Two-Factor Authentication on Segurança Social Direta Goes Live for All Users After a Four-Day Delay — SMS or Email Code on Top of NISS and Password, Chave Móvel Digital Logins Exempt

Two-factor authentication on the Segurança Social Direta (SSD) portal became mandatory for all individual and corporate users on Saturday 16 May 2026, after a four-day technical-delay from the original 12 May rollout. From now on every login that does not use the Chave Móvel Digital requires a second factor in addition to the NISS-and-password combination — a temporary code sent by SMS or email.

The Ministry of Labour, Solidarity and Social Security pushed the migration window back from Tuesday after early adopters reported delivery failures on the SMS code path during the first 48 hours. By the end of the week, Social Security's communications team said the delivery infrastructure had been stabilised and the cutover proceeded on Saturday morning. Anyone who had not yet enabled the second factor was prompted to do so on next login and could not access the portal without completing the enrolment flow.

What Has Changed for the Average User

Until now the SSD portal accepted a straightforward login with two credentials: the eleven-digit Número de Identificação de Segurança Social (NISS) and a password. The new flow keeps both but adds a third step — a six-digit one-time code delivered to the user's registered mobile number or email address. Users who have not previously verified contact details on the portal will be walked through a one-time verification on the first login after activation.

The Ministry of Labour confirmed that the requirement 'does not apply to those accessing the Portal through the Chave Móvel Digital,' on the basis that CMD already includes a digital second-factor through the AMA-managed identity stack. Users authenticating with their Cartão de Cidadão and reader equally bypass the new SMS or email step.

A Login-by-Email Side Door

Saturday's rollout also activated a side feature that had been in the pipeline for several months: users can now log in using their registered email address instead of memorising the eleven-digit NISS, which Social Security's product team called 'a more practical, faster and more memorable' entry point. The NISS itself remains the primary administrative identifier on the back end and continues to be required for any document the user generates from inside the portal.

Why It Matters Now

SSD is the central digital channel for filing IRS-adjacent contributions for the self-employed under the green-receipts recibos verdes regime, drawing parental and unemployment benefits, requesting the Atestado de Multiusos attestation, and validating residency claims for benefit purposes. The portal handles roughly 2.2 million unique monthly logins across individual and corporate users, the Ministry of Labour said in its February 2026 digital activity report.

Cybersecurity researchers had flagged credential-stuffing risk on SSD since at least early 2024, after a wave of credential dumps exposed reused NISS-password combinations on third-party sites. The two-factor regime aligns SSD with the Portal das Finanças of the Autoridade Tributária, which moved to mandatory CMD- or two-factor login in mid-2024.

What to Do If You Are Locked Out

Users who cannot complete the second-factor enrolment because their registered phone number or email is out of date must update contact details at a Loja de Cidadão or local Segurança Social desk, then return online to finish the activation. Social Security's call centre and the Segurança Social Direta secure inbox are not accepting password resets that bypass the new factor.