The Travesty of Security Questions
by Jack Santos | May 20, 2013
It used to be a good idea. Ask something that was immediately obvious and only knowable by YOU or a very few people – and make it the last line of defense for a password reset or some other high-security function. Mother’s maiden name. City you were married in. Make and model of your car.
Until, like everything, it gets carried to an extreme. Like, for instance, the Apple ID reset process. Let’s look at these security questions…
I suppose the standard response would be (if the answer is not readily available) MAKE SOMETHING UP and remember it! But wasn’t the purpose of these security questions NOT to have to remember ONE MORE THING? Heck, if that were the case I wouldn’t have forgotten my password in the first place!
…and then there was the concept of REUSE. Use a question that is personal information, but whose use is fairly standard across websites (mother’s maiden name, for example). But that, of course, leaves one open to the possibility that a breach at one site is a breach of all of them.
This we at Gartner would classify as a wicked hard problem of identity and authorization. And there is no answer yet (two-factor authentication aside). The Achilles’ heel of virtuality.
These first job questions – do you mean my news route, part-time job after high school, full-time job after college? The first one that actually paid me? Or paid me a salary?
That first album I purchased? Duh, maybe it was Jimi’s “Live at the Fillmore East”, which explains why I can’t remember a dang thing…
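On the reuse point above: the one thing a site can do about “a breach at one site is a breach of all of them” is to treat the answer like a password, never storing it in the clear. The following is an added example (not code from the post or from Gartner) that normalizes an answer before hashing, so “Fillmore  East!” and “fillmore east” still match, and salts each record independently so stolen digests from one site are useless for matching against another. The PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256, 16-byte random
# salt per record, 200k iterations. Low-entropy answers (a maiden name, a car
# model) are still guessable offline; hashing only slows that down and keeps
# the plaintext, which the user reused elsewhere, out of the breach dump.
ITERATIONS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize case, accents, punctuation and whitespace.

    This removes trivial mismatches ("O'Brien " vs "obrien"); it cannot fix
    genuinely ambiguous questions such as "first job".
    """
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(ch for ch in s if ch.isalnum() or ch.isspace())
    return " ".join(s.casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed sample: the same answer enrolled at two different sites.
    salt_a, digest_a = hash_answer("Live at the Fillmore East")
    salt_b, digest_b = hash_answer("Live at the Fillmore East")
    print("user typo still verifies:", verify_answer("live at the fillmore  east!", salt_a, digest_a))
    print("digests differ across sites:", digest_a != digest_b)
```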
We’ll talk about wicked hard problems like that, and more, at this year’s Catalyst Conference in San Diego.