7 ways to strengthen security questions
Security questions have been around almost as long as the Internet and passwords. They are inherently weak, and recently both Gartner and the National Institute of Standards and Technology (NIST) have drawn a hard line in the sand concerning them.
Gartner declared in its Future Proofing Your Password Management Solutions report that self-service password reset solutions need to support additional forms of authentication beyond security questions, while NIST, in its Digital Authentication Guideline publication SP 800-63B (section 18.104.22.168), declared that security questions should not ask users for specific information such as “What is the name of your pet?”.
Yet they are a widely adopted form of authentication and will most likely persist, although we all know better. So, if you are currently using security questions to verify users’ identities before allowing an account unlock or password reset, the following recommendations can guide you to implementing the most secure and usable set.
- Do not let users create their own questions. End users do not make the best decisions and will mostly pick questions with easily guessable or researchable answers.
- Do not use questions that are easily socially engineered. Recall Sarah Palin and her Yahoo email hack due to social engineering of her security questions. Stay away from easily researched questions such as: what’s your first pet’s name, what’s your nickname, or what’s your favorite…anything.
- Do not enable case-sensitive answers. This is very annoying for end users. It doesn’t bring additional security value, so why do it?
- Do enforce a minimum answer character length. If you don’t, users will put in easy-to-remember answers that do not mean anything. This ensures that answers are not things like “1111”.
- Use questions that can have many different possible answers. The more possible answers, the harder to crack. A question such as “What is your favorite color?” has only a few possible answers, requiring minimal effort to figure out.
- Use questions where answers won’t change over time. This allows for consistency, and users are not as likely to forget. Getting people to answer their security questions correctly helps deflect the all-too-pesky “can you reset my password” call to the helpdesk.
- Use questions that use information that you already have about the user. This is in the same spirit as the recommendation above but can lend itself to auto-enrolling users. For example, if you store employee or student ID in Active Directory, a question like “What is your employee ID number?” can take advantage of this bit of information to auto-enroll your users into your password reset solution. But of course, if the ID number is printed on the ID badge or is easily searchable, do not use it.
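As an added illustration of how a reset solution can enforce the recommendations above (a curated question list, a minimum answer length, case-insensitive matching and rejection of filler answers), here is example code that is not part of the original post or of any vendor product; the question list, the `MIN_ANSWER_LEN` value and the PBKDF2 storage of answers are assumptions.

```python
import hashlib
import hmac
import os
import re

# Curated question set: users pick from this list and never write their own.
# Chosen to have many possible, stable answers (assumed, not a vendor list).
APPROVED_QUESTIONS = {
    "q1": "What was the street name of the house you grew up in?",
    "q2": "What is your employee ID number?",  # only if it is not on the badge
}
MIN_ANSWER_LEN = 4  # assumed policy value; tune to your own requirements
PBKDF2_ROUNDS = 200_000  # assumed work factor


def normalize(answer: str) -> str:
    """Case-insensitive comparison: casefold and drop spaces and punctuation."""
    return re.sub(r"[^0-9a-z]", "", answer.casefold())


def validate_enrollment(question_id: str, answer: str) -> list[str]:
    """Return policy violations; an empty list means the enrollment is acceptable."""
    problems = []
    if question_id not in APPROVED_QUESTIONS:
        problems.append("question must come from the approved list")
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        problems.append(f"answer must contain at least {MIN_ANSWER_LEN} letters or digits")
    # Filler answers such as "1111" or "aaaa" are a single repeated character.
    if norm and len(set(norm)) == 1:
        problems.append("answer is a single repeated character")
    return problems


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash of the normalized answer, as for a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(stored: tuple[bytes, bytes], attempt: str) -> bool:
    """Constant-time check; 'Main Street', 'main street' and 'MAINSTREET' all match."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```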
Choosing a good set of security questions is not easy, and there are not many options that satisfy these requirements. The best course of action is to re-evaluate your authentication strategy with a password reset solution that works with additional authentication methods. Our password reset solution not only supports multi-factor authentication, but also integrates with our unique service desk tool that agents can use to securely verify users without security questions.
Contact us to learn more about how you can eliminate security questions from self-service password resets, or the service desk.
(Last updated on June 30, 2020)