Social Security Direct: two-factor authentication becomes mandatory on 12 May

Social Security Direct will make two-factor authentication mandatory from 12 May 2026 for users signing in with NISS and password. In practice, entering the usual credentials may no longer be enough: the user may also need to confirm access with an additional code sent to a validated contact, such as a mobile phone or email address.

For citizens, companies and professionals who collect official documents, this change matters. Social Security recommended activating the feature and validating contact details by 11 May to reduce access issues when the measure comes into force.

What changes in the login

Access with a Social Security user account now accepts NISS, email or subaccount, together with the password. Then, when applicable, the portal may request a second verification using a temporary code.

This change does not remove the Digital Mobile Key or other official authentication methods. Its purpose is to strengthen account protection when access is made with traditional credentials.

Why this matters when requesting documents

Documents such as the contribution status certificate and the contribution career statement depend on access to Social Security Direct. If the client has not validated their email or phone number, or cannot receive the code during the collection, the process may stop.

For credit intermediaries, real estate agencies, accountants and administrative teams, this means document collection may require one additional step: making sure the holder has access to the contact where the verification code is received.

What to ask the client before collection

• Confirm that they can access Social Security Direct
• Check that their email and mobile phone are up to date
• Keep their phone or email inbox available during the collection
• Never share passwords or codes through unsafe channels
• Be wary of SMS or email messages with links asking for access details

Impact on professional processes

When a document depends on reinforced authentication, collection time may increase. This does not mean the document is wrong or unavailable; it may simply mean the portal is waiting for confirmation from the holder.

It is therefore good practice to warn the client before starting the request and explain that they may receive a Social Security code during the process. A clear message reduces drop-off, avoids confusion and helps the client complete the collection without last-minute calls.

How PedirDocumentos.pt follows this change

PedirDocumentos.pt monitors changes in official portals so document collection remains organized and transparent. Whenever reinforced authentication blocks or delays a document, the goal is to guide the client with clear messages and keep the professional informed about the collection status.

For teams that depend on these documents, the recommendation is simple: warn clients about the new authentication, ask them to validate their contact details and allow a few extra minutes when Social Security documents are involved.