Justification for the Non-Substantive Changes - 0960-0789

Justification for the Non-Substantive Changes - 0789doc.doc

SSA's Public Credentialing and Authentication Process


OMB: 0960-0789


Justification for the Non-Substantive Changes for

Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45, 20 CFR 402

OMB Control Number: 0960-0789





Background

Since we established it in May of 2012, SSA has used the Social Security Administration’s Public Credentialing and Authentication Process (hereafter called “electronic access”) to provide a secure, centralized gateway to Social Security’s public-facing electronic services. On October 17, 2014, President Obama signed Executive Order (EO) #13681, Improving the Security of Consumer Financial Transactions. The order focuses on protecting citizens from identity theft and directs federal agencies to provide more secure authentication for their online services. Specifically, the order requires multifactor authentication by April 2016 for any agency application that accesses personal information.


Currently, SSA has two-factor authentication, but only for customers who have opted to register for extra security (at Level 3 only), which requires the additional verification of financial records. Because of the executive order, SSA is expanding its existing capabilities to require multifactor authentication for every online sign-in (including Level 2 access) and allow for maintenance of the multifactor option for our customers.


Electronic access is the centralized authentication utility for access to the my Social Security (mySSA) public-facing electronic services. Since its release in May 2012, more than 20 million individuals have received mySSA credentials. At the present time, two-factor authentication is optional for mySSA customers. It involves sending a security code by Short Message Service (SMS) to a customer’s confirmed cell phone number. With the July 2016 release, mySSA customers are required to use their cell phone as a second factor during the online registration and login authentication processes.


The agency desires to introduce these changes by July 2016, which will support its goal of enhancing security, preventing fraud, and improving security for online services. To accommodate the new multifactor requirement, these changes will necessitate modifications to the language and options on our online, public-facing registration and authentication screens, as well as on the Registration and Customer Support (RCS) screens that employees use to assist the public.


Revisions to the Collection Instrument


(See more specific details about the changes we list below in the attachments.)


  • Change #1: Due to the new requirement of having a second factor to authenticate users to the my Social Security website, language changes must be made to the registration and log in screens accordingly.


Justification #1: We are adding language to the Sign In page and the Terms of Service page to inform users, before registration or log in, that a text-enabled cell phone is now required.


  • Change #2: We are adding a fourth step in the registration process, titled ‘Secure Your Account’.


Justification #2: We now require this to allow users to input the cell phone number on their account for the second step of authentication.


  • Change #3: For the ‘Provide Cell Phone Number’ screens, we added language to give a warning notice to inform the customer that an account has been created but a cell phone number is needed in order to access personal information. We also included a ‘What If…’ container with a link to the FAQs page.


Justification #3: Some users may not have a cell phone or be aware that this is a new requirement. This added language will give them additional information.


  • Change #4: We modified all language on ‘Verify Identity’, ‘Enter Texted Security Code’, and ‘Provide New Cell Phone Number’ screens in accordance with new authentication guidelines.


Justification #4: We modified this language to coincide with the new requirements for multifactor authentication.


  • Change #5: We modified the confirmation message screens.


Justification #5: We modified the confirmation message screens to explain that two steps are now required for each log in attempt.


  • Change #6: We modified the steps in the account upgrade process.


Justification #6: We modified the account upgrade process to allow the user to enter the One Time Password from the text message before entering the upgrade code on the account.

  • Change #7: We made adjustments for users grandfathered into the new process. Grandfathering is a process whereby an individual who holds a my Social Security credential can use possession of this credential as evidence for adding a second factor to the credential, i.e. an individual will be able to bypass the identity-proofing components of the credential issuance/registration process to add a second factor to the credential.


Justification #7: If a user previously had an account, they need to be grandfathered into this new authentication process. Accordingly, we changed the wording on some screens to inform previous account holders of this new process.



Estimates of Public Reporting Burden


We are adjusting the reporting burden to this information collection, because we expect these screen changes to affect customer usage. We also expect the number of respondents or burden hours we reported in our existing burden estimate to change. OMB approved the current burden estimate on 10/24/14.


We estimate that 34,862,391 respondents use the Internet process annually to create and manage an account with SSA and then authenticate to gain access to our secured online services. We estimate that it takes an average of 8 minutes to complete a transaction, resulting in an annual reporting burden of 4,648,319 hours.


We estimate that 2,394,557 respondents use the Intranet process annually to create and manage an account with us. We estimate that it takes an average of 8 minutes to complete this transaction, resulting in an annual reporting burden of 319,274 hours.


We use different modalities to collect the information, via the Internet and the Intranet. We included an estimated number of registrations and sign-ins when we calculated the total number of annual respondents. We calculated a 10% decrease in respondents, as this is the estimated number of registrations expected to fall out of the process. We estimated the number of minutes for completion by averaging the “time-on-task” figures we obtained from our usability testing.


See chart below with the updated figures:


| Modality of Completion | Number of Respondents | Frequency of Response | Average Burden Per Response (minutes) | Total Annual Burden Hours (hours) |
|---|---|---|---|---|
| Internet Respondents | 34,862,391 | 1 | 8 | 4,648,319 |
| Intranet Respondents | 2,394,557 | 1 | 8 | 319,274 |
| Totals: | 37,256,948 | | | 4,967,593 |


The total annual burden for this information collection is 4,967,593 hours. This figure represents burden hours, and we calculated a separate cost burden for the respondents (see below for details).



Annual Cost to the Respondents


There may be a cost burden to all respondents, because they will be required to add an SMS text-enabled cell phone to the account in order to have access. Each time the respondents log in to access SSA’s secured online services, we send a text message to their cell phone with a code that they must then enter on the web page.


Storage Management Subsystem (SMS) cost -- code sent via text message from SMS to the individual user.


For the user who receives the SMS code and does not have a text plan: the current cost could range from 10 cents to 20 cents per message.


For the user who has a limited text plan: the cost would just be included as part of the plan. We have no way to estimate this cost.


For the user who has an unlimited text plan, there would be no charge. The user would have paid for this service as part of the plan. We have no way to estimate this cost.


It is estimated that 88% of U.S. cell phones have unlimited texting.


Based on our current data, we estimate the respondents will access their account approximately 31,536,310 times annually. This figure includes the deduction of the 10% fallout.


Therefore, we take the total number of accesses after the 10% fallout (31,536,310), subtract the portion attributable to people who have free text messaging plans (27,751,953), and apply an average cost of 15 cents per text message, for a total of $567,653.55 annually.


Because we cannot be sure of this cost, we are not reporting it in ROCIS (just as we have not reported this cost in ROCIS previously).

File Type: application/msword
Author: Chatel Madison, OEST, DSA
Last Modified By: 889123
File Modified: 2016-03-18
File Created: 2016-03-18
