Personal Knowledge Questions for Fallback Authentication
July 24, 2008 by Richard Conlan
http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf
Security questions aren’t always bad…though they often are. The bad news is that they are getting worse. A secret security question asks for a secret fact. A personal security question asks about something meaningful to the user that they are willing to share. Unfortunately, if users are willing to share this information in one context, they may well be willing to share the same information in another context.
The researchers and volunteers went through the forgotten password mechanism at 20 banks and wrote down the steps in the authentication process, including a list of all accessible security questions.
It turns out most of the big banks and credit card companies don’t rely on personal security questions alone. Many ask for SSN + account number + PIN. A few send e-mail messages. Security questions were much more common with brokerages and on-line banks.
Different sorts of security weaknesses:
- guessable
- automatically attackable
- human attackable
The security of personal security questions is based on assumptions about how hard the answers are to retrieve. But information retrieval is improving rapidly. Many answers can be found on, or deduced from, a subject’s publicly available social networking page(s). Many others can be found with a simple Google search, especially if the subject has a personal website.
Some suggestions to fix this: ask recognition-based questions rather than recall-based questions. It may be useful to embed media into the questions. Another approach is to try different styles of question; for example, the method detailed in Love and authentication asks the user to indicate Yes/No for whether they like each item in a list of topics, and the authenticating subject then has to match their initial answers.
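As an added illustration (not code from the post or from the paper it summarizes), here is a simplified like/dislike fallback scheme: preferences are recorded at enrollment, verification tolerates a few changed answers, and a binomial tail shows how that tolerance raises the chance that random guessing passes. The topic list, the threshold and the match-count scoring rule are assumptions for the example.

```python
import math
from typing import Dict, List

# Constructed topic list for the example; a deployment would use far more topics.
TOPICS = ["jazz", "hiking", "sushi", "opera", "camping", "chess", "golf", "poetry"]


def enroll(likes: List[str], dislikes: List[str]) -> Dict[str, bool]:
    """Record the user's stated preferences: True = like, False = dislike."""
    profile = {t: True for t in likes}
    profile.update({t: False for t in dislikes})
    unknown = set(profile) - set(TOPICS)
    if unknown:
        raise ValueError(f"unknown topics: {sorted(unknown)}")
    return profile


def authenticate(profile: Dict[str, bool], answers: Dict[str, bool], threshold: int) -> bool:
    """Accept when at least `threshold` enrolled topics are answered as enrolled.
    Allowing a few mismatches tolerates preferences drifting over time; the
    price of that tolerance is quantified by random_guess_success()."""
    if threshold > len(profile):
        raise ValueError("threshold exceeds number of enrolled topics")
    matches = sum(1 for t, liked in profile.items() if t in answers and answers[t] == liked)
    return matches >= threshold


def random_guess_success(n: int, threshold: int) -> float:
    """Probability that an attacker answering like/dislike uniformly at random
    matches at least `threshold` of `n` binary preferences (binomial tail, p = 1/2)."""
    return sum(math.comb(n, k) for k in range(threshold, n + 1)) / 2 ** n


if __name__ == "__main__":
    profile = enroll(["jazz", "hiking", "sushi", "chess"], ["opera", "camping", "golf", "poetry"])
    drifted = dict(profile)
    drifted["golf"] = True  # the user's taste changed on one topic
    print("exact answers pass:", authenticate(profile, profile, 7))
    print("one drifted answer passes:", authenticate(profile, drifted, 7))
    for n, k in [(8, 8), (8, 7), (16, 14)]:
        print(f"guess success with {n} topics, threshold {k}: {random_guess_success(n, k):.5f}")
```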