Hans Kugler[1] >> web sites should not be given your phone number for 2 factor authentication. >> First of all, they don't need your phone number :). Secondly, it's not >> secure. Now the NIST agrees.
So, as if on cue, Date: Fri, 29 Jul 2016 04:43:49 +0000 From: Social Security Administration <subscription.serv...@subscriptions.ssa.gov> Subject: New step to protect your privacy using my Social Security > Starting in August 2016, Social Security is adding a new step to protect your > privacy as a my Social Security user. This new requirement is the result of > an executive order for federal agencies to provide more secure authentication > for their online services. ... > When you sign in at ssa.gov/myaccount with your username and password, we > will ask you to add your text-enabled cell phone number. ... > Each time you sign into your account, you will complete two steps: > Step 1: Enter your username and password. > Step 2: Enter the security code we text to your cell phone (cell phone > provider's text message and data rates may apply). ... > If you do not have a text-enabled cell phone or you do not wish to provide > your cell phone number, you will not be able to access your my Social > Security account. FWIW, Tom Roche <tom_ro...@pobox.com> [1]: http://lists.phxlinux.org/lurker/message/20160727.071321.f24aaba8.en.html --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss
