Secret questions and two factor authentication

You’ve seen them. They’re cropping up all over the place now, and not just for online banking. I’m talking about those so-called “secret questions” that are supposed to authenticate you if you ever forget your password. They are (sort of) based on the principle of two factor authentication, except that the answer to a question is just another thing you know, so they add no second factor at all. In practice they make the system less secure, not more.

The idea behind two factor authentication is just what it says: authenticating someone based on two factors rather than just one (a password). The key requirement is that the two factors be different kinds of thing, e.g.

  • something you know (a password or PIN)
  • something you have (a credit card or RSA fob)
  • something you are (a fingerprint or retinal scan)

Part of the security lies in the fact that it is not easy to replicate something you have or are, unlike something you know. A password file (or the hashes in it) can be copied and attacked offline at leisure. The ever-changing one-time codes from an RSA SecurID fob cannot: each code is only valid for a minute or so, so a captured one is worthless by the time anyone could reuse it. Don’t get me started on how every online merchant now requires the 3-digit credit card “security code” for online transactions. It only works as proof that you hold the card because the card schemes forbid merchants from storing it; if they ever start, its whole purpose is negated.

Anyway, secret questions. Stop and think about it for a minute. If you use a strong password, even the most esoteric “secret question” answer is far weaker than it: the pool of plausible answers is tiny (a few thousand surnames, pet names or town names), the answer is usually not secret at all, and it never changes. Do you really want someone to be able to call up your bank and say “Oh, hello, this is… Yeah, I forgot my password. My mother’s maiden name is…” ? Whether it be your mother’s maiden name, the name of your first pet, the town where you went to high school, or something else, it is certainly a lot easier for someone to find out (or guess) than a well-chosen password, and unlike a password it cannot be reset once it has leaked.

Whenever a website asks me for a “secret question” answer, I mash my hands on the keyboard at random until I have 10-12 characters of nonsense, and enter that. Neither I nor anyone else will reasonably be able to recover my answer. So if I ever forget my password(s), I may have a harder time authenticating myself to the person on the other end of the phone, but at least my account will be secure.
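To make the two points above concrete (a stolen answer database can be attacked offline, and real answers come from a tiny pool), here is an added example that is not part of the original post. It hashes secret-question answers the way a site plausibly might, runs an offline dictionary attack with the stolen salt and hash, and shows that a random answer generated with the `secrets` module survives where a real pet name does not. The list of pet names, the salt length and the iteration count are constructed for the demo and are assumptions, not anything the post describes.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata
from typing import List, Optional, Tuple

# Constructed list of common "first pet" answers for the demo. A real attacker
# would use public name lists that are orders of magnitude larger, but the
# point stands: a few thousand candidates is nothing to an offline attack.
COMMON_PET_NAMES = [
    "max", "bella", "charlie", "lucy", "molly", "buddy", "daisy", "rocky",
    "fluffy", "tiger", "smokey", "oreo", "princess", "shadow", "coco", "rex",
]

SALT_LEN = 16          # assumed
KDF_ITERATIONS = 10_000  # assumed; kept low so the demo runs quickly


def normalise(answer: str) -> str:
    """Canonicalise an answer so 'Fluffy ' matches 'fluffy'.

    A site has to do this or nobody could ever answer their own question, but
    the same canonicalisation shrinks the search space for the attacker.
    """
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.strip().lower().split())


def store_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash) as a site might store a secret-question answer."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, KDF_ITERATIONS
    )
    return salt, digest


def dictionary_attack(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[str]:
    """Offline attack: rehash every candidate with the stolen salt and compare.

    Returns the recovered answer, or None if no candidate matched.
    """
    for candidate in wordlist:
        _, attempt = store_answer(candidate, salt)
        if hmac.compare_digest(attempt, digest):
            return candidate
    return None


def random_answer(nbytes: int = 12) -> str:
    """A CSPRNG-generated answer: 12 random bytes as 16 URL-safe base64 chars."""
    return secrets.token_urlsafe(nbytes)


def guess_bits_wordlist(wordlist_size: int) -> float:
    """Work for an attacker who knows the answer is in a list of this size."""
    return math.log2(wordlist_size)


def guess_bits_random(length: int, alphabet_size: int = 64) -> float:
    """Work for an attacker facing a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The honest answer falls to the dictionary immediately.
    salt, digest = store_answer("Fluffy ")
    print("honest answer recovered:", dictionary_attack(salt, digest, COMMON_PET_NAMES))

    # The random answer does not appear in any wordlist.
    rnd = random_answer()
    salt2, digest2 = store_answer(rnd)
    print("random answer recovered:", dictionary_attack(salt2, digest2, COMMON_PET_NAMES))

    print("bits of work, wordlist answer:", guess_bits_wordlist(len(COMMON_PET_NAMES)))
    print("bits of work, random answer:  ", guess_bits_random(len(rnd)))
```

Using `secrets.token_urlsafe` rather than mashing the keyboard matters: keystrokes from a human are far from uniformly distributed (clustered around the home row, repeated characters), whereas the CSPRNG output gives the full 96 bits the length suggests. Store the generated answer in a password manager, since the point is that nobody, yourself included, can derive it.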

Recently, I was almost caught out by this – not that I would change my behaviour and give up security if I were – but I was surprised to actually be asked this secret question as part of the login procedure for one of my credit cards! Of course, I couldn’t answer it. But I was able to give them the 3-digit card security code as an alternative. This was as well as the password, not instead of, so my security was intact in that case.
