This is a screenshot of a real security question from one of the large commercial banks. Besides the obvious, what bothers me is: why is this question considered secure? My dad's parents had nine children, you know, in the hope that some would survive. Unfortunately for me, most did! That means there are a lot of people, and their people, who know the answer to this question. And even if that weren't the case, how many reasonable guesses would it take?
Let's get out of fact-based security questions. It doesn't seem that hard to get out of fact-based anything these days, but for security questions it actually makes sense.
Recently, a LinkedIn colleague opined that the question "Who was the best man at your wedding?" might not have a single answer for a lot of people. My gripe with it has always been that "the best man" is not a universal custom. It is Anglophone at best, and even among those cultures the role goes by different names. So many people just make up a name and then can't remember it later.
Then, since it is Mother's Day, and speaking of non-universal customs, let's not forget the quintessential security question of them all: "What is your mother's maiden name?" It must have taken a special mind to come up with this one. That aside, it is another concept that exists only in common-law, English-speaking cultures. Marriage joins names in all kinds of ways, or not at all. Also, for many of us, the names, especially ancestral ones, are not easily pronounced on the Anglo tongue or spelt the same way twice in English. So, again: where the custom is established, many people know the answer, and where it is not, the answer is a made-up approximation.
So security questions are not an additional layer of security. They are simply keys that too many people hold, or temporary garbage that people forget. Worse, many of the stock answers (a maiden name, a first school, a pet's name) can be found in public records or on social media, so the "secret" guarding the password reset is often weaker than the password it resets.
So, to my fellow technologists: use another system, as we do with two-factor authentication, or get out of the Forgot Password business entirely by letting your users log in through established identity providers like Facebook, Google, LinkedIn and Twitter. One caveat: delegating login does not make account recovery disappear, it moves it to the provider, so your users are only as safe as the provider's own recovery process.
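To make the point concrete, here is an added example (not code from the original post or from any bank) that puts the two designs side by side: a reset gated by "mother's maiden name", which an attacker with a short list of likely surnames cracks in a handful of online guesses, and a reset gated by a random, single-use, expiring token sent over a second channel, which no relative or records search can supply. The candidate surname list, the user names and the answer "Brown" are constructed for the example; the class and function names are my own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, illustrative candidate list. An attacker who knows the
# target's family, community or public records can enumerate far better
# lists than this; the point is that the list is short either way.
LIKELY_SURNAMES = ["smith", "johnson", "williams", "brown", "jones",
                   "garcia", "miller", "davis", "rodriguez", "martinez"]


# --- The weak design: a fact-based security question --------------------

def normalize(answer: str) -> str:
    # Sites normalize answers so "O'Brien", "obrien" and " O Brien " all
    # match. That helps users who never spell the name the same way twice,
    # and it shrinks the attacker's search space at the same time.
    return "".join(ch for ch in answer.lower() if ch.isalnum())


@dataclass
class SecurityQuestionReset:
    """Password reset gated by 'What is your mother's maiden name?'."""
    answer_digest: bytes
    attempts: int = 0

    @classmethod
    def enroll(cls, answer: str) -> "SecurityQuestionReset":
        return cls(hashlib.sha256(normalize(answer).encode()).digest())

    def verify(self, guess: str) -> bool:
        # Hashed and compared in constant time, and still useless: the
        # secret itself has only a few bits of entropy and many holders.
        self.attempts += 1
        digest = hashlib.sha256(normalize(guess).encode()).digest()
        return hmac.compare_digest(digest, self.answer_digest)


def guesses_to_crack(reset: SecurityQuestionReset,
                     candidates: List[str]) -> Optional[int]:
    """Online guesses an attacker needs, or None if the list misses."""
    for i, candidate in enumerate(candidates, start=1):
        if reset.verify(candidate):
            return i
    return None


# --- The replacement: a random, single-use, expiring token ---------------

@dataclass
class ResetToken:
    digest: bytes
    expires_at: float
    used: bool = False


class TokenReset:
    """Reset that sends a one-time link out of band instead of asking a question."""
    TTL_SECONDS = 15 * 60

    def __init__(self) -> None:
        self._tokens: Dict[str, ResetToken] = {}

    def issue(self, user_id: str, now: float) -> str:
        # 32 random bytes from the OS CSPRNG: nobody knows it, and a new one
        # replaces any earlier outstanding token for this user.
        token = secrets.token_urlsafe(32)
        self._tokens[user_id] = ResetToken(self._digest(token),
                                           now + self.TTL_SECONDS)
        return token  # delivered by e-mail/SMS; only its hash is stored

    def redeem(self, user_id: str, presented: str, now: float) -> bool:
        record = self._tokens.get(user_id)
        if record is None or record.used or now > record.expires_at:
            return False
        if not hmac.compare_digest(self._digest(presented), record.digest):
            return False
        record.used = True  # single use: a replayed or leaked link is worthless
        return True

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()


if __name__ == "__main__":
    weak = SecurityQuestionReset.enroll(" Brown ")
    print("question cracked after", guesses_to_crack(weak, LIKELY_SURNAMES), "guesses")
    strong = TokenReset()
    link = strong.issue("alice", now=0.0)
    print("random guess accepted:", strong.redeem("alice", "not-the-token", now=1.0))
    print("real link accepted:", strong.redeem("alice", link, now=1.0))
    print("replay accepted:", strong.redeem("alice", link, now=2.0))
```

The token design still depends on the second channel (the mailbox or phone) being in the right hands, which is exactly the dependency a second factor or an identity provider is meant to carry; what it removes is the shared, guessable, forgettable secret.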
And before I go, Happy Mother's Day, Ms. Bharathi Thennanthoppe Venketraman (mom).