Security questions – a flawed model
(Last updated on February 6, 2020)
It is ingrained in our minds that we should create secure passwords. Most of the time we try to create strong passwords that guard our information against attackers, but there is a security hole we often overlook: security questions.
For a long time, security questions have been a way to verify user identities when they forget their passwords. When setting up password reset for various systems, users are presented with a list of suggested security questions such as “What’s your first pet’s name?” or “Where did you go to high school?” Users can recall the answers easily because they are so memorable. The bad news is that they are also easy for attackers to find, because they are public knowledge.
In September 2014, news broke that hackers gained unauthorized access to the iCloud accounts of several celebrities and leaked numerous private photos to the public. The hackers were able to gain entry by guessing usernames, passwords and security questions – the answers to which can often be found online.
Not every attack will succeed just because attackers know the answers to your security questions. But if you continue to guard your account using only security questions, you are leaving your data security to chance. So what can be done to provide added security? Multi-factor authentication is the answer. It adds another layer of security by combining two or more of these factors: something you know (username and password), something you have (hardware), and something you are (biometrics). In the most common setup, users enter their password and then a code sent to their phone before they get access to their account.
To test the security level multi-factor authentication provides, Christopher Mims at The Wall Street Journal exposed his Twitter password to the public and challenged people to hack into his Twitter account. After endless attempts from strangers, his account withstood the assault because nobody was able to obtain the second piece of the puzzle – his cellphone.
Multi-factor authentication can significantly increase account security because each factor is independent, so compromising one does not compromise the others. Specops uReset supports multi-factor authentication. The new features will enable users to verify their identities with a variety of identity services, in addition to the more widely used security questions and mobile verification codes.