a while, but just hopped over and saw that I now had the option to use my original SS ID or login.gov. I already have a login.gov account for my uncle sugar stuff, and it just asked me to link the accounts, which was just verifying information, going through a half dozen stupid screens and activation codes, then it linked the accounts and let me in.

I don't have any kind of authenticators installed on my computer - I just go straight to the web pages that require the login.gov ID and enter my credentials.

[cordex]

Anybody know how this works?  How trustworthy are these apps?  For the time being I am grandfathered to use my userid, password, and a 2FA code sent to my phone.  Needing to have my phone handy is kind of a pain; I'm one of those weird people who doesn't have a phone permanently attached to their body, plus if I lose my phone I don't want to lose access to all my accounts until I find it or get a new one.

Multifactor authentication is a really good idea.  Especially for financial accounts.  It provides significant protection against an attack where the attacker is able to compromise the password ... so long as you don't fall for follow-on social engineering attacks.  Yeah, it's not as convenient, but the security tradeoff is massive.  If you have anything worth protecting in an account and it supports MFA you should absolutely use it.

I use Microsoft Authenticator and Google Authenticator myself, but there are other options available as well.  The applications tend to be simple and easy to use.  Some have push notification so when you log in you receive a notice on your phone to approve or block the login.  Others simply require you to provide a 6-9 digit one time passcode that is constantly changing.  Some accounts will allow you to set up multiple MFA authenticators (SMS, additional authenticator apps on other devices, printable one time passcodes, etc.) if you are concerned with being too reliant on a given device.

Also, there is typically a process to recover access to an account if your only authenticator device is lost.

[dogmush]

My login.gov is tied to my CAC card for 2FA, but I do remember seeing some e-mail traffic that some form of 2FA would be mandatory in the near future.

If you don't have a CAC, then the Authenticator app is secure, and pretty easy to use. I have used Microsoft Authenticator and Google Authenticator and they both work fine. 

It may be annoying to need to have your phone handy to login, but it's a result of increasingly capable attacks on our cyber portals.  It is what it is, and folks will need to get used to multi factor authentication to get in to any websites with important data, or that are linked to computer systems with important data.

[Ben]

I must not be understanding something about the authenticators. To be clear, just like on my regular financial accounts, I can't login to SSA or any of the login.gov accounts until I'm sent a security code on my phone. I didn't install separate software for that, Login.gov just does it, and I turned on 2 factor authentication on all the financial accounts manually from the preference settings on those pages.

[dogmush]

Login.gov offers a variety of 2FA options for people.

https://www.login.gov/help/get-started/authentication-methods/

You appear to have text set up as 2FA.  login.gov says thus on that:

Text messages/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers, and other attacks.

If you choose to use this less secure option, enter a phone number at which you can receive phone calls or text messages. If you only have a landline, you must receive your one-time code by phone call. Login.gov cannot send one-time codes to extensions or voicemails.

Authenticator apps tend to be a more secure option because they (at least Microsoft Authenticator, Google Authenticator, and my .mil specific Authenticator) use biometrics to unlock, so there's not a password to be cracked.  Social engineering is still a thing, as Cordex mentioned.

[lee n. field]

Last couple of times I've accessed my social security account, they've encouraged me to sign up for a login.gov account for authentication.  I turn 65 in November and just submitted my application for SS and Medicare starting in November.  It looks like soon they will require login.gov.

So I looked at login.gov and if I understand it right they require a 3rd-party 2FA authenticator app.  They recommend Google Authenticator, 1Password, and OTP Manager.  I'm not sure if that's an exhaustive list or if there are others.

Anybody know how this works?  How trustworthy are these apps?  For the time being I am grandfathered to use my userid, password, and a 2FA code sent to my phone.  Needing to have my phone handy is kind of a pain; I'm one of those weird people who doesn't have a phone permanently attached to their body, plus if I lose my phone I don't want to lose access to all my accounts until I find it or get a new one.

I use Google Authenticator for a bunch of stuff.  Works, backed up to your Google account, so set it up on a new device and the list repopulates.

[lee n. field]

I hadn't signed in to SS in a while, but just hopped over and saw that I now had the option to use my original SS ID or login.gov. I already have a login.gov account for my uncle sugar stuff, and it just asked me to link the accounts, which was just verifying information, going through a half dozen stupid screens and activation codes, then it linked the accounts and let me in.

I don't have any kind of authenticators installed on my computer - I just go straight to the web pages that require the login.gov ID and enter my credentials.

It's not installed on a computer.  It's installed on something else.

2FA --> something you know (password) + something you have. (for most people phone)

[cordex]

SMS is drastically better than no MFA, but not as good as an authenticator app for the reasons dogmush already mentioned.

[Ben]

Okay, I guess I'll need to research the authenticator apps. Google would probably be the most convenient for me, dangit, just as I'm trying to wean myself from Google.

[K Frame]

I have 2 factor for all of my personal financial accounts, but I really wish they they would transition over to authenticator because of of the security issues.

However, I use an encrypted text messaging service. I'm not sure if that's outgoing only or if incoming messages are also encrypted and, if they are, if it enhances the security of the 2FA process.

[K Frame]

Okay, I guess I'll need to research the authenticator apps. Google would probably be the most convenient for me, dangit, just as I'm trying to wean myself from Google.

Google and Microsoft CEOs laugh evilly...

He has to pick one of us...

 WE WILL OWN HIS SOUL!

[Ben]

Google and Microsoft CEOs laugh evilly...

He has to pick one of us...

 WE WILL OWN HIS SOUL!

I'm George Costanza!

https://youtu.be/xJpVyMAlPBs

On the tangent, Ben from ten years ago would be ruthlessly making fun of current Ben for not knowing anything about authentication software. I used to be the guy you went to to ask about stuff like this. Ever since retirement, I've become Johnny Lawrence. 

https://youtu.be/6KGam9wzcEQ

Sometimes I think it's a bad thing, sometimes I think it's a good thing. 

[zxcvbob]

Google and Microsoft CEOs laugh evilly...

He has to pick one of us...

 WE WILL OWN HIS SOUL!

🤣 Exactly my thoughts.  If I pick biometric authentication, where is the bio data stored?  And if it's uploaded to Microsoft do they share it with .gov?  Hopefully it is not stored at all; it's one-way encrypted and then *that* is stored and used as a private key, or something like that

[MillCreek]

I had to use Microsoft Authenticator to log on to the network at work.  I assume that I can also use it for other accounts.

[dogmush]

🤣 Exactly my thoughts.  If I pick biometric authentication, where is the bio data stored?  And if it's uploaded to Microsoft do they share it with .gov?  Hopefully it is not stored at all; it's one-way encrypted and then *that* is stored and used as a private key, or something like that

It's stored locally on your phone.

[HeroHog]

I use my YUBICO USB key I wear around my neck. A backup is stored in my safe.
https://www.yubico.com/products/security-key/

[K Frame]

My company, and my customer, have just gone to RSA tokens for authentication on the networks.

Bit of a pain in the butt because I know need to carry two RSA tokens on my employee lanyard.

Two weeks after I got the company RSA token it did a runner and disappeared. Couldn't find it, so I had to replace it. A few days later my neighbor texted me asking if the RSA token he found in our parking lot was mine. Yep. I was hoping that it still worked, but it had gotten run over and only half the numbers showed up.

So, I took a cue from a coworker and got a badge/RSA token holder from Etsy: https://www.etsy.com/listing/1099414548/updated-for-2024-dual-token-holder-plus?ref=yr_purchases

Nice piece of kit and pretty darned cheap. And it came with a VERY durable retractable cord (cord is wound wire).

Now, though, I hear that we're going to be getting RSA tokens for our classified company networks. That means I'll have an additional two RSA tokens.

Jesus.

[K Frame]

As part of my intent to work with a financial advisor as I get closer to retirement I had to log into my social security account.

I created an account prior to 2021, so I could log in using the old protocols, but I decided to upgrade and ended up signing up for login.gov and downloading Google Authenticator.

It was, overall absolutely seamless.

I did run into one minor connundrum in that login.gov said I already had an account. I don't remember signing up for one, but I changed the password and got everything squared away without too much trouble.

[JTHunter]

MFA may be a good idea but it is a lot simpler (and safer) to just not have that electronic access.

[230RN]

I'm really almost clinically paranoid now about stuff like this lately because I've been bombarded with fake appeals which I can usually check out on the net.

So I get the following e-mail in its entirety and I have one question:

Is it legit?

[quote[

Important Changes to Access Your Social Security

Social Security Administration <subscription.service@subscriptions.ssa.gov>
Jul 19, 2024, 5:21 PM (2 days ago)
to terry

social security administration
Important Changes to Access Your Social Security Account!
Soon you will no longer be able to sign in to your online Social Security account using your Social Security username and password. To access Social Security online services, including my Social Security, you will need to create a Login.gov or ID.me account. 

This change simplifies your sign-in experience and aligns with federal authentication standards while providing safe and secure access to our online services. 

If you are one of the millions of account holders who already use Login.gov or ID.me account to sign in, you do not need to take any action.

To transition your account, please go to “Sign in” at the top of our website and select “Sign in with Social Security Username.” After successfully signing in you will be asked to create an account with Login.gov. Login.gov has 24/7 customer phone and chat support to answer your questions and, if needed, help you with creating your account.

After you successfully link your Social Security username with your new Login.gov account, you will see a confirmation screen and be directed to the service you were attempting to access. You can start using your new Login.gov account to access Social Security online services immediately. Your old Social Security username will no longer be available.

Sign In to Your Account
[/quote]

Paranoid because of ignorance.  Hey, that's the way it goes at my age.  Apologies in advance.

Terry

[zxcvbob]

I'm really almost clinically paranoid now about stuff like this lately because I've been bombarded with fake appeals which I can usually check out on the net.

So I get the following e-mail in its entirety and I have one question:

Is it legit?

[snip]

yes it's legit.  I haven't decided how I'm going to do it; I don't really like either option, perhaps out of ignorance.

[K Frame]

If you're worried about the origin of the e-mail, go directly to the Social Security page at ssa.gov

Don't go through any links in the e-mail.

[230RN]

OK, thanks, good enough.  I also dislike all this "registering" and "signing up," and "logging in," but that's 2024 AD, United States of America.  I've got nothing to hide, there's just a vague principle involved that I can't put my finger on.

I don't think either of my parents had SSNs.  I had to get mine when I got my first job in a supermarket when I was in my mid-teens, as well as a City work permit.

I was surprised when Son1 was born, that "thenadays," they issued "the soash" at birth, and they also took a footprint of the baby.  That latter was a good idea, though.

Aren't there a couple of things in the Bible about "numbering the people?"

But "We register cars, why not people?"

Muchas Danke.