Yubikey and the Social Security Administration

Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Yubikey and the Social Security Administration

Post by JohnFiscal »

ETA: an update re: SSA site at post # 8

I was excited today when logging into the "My Social Security" account to see that they provide an option to log in using the "login.gov" method that is used for passports, Global Entry, some FINCEN sites, etc. This was exciting news! I could log into the SSA with my Yubikey and existing login.gov account.

I was able to log in via my credentials with login.gov and my registered Yubikey. At this point I was at the SSA site and was prompted for further identity validation (presumably a one-time thing) using 3 items: (1) a state ID (driver's license, etc.), (2) [I have to admit, I don't recall what this was and the SSA site is down for maintenance right now], and (3) a telephone number affiliated with one's identity (Google Voice will not work). This is pretty similar to the ID validation to set up my IRS account, to the best of my recollection.

Once set up this should provide a quick and easy entrance into "My Social Security" without having to wait for the code sent to phone or email. I'm not certain that the "code" method can be turned off; if not, then it's possible for someone to hijack entry into the account, just as with an sms code.
Last edited by JohnFiscal on Sun Sep 19, 2021 10:54 am, edited 1 time in total.
Northern Flicker
Posts: 15289
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey and the Social Security Administration

Post by Northern Flicker »

Some or all cell carriers send an sms code to a phone to authenticate a phone number port or sim swap from that phone. If an attacker can read your sms for this purpose, the attacker already has your sms 2FA channel without further ado.

You do need to turn off display of texts without unlocking the phone so that a lost or stolen phone does not display text codes to someone who has it in their possession.

This is still not as secure as a yubikey with no fallback to sms, but SMS 2FA is much less problematic than it used to be if sim swaps and phone number ports are authenticated by sms 2FA.
oldcomputerguy
Moderator
Posts: 17878
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Yubikey and the Social Security Administration

Post by oldcomputerguy »

JohnFiscal wrote: Fri Sep 17, 2021 11:52 pm Once set up this should provide a quick and easy entrance into "My Social Security" without having to wait for the code sent to phone or email. I'm not certain that the "code" method can be turned off; if not, then it's possible for someone to hijack entry into the account, just as with an sms code.
I'm using the "code" method for my SS account, with the code sent to my Gmail account. That account is in turn secured with two non-SMS methods, Yubikey and Google Authenticator.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey and the Social Security Administration

Post by anon_investor »

oldcomputerguy wrote: Sat Sep 18, 2021 5:47 am
JohnFiscal wrote: Fri Sep 17, 2021 11:52 pm Once set up this should provide a quick and easy entrance into "My Social Security" without having to wait for the code sent to phone or email. I'm not certain that the "code" method can be turned off; if not, then it's possible for someone to hijack entry into the account, just as with an sms code.
I'm using the "code" method for my SS account, with the code sent to my Gmail account. That account is in turn secured with two non-SMS methods, Yubikey and Google Authenticator.
So you can turn off SMS based 2FA for your "My Social Security" account?
oldcomputerguy
Moderator
Posts: 17878
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Yubikey and the Social Security Administration

Post by oldcomputerguy »

anon_investor wrote: Sat Sep 18, 2021 6:29 am So you can turn off SMS based 2FA for your "My Social Security" account?
I believe so. I don't get SMS from them at all, but my wife does on her account. (I tried logging in just now to confirm whether turning off SMS was indeed an option, but their site is down at the moment. :annoyed )
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey and the Social Security Administration

Post by anon_investor »

oldcomputerguy wrote: Sat Sep 18, 2021 6:33 am
anon_investor wrote: Sat Sep 18, 2021 6:29 am So you can turn off SMS based 2FA for your "My Social Security" account?
I believe so. I don't get SMS from them at all, but my wife does on her account. (I tried logging in just now to confirm whether turning off SMS was indeed an option, but their site is down at the moment. :annoyed )
At least that means no one else can get into your account right now either. :P
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

This method isn't great for me though. In fact, with my particular situation it will be more trouble than I can actually execute.

To set up access through login.gov the SSA site wants a state issued ID (no problem), a second item that I don't recall (no problem), and a phone number associated with my name, all in order to have myself recognized as myself. It is the last item, the phone, that's the problem. The IRS also has a requirement for the phone when setting up an account. They don't accept Google Voice (or other VOIP numbers) and they didn't like my small company cell phone account. I had to settle for the option for a PIN postal mailed for the house. I imagine the same thing will occur with the SSA log in.

The PIN by postal mail won't work well for me either (my postal mail is forwarded to my sibling in the US while I am now residing in another country. I don't even know if the SSA mail would be forwarded, it might say "Do Not Forward"). I had to go through this with the IRS to set up my account there and eventually it worked and continues to work well.

I find all this validation of identity interesting. I've had to do all sorts of this here in Canada in the past month, to prove that I am myself, that I'm not a terrorist, or funding terrorists, or laundering money (though I have been known to iron paper bills in the distant past).
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

An update about the SSA site. After a lot of downtime the last few days it seems that now they are promoting use of the Login.gov procedure; it is promoted to a prominent spot on the log in page. And the "old" registrations are shown as "Accounts created before September 18, 2021"

In fact, it may seem that new registrations are now only being done through Login.gov or the alternate ID.me that they've had for some time.

Likely this is much more secure in both initial registration and on-going log-ins. OTOH, I think it's going to frustrate a lot of people.
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

Now that I am finally into the site it seems they have made a lot of changes to the information available. Probably a major event for the SSA site.
Kenkat
Posts: 9539
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: Yubikey and the Social Security Administration

Post by Kenkat »

JohnFiscal wrote: Sun Sep 19, 2021 12:03 pm Now that I am finally into the site it seems they have made a lot of changes to the information available. Probably a major event for the SSA site.
I got an email a few days ago from social security inviting me to log in and see my new, redesigned statement so I suspect you are correct.
beyou
Posts: 6868
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Yubikey and the Social Security Administration

Post by beyou »

Logged in the old way and it worked fine.
Don’t see differences though I am not collecting yet.

No interest in using yubikey.
Why does this matter ?
The only risk is if someone could change your direct deposit I would think. Can someone really do this to an account not in your name ? Doesn’t SS notify you and delay to ensure you are aware of and approve of the change ?
anon_investor
Posts: 15111
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey and the Social Security Administration

Post by anon_investor »

beyou wrote: Sun Sep 19, 2021 12:48 pm Logged in the old way and it worked fine.
Don’t see differences though I am not collecting yet.

No interest in using yubikey.
Why does this matter ?
The only risk is if someone could change your direct deposit I would think. Can someone really do this to an account not in your name ? Doesn’t SS notify you and delay to ensure you are aware of and approve of the change ?
Sounds like everything is moving towards Login.Gov.
beyou
Posts: 6868
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Yubikey and the Social Security Administration

Post by beyou »

anon_investor wrote: Sun Sep 19, 2021 12:50 pm
beyou wrote: Sun Sep 19, 2021 12:48 pm Logged in the old way and it worked fine.
Don’t see differences though I am not collecting yet.

No interest in using yubikey.
Why does this matter ?
The only risk is if someone could change your direct deposit I would think. Can someone really do this to an account not in your name ? Doesn’t SS notify you and delay to ensure you are aware of and approve of the change ?
Sounds like everything is moving towards Login.Gov.
I don’t see any reference to this.
https://www.ssa.gov/myaccount/
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

The "new" My Social Security has a lot of new, intriguing features. Even a graphical and tabular control to show your benefits at any age. I found this control locked up in Chrome but worked in Edge; maybe a fluke and I should try again. It was nice that as you created scenarios with taking benefits at different ages they kept all of these in a table; the table clearly shows the effect of the "January rule".

It also has an option to include benefits for a spouse. But I found this to be inaccurate and the control for possible ages of spouse was not ready for prime time due to various errors, in my experience.
Zardoz
Posts: 140
Joined: Thu Sep 24, 2020 12:25 am

Re: Yubikey and the Social Security Administration

Post by Zardoz »

JohnFiscal wrote: Sun Sep 19, 2021 10:53 am An update about the SSA site. After a lot of downtime the last few days it seems that now they are promoting use of the Login.gov procedure; it is promoted to a prominent spot on the log in page. And the "old" registrations are shown as "Accounts created before September 18, 2021"

In fact, it may seem that new registrations are now only being done through Login.gov or the alternate ID.me that they've had for some time.

Likely this is much more secure in both initial registration and on-going log-ins. OTOH, I think it's going to frustrate a lot of people.
Thanks for the heads up on this. It was a good reminder for me to secure my login.gov account with a yubikey. It's unfortunate that login.gov doesn't allow Google Voice numbers but they did let me delete my existing number, so now that account is no longer vulnerable to SIM swap attacks.

I can still login to the https://www.ssa.gov site in the old way, using an email code as the authentication method. (I configured my account to only use email for this, to avoid SMS).

I also tried to login to the https://www.ssa.gov site by using my Login.gov ID but I couldn't get that to work - when I submit the form on the "Please tell us who you are" SSA screen, I get the message below. And then when I follow those instructions I end up back in the same place and it fails in the same way:
An account has already been created with the information you entered.
Select the "Sign in to my account" button below to proceed.
On the next page, enter your username and password or select the "Sign in with LOGIN.GOV" button.
Withdrawal Phase Plan: Equities <= 50% | TIPS, I Bonds | VPW Worksheet | TPAW | Social Security @70
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

This is kind of funny (to me). There is the third option to log into My Social Security using the "ID.me" third party system. I had tried to register for this quite a while ago, I thought it had failed for some reason (not a good phone number, couldn't address credit reports, etc). But for grins I tried it just now and it worked. I had to go through a "video scan" of my face, giving the site permission to use my laptop's camera. This was the funny part, it making some scan. Then it let me right through to the My Social Security (I had previously tapped my Yubikey). I tried again using the Edge browser and it went right through upon tapping the hardware key, no image required. Apparently the image is taken only once as I no longer needed to do this in Chrome.

In any event, my own preference is tapping a hardware key rather than using codes (even though from, say, the Norton authenticator that my Fidelity accounts use instead of sms or email codes).

As an aside, I have handled some Canadian government accounts for my wife's family members for a number of years (rather like IRS and SSA). They provide the alternate option to log in via a "partner website", which are generally large banks and financial firms, you use their log-in credentials.
Last edited by JohnFiscal on Sun Sep 19, 2021 3:05 pm, edited 1 time in total.
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

Zardoz wrote: Sun Sep 19, 2021 1:09 pm
An account has already been created with the information you entered.
Select the "Sign in to my account" button below to proceed.
On the next page, enter your username and password or select the "Sign in with LOGIN.GOV" button.
Be sure to only "log in" using the login.gov method. Do not create a NEW My Social Security account. Maybe this was the issue?
Zardoz
Posts: 140
Joined: Thu Sep 24, 2020 12:25 am

Re: Yubikey and the Social Security Administration

Post by Zardoz »

JohnFiscal wrote: Sun Sep 19, 2021 2:32 pm
Zardoz wrote: Sun Sep 19, 2021 1:09 pm
An account has already been created with the information you entered.
Select the "Sign in to my account" button below to proceed.
On the next page, enter your username and password or select the "Sign in with LOGIN.GOV" button.
Be sure to only "log in" using the login.gov method. Do not create a NEW My Social Security account. Maybe this was the issue?
Thanks, hmm yes, I'm starting at https://www.ssa.gov/site/signin/en/, selecting "My Social Security", then "Sign into my Account", then "Sign in with Login.gov" then "Use Security Key", then Continue, then I see the SSA Terms of Service screen, then the "Please tell us who you are" screen, then I get the above message. I'm not creating a new SSA account but I do have a pre-existing, working account that I can still log into in the old way. And I can login to login.gov in general. It's just that I can't login to my SSA account via the "Sign in with LOGIN.GOV" button.
Withdrawal Phase Plan: Equities <= 50% | TIPS, I Bonds | VPW Worksheet | TPAW | Social Security @70
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

Zardoz wrote: Sun Sep 19, 2021 6:45 pm
Thanks, hmm yes, I'm starting at https://www.ssa.gov/site/signin/en/, selecting "My Social Security", then "Sign into my Account", then "Sign in with Login.gov" then "Use Security Key", then Continue, then I see the SSA Terms of Service screen, then the "Please tell us who you are" screen, then I get the above message. I'm not creating a new SSA account but I do have a pre-existing, working account that I can still log into in the old way. And I can login to login.gov in general. It's just that I can't login to my SSA account via the "Sign in with LOGIN.GOV" button.
That thing is hosed again. It worked for me several times. This morning I tried and got the same situation you encountered; I was using the Edge browser...I couldn't log in by any means using Chrome, just error messages. Both browsers on Windows 10. I was able to log in with the usual username and pw using Safari browser on an iPad.

You'd think they would test this all out pretty thoroughly before releasing.
Topic Author
JohnFiscal
Posts: 1113
Joined: Mon Jan 06, 2014 3:28 pm
Location: US citizen now retired in Canada. Subject to income tax in both.

Re: Yubikey and the Social Security Administration

Post by JohnFiscal »

Zardoz wrote: Sun Sep 19, 2021 6:45 pm https://ssa.tools
From your signature, "https://ssa.tools"

Wow, that is a really nice tool. I see it's been mentioned in Bogleheads a few times in the past but I'd not heard of it, to my recollection.

I myself am a bit beyond using it. I want to wait until I'm 70 to draw benefits, in early 2022, so things are almost set in stone. But for a younger person that looks like a great planning tool. Should get more press around here.
cowdogman
Posts: 2054
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey and the Social Security Administration

Post by cowdogman »

I just tried this.

First, my login.gov account would not let me set up my Yubikey (it's a current USB-A model)--failed multiple times after asking me to touch my key.

Second, I tried to log in to SSA with login.gov, was asked to fill out personal info (which I did), was then told I already had a SS account (which I do), asked me to login with login.gov, repeat, repeat.

Not ready for prime time.

I'm wondering if I have to deactivate my old SS account first.
Last edited by cowdogman on Mon Sep 20, 2021 3:51 pm, edited 1 time in total.
HanSolo
Posts: 2286
Joined: Thu Jul 19, 2012 3:18 am

Re: Yubikey and the Social Security Administration

Post by HanSolo »

JohnFiscal wrote: Mon Sep 20, 2021 9:33 am You'd think they would test this all out pretty thoroughly before releasing.
Hey... that's so 20th century! Cheers...
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
cowdogman
Posts: 2054
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey and the Social Security Administration

Post by cowdogman »

RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
Ok, that worked. Thanks.

One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

cowdogman wrote: Mon Sep 20, 2021 5:48 pm
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
Ok, that worked. Thanks.

One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
Could it be you told it to remember the browser? I’ll check on my end too.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

RubyTuesday wrote: Mon Sep 20, 2021 6:05 pm
cowdogman wrote: Mon Sep 20, 2021 5:48 pm
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
Ok, that worked. Thanks.

One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
Could it be you told it to remember the browser? I’ll check on my end too.
Wow, yes this is a problem. To test, I went to login.gov, logged in, then told it to “forget all browsers” and logged out.

Went to SSA, used login.gov to login (required yubikey), made sure to not select “remember this browser” and accessed my SSA. Then signed out from SSA, went to login.gov and clicked sign in with login.gov and it took me to my profile without requiring anything.

So I still had active session with login.gov.

They need to fix this..
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

FWIW, the same thing happens with the CBP trusted traveler site that you can connect.

If you don’t explicitly sign out of login.gov you are not signed out of login.gov when you sign out of partner site.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
cowdogman
Posts: 2054
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey and the Social Security Administration

Post by cowdogman »

RubyTuesday wrote: Mon Sep 20, 2021 6:12 pm
RubyTuesday wrote: Mon Sep 20, 2021 6:05 pm
cowdogman wrote: Mon Sep 20, 2021 5:48 pm
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
Ok, that worked. Thanks.

One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
Could it be you told it to remember the browser? I’ll check on my end too.
Wow, yes this is a problem. To test, I went to login.gov, logged in, then told it to “forget all browsers” and logged out.

Went to SSA, used login.gov to login (required yubikey), made sure to not select “remember this browser” and accessed my SSA. Then signed out from SSA, went to login.gov and clicked sign in with login.gov and it took me to my profile without requiring anything.

So I still had active session with login.gov.

They need to fix this..
I think "Remember my browser" just allows you to skip authentication in the future--not skip the password! Thanks for checking.
mggray17
Posts: 231
Joined: Thu Feb 11, 2010 7:09 am

Re: Yubikey and the Social Security Administration

Post by mggray17 »

What are the steps to "Delete" the old account?
I didn't see an easy way to do that within the mysocialsecurity account.
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

mggray17 wrote: Tue Sep 21, 2021 7:49 am What are the steps to "Delete" the old account?
I didn't see an easy way to do that within the mysocialsecurity account.
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
I don’t recall for sure where it was originally when I did it… now I find “Deactivate online account” at bottom of Security Settings page. This may be different prior to using login.gov, not sure.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
HanSolo
Posts: 2286
Joined: Thu Jul 19, 2012 3:18 am

Re: Yubikey and the Social Security Administration

Post by HanSolo »

RubyTuesday wrote: Mon Sep 20, 2021 6:12 pm
RubyTuesday wrote: Mon Sep 20, 2021 6:05 pm
cowdogman wrote: Mon Sep 20, 2021 5:48 pm One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
Could it be you told it to remember the browser? I’ll check on my end too.
Wow, yes this is a problem. To test, I went to login.gov, logged in, then told it to “forget all browsers” and logged out.

Went to SSA, used login.gov to login (required yubikey), made sure to not select “remember this browser” and accessed my SSA. Then signed out from SSA, went to login.gov and clicked sign in with login.gov and it took me to my profile without requiring anything.

So I still had active session with login.gov.

They need to fix this..
I'll avoid this until they get it working properly. Thanks for the info.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

HanSolo wrote: Tue Sep 21, 2021 9:51 am
RubyTuesday wrote: Mon Sep 20, 2021 6:12 pm
RubyTuesday wrote: Mon Sep 20, 2021 6:05 pm
cowdogman wrote: Mon Sep 20, 2021 5:48 pm One thing I noticed (and tested it twice): If you log into SSA with login.gov, when you sign out from the SSA site you are NOT logged out of login.gov. I had to go to login.gov, click the sign in button (which took me right to my home page without asking for a password) and then log out. That will need to be fixed.
Could it be you told it to remember the browser? I’ll check on my end too.
Wow, yes this is a problem. To test, I went to login.gov, logged in, then told it to “forget all browsers” and logged out.

Went to SSA, used login.gov to login (required yubikey), made sure to not select “remember this browser” and accessed my SSA. Then signed out from SSA, went to login.gov and clicked sign in with login.gov and it took me to my profile without requiring anything.

So I still had active session with login.gov.

They need to fix this..
I'll avoid this until they get it working properly. Thanks for the info.
While I think they should correct it, you can still use it securely in my opinion. Just sign out of login.gov after using ssa.gov.

The benefits of having a security key are worth it for me.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
cowdogman
Posts: 2054
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey and the Social Security Administration

Post by cowdogman »

RubyTuesday wrote: Tue Sep 21, 2021 8:57 am
mggray17 wrote: Tue Sep 21, 2021 7:49 am What are the steps to "Delete" the old account?
I didn't see an easy way to do that within the mysocialsecurity account.
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
I don’t recall for sure where it was originally when I did it… now I find “Deactivate online account” at bottom of Security Settings page. This may be different prior to using login.gov, not sure.
Log in to MySSA the old way, go to the security tab and scroll down--there is a deactivate account button.
HanSolo
Posts: 2286
Joined: Thu Jul 19, 2012 3:18 am

Re: Yubikey and the Social Security Administration

Post by HanSolo »

RubyTuesday wrote: Tue Sep 21, 2021 9:55 am
HanSolo wrote: Tue Sep 21, 2021 9:51 am I'll avoid this until they get it working properly. Thanks for the info.
While I think they should correct it, you can still use it securely in my opinion. Just sign out of login.gov after using ssa.gov.

The benefits of having a security key are worth it for me.
I agree with the benefits of a security key (I use one with Vanguard), but another priority is to reduce the amount of time I spend working through glitches caused by undisciplined programmers. It's already quite a lot. Waiting until they release a production-quality version of their system is reasonable.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
cowdogman
Posts: 2054
Joined: Sat Dec 16, 2017 6:44 pm
Location: Washington State

Re: Yubikey and the Social Security Administration

Post by cowdogman »

HanSolo wrote: Tue Sep 21, 2021 10:12 am
RubyTuesday wrote: Tue Sep 21, 2021 9:55 am
HanSolo wrote: Tue Sep 21, 2021 9:51 am I'll avoid this until they get it working properly. Thanks for the info.
While I think they should correct it, you can still use it securely in my opinion. Just sign out of login.gov after using ssa.gov.

The benefits of having a security key are worth it for me.
I agree with the benefits of a security key (I use one with Vanguard), but another priority is to reduce the amount of time I spend working through glitches caused by undisciplined programmers. It's already quite a lot. Waiting until they release a production-quality version of their system is reasonable.
I do think it is working properly. It's just that there are no clear instructions (that I found) on how to make the switch.

1. Log into MySSA the old way.
2. Deactivate account (on the Security tab).
3. Log into MySSA via login.gov.
4. Enter all the required info and provide security info (I chose to scan my driver's license via a cool (I thought) text exchange with SSA).

That's it. Took about 5 minutes.

As to the logging out problem, as RubyTuesday pointed out that seems to be a common issue (e.g., Trusted Traveler)--so not sure that is ever going to be fixed. Maybe they need a logout.gov.

Now if I could only figure out how to use my Yubikey on login.gov.
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

cowdogman wrote: Tue Sep 21, 2021 10:22 am
HanSolo wrote: Tue Sep 21, 2021 10:12 am
RubyTuesday wrote: Tue Sep 21, 2021 9:55 am
HanSolo wrote: Tue Sep 21, 2021 9:51 am I'll avoid this until they get it working properly. Thanks for the info.
While I think they should correct it, you can still use it securely in my opinion. Just sign out of login.gov after using ssa.gov.

The benefits of having a security key are worth it for me.
I agree with the benefits of a security key (I use one with Vanguard), but another priority is to reduce the amount of time I spend working through glitches caused by undisciplined programmers. It's already quite a lot. Waiting until they release a production-quality version of their system is reasonable.
I do think it is working properly. It's just that there are no clear instructions (that I found) on how to make the switch.

1. Log into MySSA the old way.
2. Deactivate account (on the Security tab).
3. Log into MySSA via login.gov.
4. Enter all the required info and provide security info (I chose to scan my driver's license via a cool (I thought) text exchange with SSA).

That's it. Took about 5 minutes.

As to the logging out problem, as RubyTuesday pointed out that seems to be a common issue (e.g., Trusted Traveler)--so not sure that is ever going to be fixed. Maybe they need a logout.gov.

Now if I could only figure out how to use my Yubikey on login.gov.
I’m checking now to see if they at least have a session timeout on login.gov so that if you sign out of SSA.gov or Trusted Traveler your login.gov session ends in some timeframe.
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
mggray17
Posts: 231
Joined: Thu Feb 11, 2010 7:09 am

Re: Yubikey and the Social Security Administration

Post by mggray17 »

Thanks. I logged in and looked at every tab and did not see it.
But I do now. Perhaps because it is only a blue font and does not have a box around it, I missed it earlier.
cowdogman wrote: Tue Sep 21, 2021 10:02 am
RubyTuesday wrote: Tue Sep 21, 2021 8:57 am
mggray17 wrote: Tue Sep 21, 2021 7:49 am What are the steps to "Delete" the old account?
I didn't see an easy way to do that within the mysocialsecurity account.
RubyTuesday wrote: Mon Sep 20, 2021 5:09 pm If you already have a mySocialSecurity account using the old login method, you have to delete that account and then create a new account and use the login.gov method.

I did this (with some trepidation that I may get locked out completely), and it worked fine.

I now use login.gov with yubikey and have no sms / phone linked to account.
I tested access with Yubico 5ci on iPad, iPhone, and Mac, and with Yubico 5 NFC (USB A) on Mac.

Worked like a charm.

Oh, as a backup you can also add an authenticator app to generate codes (with 1password or google authenticator).
RT
I don’t recall for sure where it was originally when I did it… now I find “Deactivate online account” at bottom of Security Settings page. This may be different prior to using login.gov, not sure.
Log in to MySSA the old way, go to the security tab and scroll down--there is a deactivate account button.
RubyTuesday
Posts: 2236
Joined: Fri Oct 19, 2012 11:24 am

Re: Yubikey and the Social Security Administration

Post by RubyTuesday »

RubyTuesday wrote: Tue Sep 21, 2021 10:31 am
cowdogman wrote: Tue Sep 21, 2021 10:22 am
HanSolo wrote: Tue Sep 21, 2021 10:12 am
RubyTuesday wrote: Tue Sep 21, 2021 9:55 am
HanSolo wrote: Tue Sep 21, 2021 9:51 am I'll avoid this until they get it working properly. Thanks for the info.
While I think they should correct it, you can still use it securely in my opinion. Just sign out of login.gov after using ssa.gov.

The benefits of having a security key are worth it for me.
I agree with the benefits of a security key (I use one with Vanguard), but another priority is to reduce the amount of time I spend working through glitches caused by undisciplined programmers. It's already quite a lot. Waiting until they release a production-quality version of their system is reasonable.
I do think it is working properly. It's just that there are no clear instructions (that I found) on how to make the switch.

1. Log into MySSA the old way.
2. Deactivate account (on the Security tab).
3. Log into MySSA via login.gov.
4. Enter all the required info and provide security info (I chose to scan my driver's license via a cool (I thought) text exchange with SSA).

That's it. Took about 5 minutes.

As to the logging out problem, as RubyTuesday pointed out that seems to be a common issue (e.g., Trusted Traveler)--so not sure that is ever going to be fixed. Maybe they need a logout.gov.

Now if I could only figure out how to use my Yubikey on login.gov.
I’m checking now to see if they at least have a session timeout on login.gov so that if you sign out of SSA.gov or Trusted Traveler your login.gov session ends in some timeframe.
Mixed news from tests…

Good: Login.gov does have a session timeout of 15 minutes
Bad: ssa.gov does not seem to have a timeout of 15 minutes (haven’t tested longer period yet)
Good: while ssa.gov session stays alive over 15 minutes, the login.gov session is not kept alive by ssa.gov, so it appears to still time out if no further login.gov activity
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
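A small model of the behaviour reported in the posts above, added here as an illustration and not login.gov or SSA code: an identity-provider session with the 15-minute idle timeout measured in the thread, and a site whose sign-out either stays local or also ends the identity-provider session. The class names, the `propagate_logout` switch and the scenario timings are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

IDP_IDLE_TIMEOUT = 15 * 60  # seconds; the 15-minute login.gov timeout reported in the thread

@dataclass
class IdentityProvider:
    last_activity: Optional[float] = None  # None: no identity-provider session exists

    def session_active(self, now: float) -> bool:
        return self.last_activity is not None and now - self.last_activity < IDP_IDLE_TIMEOUT

    def sign_in(self, now: float, security_key: bool = False) -> str:
        if self.session_active(now):
            self.last_activity = now
            return "silent"          # existing session reused, no authenticator asked for
        self.last_activity = now if security_key else None
        return "authenticated" if security_key else "denied"

    def sign_out(self) -> None:
        self.last_activity = None

@dataclass
class RelyingParty:
    idp: IdentityProvider
    propagate_logout: bool = False   # assumption: sign-out also ends the provider session
    logged_in: bool = False

    def login(self, now: float, security_key: bool = False) -> str:
        result = self.idp.sign_in(now, security_key)
        self.logged_in = result != "denied"
        return result

    def request(self, now: float) -> bool:
        return self.logged_in        # site activity never touches the provider session

    def logout(self) -> None:
        self.logged_in = False
        if self.propagate_logout:
            self.idp.sign_out()

def scenario(propagate_logout: bool, logout_min: int, probe_min: int) -> str:
    """Key sign-in at t=0, site use until logout_min, then a key-less provider sign-in at probe_min."""
    idp = IdentityProvider()
    site = RelyingParty(idp, propagate_logout)
    assert site.login(0, security_key=True) == "authenticated"
    for minute in range(1, logout_min):
        assert site.request(minute * 60)   # constructed activity on the site only
    site.logout()
    return idp.sign_in(probe_min * 60)
```

`scenario(False, 5, 6)` reproduces the sign-in without a key one minute after leaving the site, `scenario(False, 14, 16)` shows the provider session expiring despite site activity up to minute 14, and `scenario(True, 5, 6)` shows the effect of a sign-out that reaches the provider.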
HanSolo
Posts: 2286
Joined: Thu Jul 19, 2012 3:18 am

Re: Yubikey and the Social Security Administration

Post by HanSolo »

cowdogman wrote: Tue Sep 21, 2021 10:22 am
HanSolo wrote: Tue Sep 21, 2021 10:12 am I agree with the benefits of a security key (I use one with Vanguard), but another priority is to reduce the amount of time I spend working through glitches caused by undisciplined programmers. It's already quite a lot. Waiting until they release a production-quality version of their system is reasonable.
I do think it is working properly. It's just that there are no clear instructions (that I found) on how to make the switch.

1. Log into MySSA the old way.
2. Deactivate account (on the Security tab).
3. Log into MySSA via login.gov.
4. Enter all the required info and provide security info (I chose to scan my driver's license via a cool (I thought) text exchange with SSA).

That's it. Took about 5 minutes.

As to the logging out problem, as RubyTuesday pointed out that seems to be a common issue (e.g., Trusted Traveler)--so not sure that is ever going to be fixed. Maybe they need a logout.gov.

Now if I could only figure out how to use my Yubikey on login.gov.
I don't think you understood my meaning. Yes, if I read enough comments on Bogleheads (or wherever), I can figure out how to get it to work. No, if the site isn't demonstrating production quality without me having to read the forum, then I don't want to spend the time. I'm not saying that those who do are wrong, just that I have different preferences.

When they've got something that demonstrates production quality then I'll be interested.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)