Segurança Social Direta Locks Two-Factor Authentication Into Mandatory Operation on Tuesday 12 May 2026 — NISS-and-Password Logins Now Require an SMS or Email Code, and the Username Migrates From NISS to the Registered Email

The Portuguese Social Security portal — Segurança Social Direta, the single online front-door for almost every benefit, contribution and worker-employer transaction that runs through the Instituto da Segurança Social — switches its authentication regime on Tuesday 12 May 2026. From today, every login that uses the legacy combination of Número de Identificação da Segurança Social (NISS) and password must clear a second authentication step: a temporary code delivered by SMS to the user's registered mobile or by email to the user's registered address. The change was first announced on 29 April 2026 and the Instituto gave users until 11 May to validate their contact details under the new regime; users who arrive at the login screen without an active SMS or email channel will be routed into a re-validation flow before they can proceed.

What changes inside the login flow

The Instituto da Segurança Social has framed the rollout as both a security and a usability upgrade. The new flow runs in three steps: enter NISS or email, enter password, enter the time-limited code that arrives by SMS or email. Once the user has activated the second factor, the username field accepts the registered email address as a substitute for NISS — which is the first time the Portuguese social-security stack has accepted anything other than the twelve-digit fiscal-and-social identifier at the front door. Users who already use the Chave Móvel Digital or the Cartão de Cidadão route into the portal are not affected by the change; both of those flows already operate against the AMA federated-identity spine and meet the eIDAS substantial-assurance requirement on their own.

Why the change matters now

The 12 May rollout closes a long-standing gap in the Portuguese e-government stack. Segurança Social Direta was the last of the major public-administration portals — Portal das Finanças, ePortugal, Portal do SNS24 — to operate without enforced multi-factor authentication on its password-based login. The Instituto's release on the change cites the increase in account-takeover incidents on the portal during 2025 as the proximate driver. Account-takeover on a Social Security profile gives an attacker access to a range of high-value transactions, including the redirection of payments under the abono de família, the prestações de desemprego and other social benefits, as well as the ability to manipulate employer-worker registries that drive the calculation of contribution obligations.

The fraud-awareness line

The Instituto issued an unusually direct fraud-awareness notice alongside the 12 May rollout, stating that 'Segurança Social does not request banking data, passwords or access codes through links sent by SMS or email' and that any update must be made exclusively inside the Portal da Segurança Social Direta. The framing matches the wording the Banco de Portugal and the major Portuguese banks have been using since 2024 to push back against the rising tide of SMS-and-email phishing, which Portugal's national cybersecurity centre CNCS has classified as the leading single attack vector against the residential population. The Instituto's parallel push has been to require contact-detail validation in advance — users who arrive on the portal after 11 May without a verified mobile or email address are routed into a one-time validation flow that itself depends on a Chave Móvel Digital or Cartão de Cidadão step.

Operational impact for employers and TOCs

The change affects employer accounts and Técnico Oficial de Contas (TOC) profiles as well as individual citizen accounts. Employers using the portal to manage worker registries, pay the Taxa Social Única, or run the monthly Declaração Mensal de Remunerações must clear the second-factor step on every session. Multi-user employer accounts continue to operate under the existing delegation framework, but each delegated user must independently activate the second factor against their own mobile or email channel. The Instituto has flagged that batch-submission flows via the WebService channel are not affected, since those run against API keys rather than user passwords.

Sources: Instituto da Segurança Social communiqué, 29 April 2026; ECO; RTP; Jornal de Negócios; Notícias ao Minuto.