Bad two factor authentication

Being “of a certain age” there are times when logging into the Social Security website becomes necessary. Their login requires you to enter a code they will either email or text to you. The code expires 10 minutes after they send it. I assume this is an attempt at two factor authentication.

The Email Option

If you chose the email option, the email is sent to the address in your account. This is good as it requires you have access to both the password to your Social Security account and your email account. With decent password management it will require the impersonator to gather more information about you making the task harder.

But the email containing the login code may come from any number of mail servers. In my mail server’s log file I counted three different naming schemes with number suffixes into the high teens. So basically the email is coming from what could be considered a random server and will bounce off the greylisting facility of my mail server. Postgrey whitelisting seems to require fully qualified domain names, so I can’t wild card their servers.

As long as their arbitrary sending email server retried before the login code expired you might have a chance to use email for your Social Security. But their servers seem to wait more than 10 minutes to retry so by the time you get the code, it has expired. So this form of two factor authentication is worthless as it will never work for a person with an email account on a server running standard anti-spam greylisting.

The Text Option

The other option it to get a text with the code. But since there is no phone number associated with my account, they give a form to enter the cell phone number to send the text to. This is it a total fail as far as two factor authentication is concerned: All you need is a person’s Social Security password and a throwaway cell phone to get access to their account. It is no better than simply allowing you to log in with a password alone.