In an announcement published in today’s Federal Register, the Social Security Administration requested comments and feedback on a proposed information collection method. Specifically, Social Security is exploring what the best way will be to identify citizens who who wish to access more electronic services benefit information online.

NextGov reported the driving need for this system yesterday: Social Security statements will go online …someday. According to Alan Lane, the agency’s associate chief information officer for open government, the agency has are no specific service plans at this time – nor is there a firm deadline for the statements going online. The Federal Register notice has much more detail and is quoted at length below.

Here’s some additional background, before you dive into the announcement below. For an agency like Social Security, taking careful steps into the Information Age isn’t just wise: it’s mandatory. The agency has enormous amounts of confidential data about American citizens. Rushing online holds considerable risks but carefully engaging there will be inevitable if Social Security is to embrace Gov 2.0.

In 2011, the Social Security Administration ranks as the largest government program by dollars paid in the United States federal government. It surpasses even discretionary defense and Medicare/Medicaid spending in the federal budget. As the 21st century dawns, new technology and a mandate for open government from the Obama administration provide an opportunity for the Social Security Administration to “reboot its relationship with the American people,” as its CIO, Frank Baitman, put it last last year.

Whether Social Security can better deliver on its mission through adopting social media, more data, better e-services and mobile technologies is an open question. Authentication and credentialing of citizens online is an important part of that progress. Online identity is a matter of plumbing, so to speak, but getting it right is no less important than real plumbing in a house.

Leaks are potentially catastrophic.

That’s why the United States national strategy for online identity is both complex and worth watching. Citizens and government alike need this to work if e-government services are to match their offline components. Getting this wrong would be disastrous, given the rise of identity theft across the nation.

Given how many more of those citizens will be retiring in the years ahead, providing e-services may not be a “nice-to-have” option. According to Social Security’s estimates, by 2036, there will be almost twice as many older Americans as today, from 41.9 million to 78.1 million. They’ll want to access their information online. Today, we learned a bit more about how the agency is thinking about getting there.

1. Social Security’s Public Credentialing and Authentication
Process–20 CFR 401.45–0960-NEW. Social Security is introducing a
stronger citizen authentication process that will enable a new user to
experience and access more electronic services.

Background:

Authentication is the foundation for secure, online transactions.
Identity authentication is the process of determining with confidence
that people are who they claim to be during a remote, automated
session. It comprises three distinct factors: something you know,
something you have, and something you are. Single-factor authentication uses one of
these factors, and multi-factor authentication uses two or more of
these factors.

SSA’s New Authentication Process:

Social Security’s new process features credential issuance, account
management, and single- and multi-factor authentication. With this
process, we are working toward offering consistent authentication
across Social Security’s secured online services, and eventually to
Social Security’s automated telephone services. We will allow our users
to maintain one User ID, consisting of a self-selected Username and
Password, to access multiple Social Security electronic services. This
new process: 1) enables the authentication of users of Social
Security’s sensitive electronic services, and 2) streamlines access to
those services.

Social Security is developing a new authentication strategy that
will:

• Issue a single User Identification (ID) for personal,
  business, and governmental transactions; 
• Offer a variety of authentication options to meet the
  changing needs of the public; 
• Partner with an external data provider to help us verify
  the identity of our online customers; 
• Comply with relevant standards;
• Offer access to some of Social Security’s more sensitive
  workloads online, while providing a high level of confidence in the
  identity of the person requesting access to these services; 
• Offer an in-person process for those who are uncomfortable
  with or unable to use the Internet registration process; and 
• Balance security with ease of use. New Authentication Process Features:

  SSA’s new process will include the following key components: (1)
  Registration and identity verification, (2) enhancement of the User ID,
  and (3) authentication. The registration process is a one-time activity
  for the respondents. The respondent provides some personal information,
  and we use this to verify respondent identity. Respondents then select
  their User ID (Username & Password). Respondents will log in with this
  User ID each time they access SSA’s online services. SSA will also
  allow respondents to increase the security of their credential by
  adding a second authentication factor.

  Information SSA Will Request As Part of the Process:

  SSA will ask for respondents’ personal information, which may
  include:

  • Name
  • Social Security Number (SSN)
  • Date of Birth
  • Address–mailing and residential
  • Telephone number
  • Email address
  • Financial information
  • Cell phone number
  • Responses to an identity quiz (multiple choice format
    questions keyed to specific data identity thieves will not be able to
    answer) 
  • Password reset questions

  This collection of information, or a subset of it, is required for
  respondents who want to conduct business with Social Security via the
  Internet or our automated 800 number. We will collect this information
  via the Internet on SSA’s public-facing website. We also offer an in-
  person identification verification process for individuals who cannot
  or are not willing to register online. We do not ask for financial
  information with the in-person process. In addition, if individuals opt
  for the enhanced or upgraded account, they will also receive a text
  message on their cell phones (this serves as the second factor for
  authentication) each time they log into SSA’s online services.

  Advantages of the New Authentication Strategy:

  This new authentication strategy will provide a user-friendly way
  for the public to conduct extended business with Social Security online
  instead of visiting the local servicing office or requesting
  information over the phone. Individuals will have real-time access to
  their sensitive Social Security information in a safe and secured web
  environment.