Security Questions don’t work!
January 29th, 2009 | by wadew |
We’ve all seen them, we’ve all used them…”What is your father’s middle name?”, “What is the name of your favorite pet?”, “Where did you go to high school?”. These questions are typically used in web applications when a user needs to reset their password or change their account email address. The intent is to provide a “secure” means through which a user’s identity can be asserted without email confirmation. The problem is that the answers to most security questions can easily be obtained with a little research.
One of the primary destinations on the internet in 2008 was social networking applications…also known as places where you put all your information to share it with your friends. Whether it’s a Facebook profile, a Twitter post history, a blog, a MySpace page, or Google, most people have published all the information required for the target account to be stolen. Need more proof?
- Sarah Palin Yahoo! account hacked
- Paris Hilton’s Sidekick hacked
- Fred Durst’s T-Mobile account hacked
- Google search results for: “security question” hacked
One of my motivations behind this post comes from when I checked my access logs and found that someone searching for “Wade Woolwine” birthday on Google had ended up on my blog. Luckily, I don’t use my birthday for answers to security questions…but I now know that one of my accounts is being targeted.
It’s not likely that people will stop choosing bad security questions or publishing too much information about themselves on the internet. So how do we make this account management safeguard safer?
- Better security questions
  Enter a 6-10 digit code.
  Enter a backup password.
  Enter the last 4 digits of your driver’s license.
- Photo security questions
  Allow the user to provide the security question by selecting an image or providing their own.
- Confirmation code sent over SMS
  For sites that use SMS for other purposes, a verification code can be sent to the registered mobile number.
- Delay email address change requests
  Impose a 24 hour delay for email address change requests. During that time, issue an email to both the current and the future email address explaining the email change request. The email to the current email address should include instructions on how to block the request should it be unauthorized.
- Identity certificates
  If the provider is able to issue client certificates for their visitors, these certificates can be used as a form of 2nd factor authentication.
- 2nd factor authentication service
  Banks and other financial institutions should leverage a service such as Verisign VIP. The tokens would add cost, but the added security becomes a marketing tool for the service.
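The two mechanisms the list describes in most detail, the 24 hour delay on email address changes (with a block instruction mailed to the current address) and a confirmation code sent over SMS, as an added Python example. This is not code from the post; the in-memory store, the injected send_mail/send_sms/now callbacks, the sample user, the 10 minute code lifetime and the 5 attempt limit are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy constants. Only the 24 hour delay comes from the post; the rest are assumed.
CHANGE_DELAY = timedelta(hours=24)
SMS_CODE_TTL = timedelta(minutes=10)
SMS_MAX_ATTEMPTS = 5


def _digest(secret: str) -> bytes:
    """Store only a hash of tokens and codes so a leaked table cannot be replayed."""
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class PendingChange:
    old_email: str
    new_email: str
    requested_at: datetime
    cancel_token_hash: bytes
    cancelled: bool = False


@dataclass
class SmsChallenge:
    code_hash: bytes
    issued_at: datetime
    attempts: int = 0


class AccountSafeguards:
    """In-memory demo. send_mail(to, body), send_sms(number, body) and now() are
    injected (hypothetical callbacks) so the example runs offline and tests can
    advance the clock."""

    def __init__(self, send_mail, send_sms, now=lambda: datetime.now(timezone.utc)):
        self._send_mail, self._send_sms, self._now = send_mail, send_sms, now
        self.emails = {}    # user_id -> current email address
        self.phones = {}    # user_id -> registered mobile number
        self._pending = {}  # user_id -> PendingChange
        self._sms = {}      # user_id -> SmsChallenge

    # --- Delay email address change requests -------------------------------
    def request_email_change(self, user_id, new_email):
        old_email = self.emails[user_id]
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = PendingChange(old_email, new_email, self._now(), _digest(token))
        # Only the current address receives the means to block the request.
        self._send_mail(old_email, f"Change to {new_email} requested. To block it, use cancel token: {token}")
        self._send_mail(new_email, f"A request was made to move the account at {old_email} to this address.")
        return token

    def cancel_email_change(self, user_id, token):
        pending = self._pending.get(user_id)
        if pending is None or not hmac.compare_digest(_digest(token), pending.cancel_token_hash):
            return False
        pending.cancelled = True
        return True

    def apply_due_email_changes(self):
        """Run periodically; applies uncancelled requests older than CHANGE_DELAY."""
        applied = []
        for user_id, pending in list(self._pending.items()):
            if pending.cancelled:
                del self._pending[user_id]
            elif self._now() - pending.requested_at >= CHANGE_DELAY:
                self.emails[user_id] = pending.new_email
                del self._pending[user_id]
                applied.append(user_id)
        return applied

    # --- Confirmation code sent over SMS -----------------------------------
    def issue_sms_code(self, user_id):
        code = f"{secrets.randbelow(10**6):06d}"  # six uniformly random digits
        self._sms[user_id] = SmsChallenge(_digest(code), self._now())
        self._send_sms(self.phones[user_id], f"Your confirmation code is {code}")

    def verify_sms_code(self, user_id, code):
        challenge = self._sms.get(user_id)
        if challenge is None:
            return False
        expired = self._now() - challenge.issued_at > SMS_CODE_TTL
        if expired or challenge.attempts >= SMS_MAX_ATTEMPTS:
            del self._sms[user_id]  # burn the challenge; the user must request a new one
            return False
        challenge.attempts += 1
        if hmac.compare_digest(_digest(code), challenge.code_hash):
            del self._sms[user_id]  # one-time use
            return True
        return False
```

The cancel token and the SMS code are generated with the `secrets` module, stored only as hashes and compared with `hmac.compare_digest`, so neither a database dump nor timing differences give an attacker a way around the delay or the code check; the SMS challenge is consumed on success, on expiry and after too many wrong guesses.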
I’m not sure if any of these options are truly viable as robust solutions for enhancements or replacements for security questions, but they would make targeting users’ accounts through social engineering more difficult.
Tags: Authentication, Security Question