Tuesday, November 15, 2011

Implementation

In addition to stupid questions there can also, as my previous post shows, be failures in the implementation rather than in the questions themselves. Having a single security question be the only thing protecting your account from a password reset is relatively high-risk. Using it too often makes it no better than a password that's annoying to type and easy to guess.

In addition to the list of attributes of a good security question, I am interested in compiling a list of best practices for implementing security questions. I'll be putting ideas for this out in some of the next few posts, but my first, and perhaps most important, suggestion is: don't make security questions the only thing standing between the attacker and full account compromise. Other bits of biographical information, like date of birth, should count as security questions for the purpose of this rule.

My suggestion would be to require the security question and either access to an email account (send a confirmation email with a password reset link) or some kind of physical token, e.g. a cell phone that can receive text messages. One of those things might change (a new phone number, closing an old email account), but both at once is much less likely. In this case a security question actually adds security (compared to using a confirmation email/text alone), because it prevents somebody who has compromised one of your email accounts (or your phone) from also compromising this account. That assumes, of course, that the question is private and unpredictable and that the answer can't be found by searching through your email.
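To make the rule concrete, here is an added example (my own illustration for this post, not code from any particular site) of a password-reset service that refuses to proceed unless both factors are present: a fresh, single-use token delivered over the pre-registered channel, and a correct security-question answer. The account fields, the 15-minute token lifetime and the five-attempt limit are assumptions chosen for the example; the `send` hook stands in for whatever actually delivers the email or text.

```python
"""Two-factor password reset: out-of-band token AND security-question answer.

Added example for this post. A reset succeeds only when the caller holds
(a) an unexpired, single-use token that was sent over the user's registered
channel (e-mail or SMS) and (b) the correct security-question answer.
Neither factor alone is sufficient. Field names and limits are assumptions.
"""
import hashlib
import hmac
import secrets
import time
import unicodedata

TOKEN_TTL_SECONDS = 15 * 60     # assumed lifetime of a reset token
MAX_ANSWER_ATTEMPTS = 5         # assumed guess budget for the (guessable) answer
KDF_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise so 'Smith ', 'smith' and 'SMITH' compare equal.
    The same function is applied at enrolment and at verification."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted, slow hash. Answers are low-entropy, so never store them in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, KDF_ITERATIONS)


class Account:
    def __init__(self, email: str, question: str, answer: str):
        self.email = email                      # the pre-registered channel
        self.question = question
        self.answer_salt = secrets.token_bytes(16)
        self.answer_hash = hash_secret(normalize_answer(answer), self.answer_salt)
        self.failed_answers = 0                 # persists across reset requests
        self.password_salt = None
        self.password_hash = None
        self.reset_token_hash = None            # hash of the token, never the token itself
        self.reset_token_expires = 0.0


class ResetService:
    def __init__(self, send):
        # send(address, message): out-of-band delivery hook (e-mail or SMS gateway).
        self.send = send

    def begin_reset(self, acct: Account, now=None) -> None:
        """Factor 1: mint a random token and push it over the registered channel."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_token_expires = now + TOKEN_TTL_SECONDS
        # Deliberately do NOT reset failed_answers here, or an attacker who holds
        # the channel could get a fresh guess budget just by requesting a new token.
        self.send(acct.email, f"Your reset code: {token}")

    def complete_reset(self, acct: Account, token: str, answer: str,
                       new_password: str, now=None) -> bool:
        """Succeeds only if BOTH the channel token and the answer check out.
        Returns a bare True/False so the caller cannot tell which factor failed."""
        now = time.time() if now is None else now
        # Factor 1: possession of the channel. Checked first, so someone who has
        # only researched the answer never gets to test it.
        if acct.reset_token_hash is None or now > acct.reset_token_expires:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        # Factor 2: knowledge of the answer, rate-limited because it is guessable.
        if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
            acct.reset_token_hash = None        # burn the token; the lockout persists
            return False
        candidate = hash_secret(normalize_answer(answer), acct.answer_salt)
        if not hmac.compare_digest(candidate, acct.answer_hash):
            acct.failed_answers += 1
            return False
        # Both factors passed: set the new password and spend the token.
        acct.password_salt = secrets.token_bytes(16)
        acct.password_hash = hash_secret(new_password, acct.password_salt)
        acct.reset_token_hash = None            # single use
        acct.failed_answers = 0
        return True
```

The ordering of the checks is the point: the token is verified before the answer is even looked at, so the guessable factor can only be exercised by someone who already controls the user's email or phone, and even then only a handful of times before the token is burned. A real deployment would add a time-based release of the lockout and use a purpose-built password hasher, but the two-factor structure is what the rule above calls for.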

The fundamental requirement of password reset, and therefore the purpose of most security questions, is to authenticate a user in the absence of their normal authentication method (their password). Security questions do this by essentially asking the user for a second password, one that's easier to remember but also easier to guess or research. The confirmation email/text uses a different method: it relies on a preexisting private channel of communication with the user. This is more secure than security questions, but it means that even if you follow the best practice of having a different password for each account (which almost nobody does), a compromise of one account can still spread to others. Adding a security question to that process keeps your account safer than relying on either factor alone; a security question by itself opens up your account to anybody who can figure out your mother's maiden name.