Six years ago I wrote a blog post, “My Favorite Color is Three.” It’s kind of sad: the situation with online applications using security questions for resetting passwords, known as Self Service Password Reset (SSPR), is still a horrific mess, really not that much better than it was six years ago. It’s just so darned attractive from an efficiency standpoint: no need to pay the humans at a help desk to reset all those passwords users forget incessantly.
The recent debacle with celebrity nude pictures being exposed is just one more piece of evidence: guessing security question answers is arguably even easier than brute forcing passwords. Apple, and many other application providers, require you to answer security questions whenever there is an attempt to change or reset a password.
On security questions, think about it: there are only so many possible answers to “Favorite Color,” even counting teal and puce. A list of about 64 colors covers the whole space, so that one is trivially brute forced. “Favorite Sports Team” is darned easy too: look at the person on LinkedIn and find out where they live, where they have lived, and where they went to school. Wham, pretty guessable. If that fails, find out where they grew up on Facebook; that’s pretty much a sure-fire way to figure out their favorite sports team. “Favorite Movie” or “Favorite Book”? Yep, you can probably spot that on social media. Place of birth is just too easy. “Mother’s Maiden Name” is dead easy to figure out.
Security questions are just a terrible idea for identity validation when resetting passwords. Unlike passwords, the answers may not change much, which is again a terrible thing in terms of authentication. Then again, they might change often: with a question like “What’s your favorite movie?” the answer may change and be hard to remember for that reason, and “favorite” questions have not been considered best practice for a while; "Where was your first date?" and "What was your first car?" are better. Another prevailing problem with security questions is case-sensitivity and punctuation, like periods and commas, which make answers tricky to reproduce exactly.
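The two points above, the tiny answer space and the case/punctuation trap, are both things the reset endpoint can address on the server side. The following is an added illustration (not Apple's or any vendor's code, and not from the original post) of how an SSPR verifier can normalize answers before hashing them and cap wrong guesses per account, so that a 64-entry color list cannot be walked through. The attempt limit, lockout window and PBKDF2 parameters are assumptions chosen for the example.

```python
"""Server-side handling of security-question answers for self-service
password reset (SSPR). Added example, not a vendor's implementation.

Two defensive points: answers drawn from a tiny space (about 64 colours)
fall to guessing unless the reset endpoint limits attempts per account,
and case or punctuation differences make honest answers fail unless the
answer is normalised the same way at enrolment and at verification.
"""
import hashlib
import hmac
import math
import os
import string
import time
from typing import Callable, Dict, Optional, Tuple

MAX_ATTEMPTS = 5            # assumption: lock the reset flow after 5 wrong answers
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lockout window
PBKDF2_ROUNDS = 200_000     # assumption: slow hash so offline guessing is costly too

_PUNCT = str.maketrans("", "", string.punctuation)


def normalize_answer(answer: str) -> str:
    """Casefold, drop punctuation and collapse whitespace, so "Mt. Airy, NC"
    and "mt airy nc" compare equal. Enrolment and verification share this rule."""
    folded = answer.casefold().translate(_PUNCT)
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the normalised answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def guessing_bits(answer_space: int) -> float:
    """Entropy of an answer chosen uniformly from a space of the given size
    (64 colours gives 6 bits; a random 8-character password is far more)."""
    return math.log2(answer_space)


class ResetVerifier:
    """Counts wrong answers per account and refuses further checks while locked."""

    def __init__(self, stored: Dict[str, Tuple[bytes, bytes]],
                 clock: Callable[[], float] = time.monotonic):
        self.stored = stored                      # account -> (salt, digest)
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.clock = clock                        # injectable for testing

    def check(self, account: str, guess: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'. The lock is tested before any
        hashing, so a locked account costs the server nothing per guess."""
        now = self.clock()
        if self.locked_until.get(account, 0.0) > now:
            return "locked"
        salt, digest = self.stored[account]
        _, candidate = hash_answer(guess, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time compare
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "wrong"


def exercise_lockout(verifier: ResetVerifier, account: str, candidates: list) -> dict:
    """Feeds a candidate list to one account and reports how many guesses the
    endpoint actually evaluated before the lockout stopped it."""
    evaluated = 0
    outcomes = []
    for c in candidates:
        result = verifier.check(account, c)
        outcomes.append(result)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            break
    return {"evaluated": evaluated, "outcomes": outcomes}


if __name__ == "__main__":
    # Constructed sample: "teal" enrolled, then a short colour list tried.
    v = ResetVerifier({"alice": hash_answer("Teal")})
    colours = ["red", "green", "blue", "puce", "orange", "yellow", "teal"]
    print(guessing_bits(64), exercise_lockout(v, "alice", colours))
```

Normalizing before hashing removes the case and punctuation failures the text complains about without weakening the check, since the answer space was never large enough for capitalization to matter. The lockout is what actually changes the arithmetic: with a limit of five guesses per window, a 64-entry list takes thirteen lockout windows to exhaust, which is exactly the kind of repeated failure a reset endpoint should alert on.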
Instead of security questions, Apple is now advocating Two-Step Verification. Google has had it for several years, and lots of other sites offer it. It not only resolves the nasty security question business around resetting passwords, but also prevents people from accessing or using your account, or buying things on iTunes and the App Store, even if they happen to know, guess or brute force your password.
The other cool thing about two-step verification is that you likely no longer need to create or remember any security questions. This matters, because once someone has figured out the answers to your security questions, they can go to a bunch of other apps where you might have an account, guess the userid and plug in those same answers.
Of course, there are other ways to get stronger authentication, like biometrics: reading your fingerprint, the veins in your finger, facial recognition and a wide variety of other things. Two-factor authentication combines two of these categories: something you know (like a password) with something you have (like a token) or something you are (biometrics). There are some interesting variants emerging, such as Toopher, where user credentials only work where a person’s mobile phone is, or “location-based” authentication.
Now, not all online applications support two-step verification, or even any authentication beyond password and security questions. In these cases, you might want to lie when answering security questions: a favorite color of “five,” a first car of “Charlie,” a town where you met your spouse of “9PM.” The problem is that you have to remember your lies, which is not easy unless you lie consistently.
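One way to lie consistently without memorizing anything is to derive each fake answer from a single master secret, so the same site and question always produce the same answer while different sites get unrelated ones. The block below is an added example, not something from the original post or any product; it assumes the user keeps one strong master secret (say, in a password manager) and that the site accepts lowercase words separated by spaces. The word list is a constructed sample.

```python
"""Consistent fabricated security-question answers, derived rather than
remembered. Added example; assumes one strong master secret per user.

HMAC-SHA256(master, site || question) picks words from a list. Same
inputs give the same answer every time (the lie stays consistent), and
an answer leaked from one site reveals nothing about another site's.
"""
import hashlib
import hmac
import math
from typing import List

# Constructed sample word list; a real list would hold a few thousand words.
WORDS: List[str] = [
    "charlie", "teal", "nine", "anvil", "harbor", "quartz", "lantern", "velvet",
    "cobalt", "meadow", "pepper", "saddle", "ember", "tundra", "falcon", "marble",
]


def _label(site: str, question: str) -> bytes:
    """Canonical form of the (site, question) pair so spacing and case do not
    change the derived answer."""
    return f"{site.strip().lower()}\n{' '.join(question.lower().split())}".encode("utf-8")


def fabricated_answer(master_secret: bytes, site: str, question: str, words: int = 3) -> str:
    """Derive a `words`-word answer. Each digest byte selects one word; the
    list length is 16 here, so a byte modulo 16 is uniform."""
    digest = hmac.new(master_secret, _label(site, question), hashlib.sha256).digest()
    picks = [WORDS[b % len(WORDS)] for b in digest[:words]]
    return " ".join(picks)


def answer_bits(words: int = 3) -> float:
    """Guessing entropy of a derived answer against someone who knows the
    word list but not the master secret: words * log2(len(WORDS))."""
    return words * math.log2(len(WORDS))


if __name__ == "__main__":
    # Constructed master secret; a real one would be long and random.
    master = b"example-master-secret-not-for-real-use"
    print(fabricated_answer(master, "shop.example", "What was your first car?"))
    print(fabricated_answer(master, "bank.example", "What was your first car?"))
    print(answer_bits())
```

Three words from a 16-word list give 12 bits, already double the 6 bits of a 64-color list, and a few-thousand-word list pushes that past 30 bits per answer. The trade-off is that the master secret is now the single thing to protect and back up: lose it and every derived answer is gone, so it belongs in the same place the passwords already live.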