We already know that the age of passwords is coming to an end. For almost a decade now, companies have been working to replace or supplement this archaic form of authentication with better technologies: two-factor and multi-factor authentication and, of course, biometrics. However, passwords aren’t the only online security feature that needs to go. Security questions are becoming obsolete as well. It’s time to do away with the age-old question, “What’s your mother’s maiden name?”
We all know them: security questions that force us to recall obscure facts, such as the street we grew up on, the color of our first car, or our first pet’s name. Or worse, easily searched personal information: your mother’s maiden name, your father’s middle name, the year your grandfather was born. At first glance, these questions might seem like a good safeguard against an attacker acquiring or resetting your password, but when you break them down, they can actually make security worse.
Let’s take a look at the main threat that these (in)security questions pose: we forget the answers ourselves.
I, like many people, have numerous online accounts, and like a good, security-minded end user, I have different passwords for each of them. The downside is that it makes it harder (nearly impossible) for me to remember all of them, and which email address each is associated with. So I frequently encounter the dreaded security question when I get locked out of one of these accounts, such as my bank account, or need to reset it.
But then, I hit another brick wall. I knew my mother’s maiden name wasn’t exactly a hard-to-guess question when I set my security question, so instead, I picked “What’s your favorite teacher’s name?”
Which teacher did I pick? My favorite grade-school teacher, or my favorite college professor? Did I put in his full name, or just his last name? After three or so attempts I get further locked out, and now I have to directly contact my bank to get access to my email. The security sure works, but so much for convenience.
Of course, that’s just one example. Security questions can also be exploited by attackers with a bit of social engineering. Even when you call customer support, security questions are often posed as a form of two-factor authentication. Have you ever called your credit card company or bank and been asked to read off your address, or the last four digits of your Social Security number? Now, what would happen if you got a phone call reporting a security breach and were asked to confirm your identity the same way?
And what if that call came from a hacker, not your bank? As you provide more and more information, they steadily gain access to critical accounts in your name, and this goes far beyond banking. Health insurance, personal and professional email and more can all be compromised by just a few carefully asked questions.
Even if you set a different password for each and every online account, you probably reuse your security questions, thinking them less important for security. However, this is just as big a loophole as reusing the same password for multiple accounts: one leaked answer unlocks every account that asks the same question.
Time to Kill Passwords AND Security Questions
We often talk about how 2017 is the year to kill passwords, but we need to include flawed security questions in that equation as well. Want to learn more? Veridium’s executive team will be at RSA® Conference 2017, Marriott Early Stage Expo Booth #ESE – 35 in San Francisco, from February 13 – 17, ready to show off our biometric multi-factor authentication solutions and answer any questions you might have.
To discover how you can eliminate passwords and security questions from your information security framework and secure your employees, customers, and data for mere pennies a day, email us to set up a meeting at RSA® 2017.