Explanation of SSA's Authentication Process

SSA Authentication Process

Remote Enrollment Process
• User must first agree to the Terms of Service and Privacy Act statements.
• Next the user is prompted for the following information:
o Name
o Social Security Number (SSN)
o Address
o Date of Birth (DOB)
o Phone Number (optional)
o Financial account information (optional)
• SSA attempts to verify the user-entered information against our internal records.
• If Name/SSN/DOB combination passes in our records, the following information
is sent to Experian:
o Name
o DOB
o Address
o Telephone Number (if provided)
o Last 8 digits of credit card (if provided)
• Experian provides fraud alert if applicable, address matching information, and
credit card matching information (if provided).
• The user’s address is matched against internal SSA records and Experian records.
• Experian then provides Out of Wallet (OOW) Questions if they can be generated
for the user.
• The user provides answers to the OOW questions.
• The user’s OOW answers are sent back to Experian for scoring. If the user passes
the quiz, he or she will be able to set up his or her account without extra security.
If extra security was requested and those verifications passed, the user is also
mailed an upgrade code that will allow him or her to add extra security once it is
received.
• Account setup involves self-selecting a user name and password, and choosing
and answering three password reset questions. (These are asked if the user forgets
the password, and if answered correctly, enables the user to reset his or her
password without customer service intervention.) The user must also enter his or
her email address in order to receive account notification via email.

1

In Person Enrollment Process
•

•
•

•

•

User provides valid proof of identity with unexpired:

 U.S. State Driver’s License

 U.S. State ID card

 U.S. Passport/Passport card

 U.S. Military ID card (CAC)

 U.S. government employee ID card

ote: If the ID document does not contain address, the user can verbally
provide it.
SSA personnel record the identity document information and verify the
information against internal records.
If the address cannot be verified with internal SSA records, the user is asked
to consent to an Experian verification. The address will be verified with
Experian’s records as long as the user consents.
Depending on the type of ID the user presented and the results of the address
verification, the user may leave the office with the codes necessary to set up
an account, or need to wait for a mailing.
The user will go through the account setup steps remotely. Once he or she
receives the activation code (either handed to user in person or mailed to his
or her address of record), the user may go online and provide name, SSN and
DOB as well as an activation code issued during the in-person transaction.
Once that information is verified, the user can follow the account setup
process detailed in the Remote Enrollment process.

Account Maintenance
• Users may complete any of the following account maintenance functions:
o Change password
o Update contact information, such as email address
o Change password reset questions and answers
o Add or remove extra security
o Deactivate account
• Additionally users may recall a forgotten user name by entering their name,
SSN, and DOB.
• Users may also reset their passwords remotely by supplying their user name
and successfully answering all three of their previously selected password
reset questions. If the user cannot remember those answers, he or she may
also have a temporary password emailed to him or her.
How this meets NIST Standards
• Level 2 – No extra Security
o NIST requires us to collect and verify a government ID number. That is
done in our records when we collect and verify the name, SSN, and DOB.
o NIST requires us to verify an address, which we do. We collect the user’s
home address and either verify it internally or with Experian.
2

•

•

Level 3 – With Extra Security
o NIST requires us to collect and verify a government ID number. That is
done in our records when we collect and verify the name, SSN, and DOB.
o NIST also requires us to collect and verify a financial account number. We
do that and verify either internally or with Experian depending on the type
of financial account information that is supplied.
o NIST requires us to verify an address, which we do. We collect the user’s
home address and either verify it internally or with Experian.
o NIST requires us to issue the credential in a manner that confirms the
address. We do that by mailing the upgrade code to the address of record.
The user does not have a Level 3 credential until that upgrade code is used
and a second factor is bound to the credential. In this case, the second
factor is a text-enabled cell phone. The user is then required to enter the
user name, password, and a randomly generated code sent to him or her
via SMS at every login.
In Person Issuance
o NIST does not require a financial account check for in-person Level 3
issuance, so none is completed. We also follow NIST guidelines regarding
the issuance of the credential based on how the address is verified.

Data Retention
• SSA:
o Uses existing authoritative agency records to confirm the user’s name,
SSN, and DOB. These are already stored in SSA records so they are not
duplicated for the sake of ROME.
o Retains email address to send account notifications to the user.
o Does NOT retain the user’s financial account information, nor do we
retain OOW questions and answers.
•

Experian:
o Experian retains data that the user provides for limited purposes. SSA
transmits information from the user (name, DOB, address, and phone
number). Experian creates a PIN (internal linking key unique to the
consumer). The PIN is used to pull various internal databases to allow for
question generation, score calculation and other result codes. The
consumer is presented with questions, provides answers and a decision is
created for SSA. This information is stored in logs for 6 months online,
then archived for 7.5 years.

o Experian does this to satisfy legal requirements, in which case the PII data
is only retrieved to support inquiries on individual consumers’ behalf to
investigate or dispute a decision. Experian cites the Fair Credit Reporting
3

Act and other regulations. NIST 800-63 guidance provides a retention
period for federal agencies to keep registration data for Level 2 credentials
a minimum of 7.5 years.

4

5