Multi-factor authentication, senior citizens and usability
16 August, 2016
category: Biometrics, Digital ID, Government
The Social Security Administration announced earlier this summer that it was requiring recipients to use text-message-based two-factor authentication to access online accounts.
While text-based passwords are far from perfect, it’s at least a small step in the right direction to securing accounts that would be a treasure trove of information for fraudsters. But after complaints that some senior citizens either don’t have text-enabled mobile devices or don’t know how to use them, the SSA rolled back the mandate and made the authentication technology optional.
“Providing only one method of authentication places an undue burden on recipients who may be unfamiliar with text messaging, may not have a text-enabled phone, or are unable to use text messaging due to disability,” states a letter from Sen. Jeff Merkley (D-Ore.). “According to the Pew Research Center, only 35% of those over the age of 65 use text messaging. With the majority of individuals at or above Social Security retirement benefit age not equipped to text, developing alternative multi-factor authentication methods is crucial to ensuring that all recipients have equal access to their my Social Security accounts.”
The SSA deployed the technology in order to comply with President Obama’s Executive Order, “Improving the Security of Consumer Financial Transactions.” The agency’s budget for the next fiscal year calls for them to deploy another multi-factor technology.
But what will it be? Application-based passcodes – such as Google Authenticator – won’t be any easier for seniors to use; if anything, they’re more complex to set up.
The GSA’s 18F is working on a government-wide identity platform, but I don’t think it will be fully up and running in the next year. Connect.Gov didn’t make nearly that kind of progress in the same amount of time.
Adaptive access control requires the user to do very little, but it requires a pattern of behavior to work off, so I don’t know how well it would work with seniors who don’t spend much time online. Could a system that just checks IP address and behavior, such as time of login, be good enough?
Usability of multi-factor authentication technology is still a problem. Text-based OTPs might be among the easiest to use, but they’re not that secure, and if you don’t have a mobile device that accepts text messages it’s a non-starter.
As a user of app-based passcodes, the user experience leaves a lot to be desired. App-based solutions that send a push notification to a mobile device and then require a swipe and authentication on the mobile are a good user experience, but if a senior doesn’t have text messages they probably don’t have a smartphone with a data plan.
So as Baby Boomers get older and more services continue to move online, what will be the authentication tool of choice? The system will have to be secure but also very easy to use and ubiquitous. The mobile has always been referred to as the identity token of the future, but an alternative may be needed to serve seniors now.