7 ways to strengthen security questions
(Last updated on June 30, 2020)
Security questions have been around almost as long as the Internet and passwords. They are inherently weak and recently both Gartner and the National Institute for Standards and Technology (NIST) have drawn a hard line in the sand concerning them.
Gartner declared that self-service password reset solutions need to support additional forms of authentication beyond security questions in their Future Proofing Your Password Management Solutions report. While NIST declared that security questions should not ask users for specific information such as “What is the name of your pet” in the Digital Authentication Guideline publication SP-800-63B (section 188.8.131.52).
Yet they are a widely adopted form of authentication and most likely will persist although we all know better. So, if you are currently using security questions to verify user’s identities before allowing an account unlock or password reset, the following recommendations can guide you to implementing the most secure and usable set.
- Do not let users create their own questions. End users do not make the best decisions and will most pick questions with easily guessable or researchable answers.
- Do not use questions that are easily socially engineered. Recall Sarah Palin and her Yahoo email hack due to social engineering of her security questions. Stay away from easily researched questions such as: what’s your first pet’s name, what’s your nickname or what’s your favorite…anything.
- Do not enable case sensitive answers. This is so very annoying for end-users. It doesn’t bring additional security value so why do it.
- Do enforce answer character length. If you don’t, users will put in easy-to-remember answers that do not mean anything. This will ensure that answers are not things 1111.
- Use questions that can have many different possible answers. The more possible answers – the harder to crack. Questions such as what is your favorite color, only has a few possible answer choices requiring minimal effort to figure out.
- Use questions where answers won’t change over time. This allows for consistency and users are not as likely to forget. Getting people to answer their security questions correctly helps deflect the all too pesky “can you reset my password” call to the helpdesk.
- Use questions that use information that you have about the user. This is in the same spirit as the recommendation above but can lend itself to auto-enroll users. For example if you store employee or student ID in Active Directory using a question like “What is your employee ID number?” can take advantage of this bit of information to auto-enroll your users into your password reset solution. But of course if the ID number is printed on the ID badge or is easily searchable, do not use it.
Choosing a good set of security questions is not easy. There are not many options that satisfy these requirements. The best course of action is to re-evaluate your authentication strategy with a password reset solution that works with additional authentication methods. Our password reset solution not only supports multi-factor authentication, but also integrates with our unique service desk tool that can be used by agents to securely verify users, without security questions.
Contact us to learn more about how you can eliminate security questions from self-service password resets, or the service desk.