Jack Santos

A member of the Gartner Blog Network

Research VP
5 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner. He is part of the Gartner for Technical Professionals product and focuses on professional effectiveness for IT practitioners. Mr. Santos covers organizational development, leadership and management practices, governance, and innovation and collaboration approaches.

The Travesty of Security Questions

by Jack Santos  |  May 20, 2013  |  Comments Off

It used to be a good idea.  Ask something that was immediately obvious and only knowable by YOU or a very few people – and make it the last line of defense for a password reset or some other high-security function.  Mother’s maiden name.  City you were married in.  Make and model of your car.

Until, like everything, it gets carried to an extreme.  Take, for instance, the Apple ID reset process.  Let’s look at these security questions…

[Screenshots of the Apple ID security questions]

I suppose the standard response would be (if the answer is not readily available) MAKE SOMETHING UP and remember it!  But wasn’t the purpose of these security questions NOT to have to remember ONE MORE THING?  Heck, if I could do that I wouldn’t have forgotten my password in the first place!

…and then there was the concept of REUSE.  Use a question that asks for personal information but is fairly standard across websites (mother’s maiden name, for example).  That, of course, leaves one open to the possibility that a breach at one site is a breach of all of them.
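To make the reuse problem concrete, here is an added Python illustration (not code from the original post) contrasting a site that stores a security-question answer in plaintext with one that stores a per-site salted, slow hash of the normalized answer, plus a simple common-answer check a defender might run at enrollment. The function names (`normalize_answer`, `enroll`, `verify`, `reuse_scenario`), the sample answers and the tiny `COMMON_ANSWERS` list are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Constructed common-answer list for the example; a real deployment would use a far larger one.
COMMON_ANSWERS = {"smith", "johnson", "williams", "brown", "jones", "toyota", "honda", "ford"}


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial variants ("Smith", " smith.", "SMITH") compare equal."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[\W_]+", "", folded)  # drop whitespace and punctuation


def is_weak_answer(answer: str) -> bool:
    """Defender-side check: flag answers that are very short or on the common-answer list."""
    canon = normalize_answer(answer)
    return len(canon) < 4 or canon in COMMON_ANSWERS


def enroll(answer: str, iterations: int = 100_000) -> dict:
    """Store a per-site salted PBKDF2 hash of the normalized answer instead of the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for an attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def hashes_differ_across_sites(answer: str) -> bool:
    """Per-site salts keep two sites' records for the same answer from being matched up."""
    site_a, site_b = enroll(answer), enroll(answer)
    return site_a["hash"] != site_b["hash"]


def reuse_scenario() -> dict:
    """Constructed scenario: the same maiden name enrolled at two sites.

    Site A keeps the plaintext (the weak setting); site B keeps a salted hash (the corrected
    setting). If A is breached, the disclosed answer still authenticates at B, because B cannot
    tell a leaked answer from a remembered one. Hashing limits what B itself leaks; it does not
    fix the cross-site reuse problem or make a common answer hard to guess.
    """
    answer = "Smith"  # constructed sample answer
    site_a = {"mother_maiden_name": answer}  # plaintext storage at site A
    site_b = enroll(answer)  # salted hash at site B
    leaked = site_a["mother_maiden_name"]  # what a breach of A discloses
    return {
        "leaked_answer_works_at_b": verify(site_b, leaked),
        "answer_flagged_weak": is_weak_answer(answer),
    }


if __name__ == "__main__":
    print(reuse_scenario())
```

The takeaway matches the post: even a site that does everything right with storage is only as strong as the weakest site the same answer was reused at, and a maiden name or car make is drawn from a small, guessable pool no matter how it is hashed.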

This we at Gartner would classify as a wicked hard problem of identity and authorization.   And there is no answer yet (two-factor authentication aside).  The Achilles heel of virtuality.


These first job questions – do you mean my news route, part-time job after high school, full-time job after college? The first one that actually paid me? Or paid me a salary?

That first album I purchased?  duh, maybe it was Jimi’s “Live at the Fillmore East”, which explains why I can’t remember a dang thing….

We’ll talk about wicked hard problems like that, and more, at this year’s Catalyst Conference in San Diego.


Category: IAM security