best practice for security questions

19 Dec 2008 - 4:41am
3 years ago
11 replies
7841 reads
Sam Menter
2008

Hi there

Can anyone point me in the direction of sample security questions that could
be used to verify a user's identity if they don't have an email address and
have forgotten a password? EG Mother's maiden name, first school etc etc.

I think best practice would be to let users set the question themselves,
but in this case we need to offer a set of questions for the user to choose
from.

Thanks for the tips,
Sam
www.pixelthread.co.uk

Comments

21 Dec 2008 - 2:04pm
James Page
2008

Sam,
We have just done a study for a bank on this issue.

The issue of security questions is hard. We have had the security team of a
bank reject the idea of letting users select their own security questions
because the users could make the question too simple.

But from user testing we have found a significant number
of participants reject virtually every question that we can think of.

Is there another way to verify somebody?

James

http://blog.feralabs.com

2008/12/19 Sam Menter <sam at pixelthread.co.uk>

> Hi there
>
> Can anyone point me in the direction of sample security questions that
> could
> be used to verify a user's identity if they don't have an email address and
> have forgotten a password? EG Mother's maiden name, first school etc etc.
>
> I think best practice would be to let users set the question themselves,
> but in this case we need to offer a set of questions for the user to choose
> from.
>
> Thanks for the tips,
> Sam
> www.pixelthread.co.uk

22 Dec 2008 - 12:44am
DampeS8N
2008

We could always stop burdening our users with keeping our systems
secure for us. What is wrong with this combo:

*4-digit PIN, same as for the ATM.
*First and last name.

Isolate attacks intelligently. If the user attempts to log in more
than 5-10 times and fails, allow the user 1 new attempt each hour up
to that number again. If they miss it for 3 hours in a row, or 3 full
shots through, require them to call or come in to reactivate. Give
them the option to call or come in when they get locked out, because
they might have forgotten their PIN.

Give this message and act the same regardless of whether or not a
user with that first and last name exists.

Then stage the system. On normal log in, the user can do basic,
'safe' actions. Such as check balances and so on, perhaps transfer
money from one account to another they hold. Say from checking to
savings.

If they want to do something that could really ruin them, such as
transferring money into a joint account, or to some completely other
account, it would require another step.

This is where you ask for security questions to be answered, and it
is now acceptable to bother someone with it. Make the questions a mix
of things. And require most, but not all, to be correct to continue.

Here is a good list and how to store it:

*What is your mother's maiden name
*What is your phone number
*What is your address
*What is your father's first name
*What school did you go to
*What is your favorite color
*What is your favorite food
*What is your mother's first name
*Type something you'll remember, like a password

In this case, there are 9 questions. When the account is set up, these
should be answered, and alternatives could be given at the same time
for many, and it is not case sensitive.

If when entering, the user gets more than 5 of them correct, add the
ones that were wrong to the lists and let them in.

If they get all of the ones that were not likely to change correct,
but not 6 correct, ask them to try again because they didn't get
enough right to enter. Give them a number of tries like for entering
the site in the first place.

In the event that they moved recently, and their father changed his
first name, and otherwise they get 5 or fewer right and don't get all
the ones that should never change correct, lock those functions and
require them to call or come in to fix the problem.

Let them know that they don't need to remember all their answers to
get in, just most of them.

That should be safer than one security question, and yet, it should
be easier for a person to get past, since they don't have to
remember how they answered some arbitrary question. And it will get
better and better at letting them in as they answer the questions
with more and varied answers.

Can this system be hacked? Sure, but it will require the hacker to
know a lot about the person they are stealing from. And it WILL
happen, but it would happen in any other system.

It won't stop people from giving out their PIN or other info. So in
the end, keeping an eye out for odd behavior and calling the person
to make sure they REALLY mean to send their life savings to Nigeria
is going to be a great deal more secure than anything programmatic.

If I had just dropped 35,000 on a new car by check, I'd be upset if
my bank DIDN'T call me.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=36577
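The multi-answer verification William lays out above (9 questions, case-insensitive alternatives, at least 6 correct to enter, all of the never-changing ones correct for a retry, wrong answers learned as new alternatives on success), as an added example that is not code from the post. Question ids, SHA-256 with a per-user salt for storage, and a cap on learned alternatives are my assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from the post): these question ids, salted SHA-256 storage,
# and a bound on how many alternatives a question may accumulate.
STABLE = {"mother_maiden", "father_first", "mother_first"}  # should never change
REQUIRED_CORRECT = 6   # "more than 5 of them correct"
MAX_ALTERNATIVES = 5   # assumption: keep the accepted set from growing unbounded


def normalize(answer: str) -> str:
    # Not case sensitive; also collapse stray whitespace.
    return " ".join(answer.strip().lower().split())


def hash_answer(salt: bytes, answer: str) -> str:
    # Store hashes, not plaintext, so a leaked table does not expose the answers.
    return hashlib.sha256(salt + normalize(answer).encode()).hexdigest()


def enroll(answers: dict) -> dict:
    # answers: question id -> list of accepted alternatives given at account setup.
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "answers": {q: [hash_answer(salt, a) for a in alts]
                        for q, alts in answers.items()}}


def verify(record: dict, supplied: dict) -> str:
    # Returns "allow", "retry" or "locked", the post's three outcomes.
    salt = record["salt"]
    correct, wrong = set(), {}
    for q, stored in record["answers"].items():
        given = supplied.get(q, "")
        h = hash_answer(salt, given)
        if any(hmac.compare_digest(h, s) for s in stored):
            correct.add(q)
        else:
            wrong[q] = given
    if len(correct) >= REQUIRED_CORRECT:
        # Enough right: learn the wrong answers as alternatives, then let them in.
        for q, given in wrong.items():
            if normalize(given) and len(record["answers"][q]) < MAX_ALTERNATIVES:
                record["answers"][q].append(hash_answer(salt, given))
        return "allow"
    if STABLE <= correct:
        return "retry"   # stable answers all right but too few overall
    return "locked"      # escalate to a phone call or a visit
```

Because the accepted set widens every time a user gets in with some answers wrong, the retry counter for this step should be as strict as the one for the login page itself.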

22 Dec 2008 - 1:40pm
Cinnamon Melchor
2006

I try not to use "favorite" anything for security questions, since
what makes something a favorite changes over time -- and in a
keep-your-own-name kind of world, what is a 'maiden' name, anymore?

Do read Bruce Schneier's perspective on security questions, too
<http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html>.

$0.02,
Cinnamon

2008/12/22 William Brall <dampee at earthlink.net>:
...
> Here is a good list and how to store it:
>
> *What is your mother's maiden name
> *What is your phone number
> *What is your address
> *What is your father's first name
> *What school did you go to
> *What is your favorite color
> *What is your favorite food
> *What is your mother's first name
> *Type something you'll remember, like a password

22 Dec 2008 - 2:52pm
sylvania
2005

Secret questions invariably thwart me, maybe because they always ask for something that I can't remember, that changes, or that doesn't apply to me. Which phone number - my cell or land line? Address - did I set this up before or after I moved? I went to 11 different schools, my favourite colour and food change often, and my husband took my last name, so he's the one with the maiden name, not me... (Maybe I'm odd, but all of this is true.)
The only secret question that has ever done me any good is "Type your own secret question and answer."

Bruce Schneier's article makes a very good point, too, that this is just a less secure, backup password. I'm not versed in internet security, but it seems odd to me that my bank account protects my ATM access with a single 4-digit code, while Yahoo Groups went to incredible lengths to punish me and lock me out for having the audacity to forget my password.

*I'm sure this is a naive question,* but some major sites will simply send a reset link to the email on file when I forget my password (after making me verify that I'm a real human by copying text from a janky image)... what's wrong with that?

Cheers,
Sylvania

User Experience Designer

22 Dec 2008 - 5:34pm
Jean-Anne Fitzp...
2004

Setting up reasonable security questions is actually incredibly difficult,
because the answer has to be memorable and unambiguous, as well as
(hopefully) not "guessable". Like Sylvania, I am often thwarted by a set of
questions that either don't apply to me, or are ambiguous enough that I know
I won't be able to remember my exact answer -- exact same word, spelled the
same way, etc.

As this paper from last year's SOUPS conference pointed out, there is also
concern that many of the common questions relate to information that is now
readily available online:
http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf

Kind of funny aside: I work with a bunch of engineers who created one of
these systems, and their personal way of handling them is to answer *every*
question with the same nonsense string. What's your mother's maiden name?
Bob. Where did you go to high school? Bob. And so on. That way, at least you
won't get locked out because you forgot your answers. And you know, it might
be equally secure to sweating over trying to remember whether you entered
"Thomas Jefferson High School" or "T J High". (Of course, some systems now
prevent you from doing this, for your own good, of course.)

Cheers,

Jean-Anne

On Mon, Dec 22, 2008 at 11:52 AM, Dye, Sylvania <S.Dye at techsmith.com> wrote:

> Secret questions invariably thwart me, maybe because they always ask for
> something that I can't remember, that changes, or that doesn't apply to me.
> Which phone number - my cell or land line? Address - did I set this up
> before or after I moved? I went to 11 different schools, my favourite colour
> and food change often, and my husband took my last name, so he's the one
> with the maiden name, not me... (Maybe I'm odd, but all of this is true.)
> The only secret question that has ever done me any good is "Type your own
> secret question and answer."
>
> Bruce Schneier's article makes a very good point, too, that this is just a
> less secure, backup password. I'm not versed in internet security, but it
> seems odd to me that my bank account protects my ATM access with a single
> 4-digit code, while Yahoo Groups went to incredible lengths to punish me and
> lock me out for having the audacity to forget my password.
>
> *I'm sure this is a naive question,* but some major sites will simply send
> a reset link to the email on file when I forget my password (after making me
> verify that I'm a real human by copying text from a janky image)... what's
> wrong with that?
>
> Cheers,
> Sylvania
>
> User Experience Designer

22 Dec 2008 - 5:57pm
SemanticWill
2007

Check out Jared's blog post about some of the sticky wickets re: security
questions:
http://www.uie.com/brainsparks/2008/12/19/but-what-if/

~ will

"Where you innovate, how you innovate,
and what you innovate are design problems"

---------------------------------------------------------------------------------------------
Will Evans | User Experience Architect
tel: +1.617.281.1281 | will at semanticfoundry.com
aim: semanticwill
gtalk: semanticwill
twitter: semanticwill
skype: semanticwill
---------------------------------------------------------------------------------------------

On Mon, Dec 22, 2008 at 5:34 PM, J. A. Fitzpatrick <jafitz at gmail.com> wrote:

> Setting up reasonable security questions is actually incredibly difficult,
> because the answer has to be memorable and unambiguous, as well as
> (hopefully) not "guessable". Like Sylvania, I am often thwarted by a set of
> questions that either don't apply to me, or are ambiguous enough that I
> know
> I won't be able to remember my exact answer -- exact same word, spelled the
> same way, etc.
>
> As this paper from last year's SOUPS conference pointed out, there is also
> concern that many of the common questions relate to information that is now
> readily available online:
> http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf
>
> Kind of funny aside: I work with a bunch of engineers who created one of
> these systems, and their personal way of handling them is to answer *every*
> question with the same nonsense string. What's your mother's maiden name?
> Bob. Where did you go to high school? Bob. And so on. That way, at least
> you
> won't get locked out because you forgot your answers. And you know, it
> might
> be equally secure to sweating over trying to remember whether you entered
> "Thomas Jefferson High School" or "T J High". (Of course, some systems now
> prevent you from doing this, for your own good, of course.)
>
> Cheers,
>
> Jean-Anne
>
>

22 Dec 2008 - 9:59pm
Andrew Boyd
2008

On Fri, Dec 19, 2008 at 8:41 PM, Sam Menter <sam at pixelthread.co.uk> wrote:

> Hi there
>
> Can anyone point me in the direction of sample security questions that
> could
> be used to verify a user's identity if they don't have an email address and
> have forgotten a password? EG Mother's maiden name, first school etc etc.
>
> I think best practice would be to let users set the question themselves,
> but in this case we need to offer a set of questions for the user to choose
> from.
>
> Thanks for the tips,
> Sam
> <http://www.pixelthread.co.uk>

Sam,

I'm looking at this issue now myself - I'm part of a team that is designing
an online application system for an area of Government that has a lot of
clients from all over the world - and one of the Big Scary Things is
providing a set of questions that are meaningful and useful in different
cultural contexts. I know that other people have spoken over the years about
security questions being difficult to usefully internationalise - to
summarise, it is no use:
- asking someone their mother's maiden name if they have no concept of
either gender's name changing post-marriage,
- asking someone the name of their first school if they've never been to
school (and you don't want to make them feel bad about that),
- asking them their pet's name if they've never owned one, or
- asking them their favourite sport if they've never been allowed to play
one.

I'd have to support what others on this list have said about the answers
reflecting a single point in time - and that the answers (and ways/forms of
entering them) will change.

Overall, security questions smell a little to me like the
illusion-of-security-through-inconvenience that makes air travel such a joy
these days :)

Best regards, Andrew

--
---
Andrew Boyd
http://onblogging.com.au

23 Dec 2008 - 6:53am
Atul Thanvi
2008

I agree that security questions have always been a pain for the users,
but then what?

We need an alternative for this, or a need to approach it in the right
manner?

"William" also has a nice set of suggestions, but it's a more
personalized approach, and this can be good for a limited number of
users.

But again, if you have a large number of users, a secure & clever
automated system will be required to work for this purpose to help
your actual users without headache.

Please go through this:
http://healyourchurchwebsite.com/2008/09/18/5-things-we-can-learn-about-password-recovery-questions-from-sarah-palin/

Nice post about security questions and how easily they can become a
failure if not approached in the right direction.

I hope it helps.

Thanks,
Atul


21 Dec 2008 - 3:21pm
Jaanus Kase
2008

At http://cups.cs.cmu.edu/soups/2008/program.html, there was an
interesting paper on this: look for "Personal knowledge questions
for fallback authentication" on the page. It highlights many
problems with the security questions, but also offers some solutions.
It does not really contain a checklist of good questions, but it shows
examples of what definitely NOT to do. E.g. questions about spouses and
vacation homes are inapplicable to people who aren't married or
don't have a vacation home.


5 Jan 2009 - 4:30am
Petri at otto.d...
2009

If possible, I would avoid using permanent security questions. Some
banks use a login system where the user has a list of throw-away PIN
codes on paper and a permanent user code that has to be remembered. New
PIN codes are sent via normal mail well before they are all used.


9 Aug 2010 - 11:16am
Jeff Kraemer
2009

Just an update to this thread:

Meredith Noble has recently done a great roundup of the usability and security issues related to the design of personal security questions, and some useful tips on doing them well:

http://www.usabilitymatters.com/2010/03/15/the-design-of-personal-security-questions
