• Dealing with regulated security


    • This topic has 22 replies, 12 voices, and was last updated 2 months ago.
    • #2699312

      Thanks for a useful article.

      I am retired and, while fairly IT aware, I am far from an IT professional, so even the consumer options are fairly complex. I do think the industry needs to develop some consistent and reasonably easy to use methodologies for 2FA for the ordinary consumer – probably starting with email authorisation.

      I do use 2FA for all my financial accounts, generally using the provider’s proprietary app, but only for a minority of general logins, and not for my PCs at home.

      Moderator’s Note: Caught in spam filter. Sorry.

      Chris
      Win 10 Pro x64 Group A

    • #2699318

      DUO for Workstation protection. Sounds like a good idea. Years ago, I had that similar idea and stumbled across Userlock. Looked fine and dandy. Except for one thing. It only works for the workstation. Not the domain. So if you bring your own pc without Userlock installed, you can gain access to the domain without being bothered by Userlock. Surely this must be a design flaw, so I asked the makers. Their answer: this is indeed the way it works – it protects the workstation, not the domain. Uhhhhh, ok??? Then this product is useless to me. Let’s have a look at the competition. Duo! Now owned by Cisco. Surely they will have a better solution. Long story short – it’s the same as Userlock. It protects the workstation – not the domain.

      Don’t get me wrong – protecting the workstation is a good thing. But not enough. I want to protect the whole domain. Haven’t found any product (yet) doing that….

      • #2699362

        So if someone wants to join the domain-they would still need a domain username and password to login. Do you mean you don’t want them joining your internet?

        Susan Bradley Patch Lady/Prudent patcher

        • #2699366

          Susan Bradley Patch Lady/Prudent patcher

        • #2699464

          So if someone wants to join the domain-they would still need a domain username and password to login.

          Yes indeed. That’s also a thing. With 2FA, people might want to use a less secure password. They have to enter a PIN or token or whatever. So, meh, don’t need no convoluted password.

          Anyway, if a perpetrator gets hold of someone’s login name and password, and has access to your domain, he can pretty easily log on to the domain, despite something like Duo. And if you happen to have all your data stored locally, like we do, then it’s at the disposal of that perpetrator. If you store your data in the cloud, it’s probably going to be a lot more difficult. But for a local domain, things like Duo or Userlock don’t add another layer of security to the domain.

    • #2699319

      I’m in charge of security for my organization too 🙂

      I happily embrace security practices that lead to true security improvements. Those that bring a new “standard” for the sole purpose of adding backdoors are not adopted. It’s incredible how much our technology progression has backslid in recent years.

    • #2699373

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

      • #2699399

        It depends on what you are doing with the IRS. Making payroll tax payments supports three different authentication platforms.

        [Image: Screenshot-2024-08-26-090014]

        IRS.gov for now is still ID.me

        Susan Bradley Patch Lady/Prudent patcher

    • #2699407

      So that means those of us who don’t have the above will be making a trip to the local SS office instead.

      Moderator’s Note: This post was retrieved from the spam filter. Sorry.

    • #2699422

      Another option that’s available when setting up a Login.gov account for logging into the SSA website is to download a set of 10 backup (aka security) codes. This option is not encouraged during account set-up with the claim that it’s not secure. However, whether or not it’s secure depends on who will be using the codes and how they secure them; for some people the codes would not be recommended but for the many who will keep them safe, codes may work well as an option. If you keep the codes secure you will be able to login when your cell phone service fails or your authenticator app fails. It will also allow another person or entity of your choosing to more conveniently log into your account should that be required.

      You can still set-up two factor authentication with a cell phone or app and also choose to download a set of codes. When logging in the default is to use the 2 factor method, but there is an option to ‘use another way’ which will then ask for a security code. Each code can be used only once and when all 10 have been used you need to download another set of codes.

      2 users thanked author for this post.
    • #2699429

      Hey Y’all,

      I have the 10 “emergency” codes saved as a note in my RoboForm entry for Login.gov.
      I highly recommend this practice for any site that provides these “emergency” codes.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      3 users thanked author for this post.
    • #2699441

      In July 2024, SSA began its process of converting all previous accounts by mailing or emailing existing users instructions on how to transition to Login.gov.

      From SB’s piece “Dealing with regulated security” in the 2024-08-26 issue of the Newsletter

      Hi Susan,

      I have an online SSA account and an online IRS account, both of which I log into using Id.me. I have not received any mail or email from SSA about transitioning to login.gov. I also checked my SSA account’s Message Center and there’s no record of any notice about this. So, is it too early to get a notice about this from the SSA, but I will get one down the road? Should I try now to get login.gov to work for me? Is it expected that eventually signing into an SSA online account with Id.me will no longer work?

      I have an online IRS account, too. (I am a consumer, not a business). The online IRS account allows logging in ONLY with ID.me (and no option to login with login.gov), as you noted in #2699399. Will the online IRS account eventually be transitioning to login.gov? And is it expected that eventually signing into this online IRS account with Id.me will no longer work? Like my online SSA account, I don’t find any record of an IRS or an IRS letter about this, either.

      • #2699454

        @WCHS

        With regards to your online SSA.gov account and SSA’s transition to login.gov usage, please read the entire page (including the FAQ section) that’s at the following link from the SSA website. It will most likely answer ALL of the questions you posed above about the transition. Spoiler Alert: You can continue to use ID.me for now with no issues (they even say so in their responses on that page and in the material leading up to the FAQ section), unless the SSA changes their mind and follows the IRS’ lead of ditching the use of ID.me.

        https://blog.ssa.gov/how-to-transition-your-social-security-account-to-login-gov/

        I hope this helps!

        2 users thanked author for this post.
        • #2755913

          You can continue to use ID.me for now with no issues (they even say so in their responses on that page and in the material leading up to the FAQ section), unless the SSA changes their mind and follows the IRS’ lead of ditching the use of ID.me.

          The underlined portion of the quote bears some comment here. As far as I know, the IRS has not ditched ID.me. In fact, the only option for logging in to an individual IRS account (irs.gov > sign in to your account > Individual tile > sign in to your account) is via ID.me. The irs.gov website does not offer Login.gov for an individual account.

          The same goes for creating an IRS account.

          As you see here, only one method is offered.
          [Image: IRS options for logging into or creating account]

      • #2699459

        People I know who used to login to SSA the ‘old fashioned way’ (username, password, and a 2nd factor authentication via email or text) saw messages/alerts/notifications at some point during that login process that they needed to transition to ID.me or login.gov. Those same people also received emails from SSA informing them they needed to change the way they log in; they did not get messages via the messaging system available to logged in users. So, I would try logging in to SSA the way you normally do and see if you get any indication that you need to change to login.gov. If you don’t get any indication of needing to do that, I would assume you’re good.

        What I’ve said seems to be verified here:

        https://www.ssa.gov/myaccount/account-transition-faqs.html#:~:text=No.,to%20access%20Social%20Security%20services.

        I don’t know the answers to your IRS questions.

        1 user thanked author for this post.
        • #2750529

          I had a social security account that I had deleted. Then I re-instated it using the same email address. Problem is I now have the account but it opens to the “Your Account Page” and I cannot get into my Social Security Info page.

    • #2699455

      In late 2022, ID.me sparked some controversy because it uses face detection and requires the upload of a photo. Because the Internal Revenue Service (IRS) had contracted with ID.me, security and privacy concerns arose about a private company having such personally identifiable information.

      I had had a SSA account for a very long time but about two or three years before the pandemic, I could no longer log into it. Despite a number of in-person visits to the SSA office, I could not get this fixed. And later, despite a number of emails to Id.me, I could not get its automated process to work because I did not have a mobile phone to take a selfie. Then during the pandemic when in-person visits to SSA offices were not possible, I was able to talk to a SSA agent on the phone who told me how to navigate SSA screens to get this fixed. I don’t remember the details, but it involved setting up id.me to log in, which worked this time, despite my not having a mobile phone to take a selfie, because Id.me managed to verify my identity via a video interview on my PC. I remember that interview distinctly. As a result, I don’t think Id.me has any facial recognition data on file for me, because an Id.me agent was able to look at me via the video to verify my identity.

    • #2699507

      I’ve been using “login.gov” since day one when I registered with SSA.gov. The part I don’t like is when I log in and check the box “remember this device”. It never does.

      Moderator’s Note: Caught in spam filter. Sorry.

    • #2750634

      I have the 10 “emergency” codes

      So do I.

      Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

    • #2755917

      Does anyone who is reading this thread have both an ID.me and a Login.gov account for logging in to their SSA account?

      The SSA site FAQ questions say that a person can log in either way, but I’d like to know if there is someone who can personally attest to this — i.e., a person who logs into their ssa account sometimes using ID.me AND at other times using Login.gov.

      I can log into my SSA account at ssa.gov, click on the ‘Sign in’ button in the upper right-hand corner, and get a page that offers both the ID.me and the Login.gov button for accessing it. Right now I have only an ID.me account for logging into my SSA account (and it works).

      It says at the top not to create a new one, if you already have one. But, this is ambiguous. It could mean ‘do not create another ID.me account, if you already have an ID.me account’ and ‘do not create another Login.gov account, if you already have a Login.gov account’. Or it could mean ‘do not create a Login.gov account, if you already have an ID.me account’.

      I’d like to be prepared, in case SSA decides to offer ONLY Login.gov. {Maybe, SSA is paying ID.me for this service, DOGE learns of this expense, and decides to stop offering ID.me and to only offer Login.gov.}

      The same goes for logging into an individual IRS account. Right now the IRS.gov website offers only ID.me for an individual IRS account. But, if the IRS is paying ID.me for this service, DOGE might require it to offer only Login.gov, in which case a Login.gov account would put me in good stead.

      • #2755929

        You can login with either if you have both.

        --Joe

        • #2755933

          You can login with either if you have both.

          Yes, I’ve read this; the ‘you’ means ‘anyone/everyone’. But, for you personally, are YOU able to do it, i.e., is that your first-hand experience?
