Justification for the Non-Substantive Changes - 0960-0789

SSA's Public Credentialing and Authentication Process


Justification for the Non-Substantive Changes for

Social Security Administration’s Public Credentialing and Authentication Process

20 CFR 401.45, 20 CFR 402

OMB Control Number: 0960-0789





Background

Established in May of 2012, my Social Security is the Social Security Administration’s Public Credentialing and Authentication Process (hereafter called “electronic access”), which provides a secure, centralized gateway to Social Security’s public-facing electronic services. On October 17, 2014, President Obama signed Executive Order (EO) #13681, Improving the Security of Consumer Financial Transactions. The order focuses on protecting citizens from identity theft, and directs federal agencies to provide more secure authentication for their online services. Specifically, the order requires multifactor authentication for any agency application that accesses personal information.


Currently, SSA has multifactor authentication, but only for customers who have opted to register for extra security (i.e. a Level 3 account), which requires the additional verification of financial records. Because of the executive order, SSA is expanding its existing capabilities to require multifactor authentication for every online sign-in (including a Level 2 account), and allow for maintenance of the multifactor options for our customers.


Since 2012, more than 25 million individuals have received my Social Security credentials. Currently, multifactor authentication is optional for my Social Security customers. It involves sending a security code by text message to a customer’s confirmed cell phone number. Effective April 2017, we are adding email as another multifactor option. With the April 2017 release, we will require all my Social Security customers to input a security code received via email or SMS text message during the online registration and sign in authentication processes, for both Level 2 and Level 3 accounts.


We released the first version of this project on July 30, 2016, and subsequently pulled it back two weeks later to enhance it. The first version of this project received OMB approval of all screen updates and justifications on March 25, 2016. This new version of the project is similar to the first; however, we are now offering email as an additional multifactor option.


Introducing these changes by April 2017 will support the agency’s goal of enhancing security; preventing fraud; and improving security for online services. To accommodate the new multifactor requirement, these changes will necessitate modifications to the language and options on our online, public-facing registration and authentication screens, as well as on the Registration and Customer Support (RCS) Intranet screens that employees use to assist the public.


Revisions to the Collection Instrument


(See the attachments for more specific details about the changes we list below.)


  • Change #1: Due to the new requirement for a second factor to authenticate users to the my Social Security website, we must make language changes to the registration and sign in screens accordingly.


Justification #1: We now require users to choose a method to deliver security codes via email or text message. This is necessary to access all accounts as the second step of authentication.


  • Change #2: On the ‘Sign In or Create an Account’ screen we added language via the ‘Learn More’ link. On the ‘Get your security code’ screens, we also added language via the ‘Tell me more’ link.


Justification #2: Some users may not be aware that this is a new requirement. We added this additional information to inform the customer that we implemented a new sign in feature.


  • Change #3: We created new screens, ‘Get your security code’ and ‘Please enter your security code’ in accordance with new authentication guidelines.


Justification #3: We created these screens to coincide with the new requirements for multifactor authentication.


  • Change #4: We modified the confirmation message screens.


Justification #4: We modified the confirmation message screens to explain that we now require two steps for each sign in attempt.


  • Change #5: We made adjustments for users grandfathered into the new process. Grandfathering is a process whereby an individual who holds a my Social Security credential can use possession of this credential as evidence for adding a second factor to the credential, i.e. an individual will be able to bypass the identity-proofing components of the credential issuance and registration process to add a second factor to the credential.


Justification #5: If a user previously had an account, they need to be grandfathered into this new authentication process. Accordingly, we needed to change the wording for some screens to inform previous account holders of this new process.


  • Change #6: When customers register email as a second factor, we will not email a temporary password.

Justification #6: For security reasons we will not email temporary passwords to those accounts that have email registered as the second factor. We will send the temporary passwords for those accounts through USPS mail.



Estimates of Public Reporting Burden


We are not adjusting the reporting burden for this information collection. We submitted the reporting burden below, which OMB approved on 10/13/16. The changes listed above will not affect the currently approved burden.

______________________________________________________________________________

We estimate that 46,140,116 respondents will use the Internet process annually to create and manage an account with SSA and then authenticate to gain access to our secured online services. We estimate that it takes an average of 8 minutes to complete a transaction, resulting in an annual reporting burden of 6,152,015 hours.


We estimate that 2,444,557 respondents will use the Intranet process annually to create and manage an account with us. We estimate that it takes an average of 8 minutes to complete this transaction, resulting in an annual reporting burden of 325,941 hours.


We use different modalities to collect the information, via the Internet and the Intranet. We included an estimated number of registrations and sign-ins when we calculated the total number of annual respondents. We estimated the number of minutes for completion by averaging the “time-on-task” figures we obtained from our usability testing.


See chart below with the updated figures:


| Modality of Completion | Number of Respondents | Frequency of Response | Average Burden Per Response (minutes) | Total Annual Burden Hours (hours) |
|---|---|---|---|---|
| Internet Respondents | 46,140,116 | 1 | 8 | 6,152,015 |
| Intranet Respondents | 2,444,557 | 1 | 8 | 325,941 |
| Totals: | 48,584,673 | | | 6,477,956 |


The total annual burden for this information collection is 6,477,956 hours.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Chatel Madison, OEST, DSA
File Modified: 0000-00-00
File Created: 2021-01-23