Why Security Questions Are Bad

When it comes to security, using only a password to protect your personal or financial information is no longer enough. Many critical services like banks, wireless providers, and cable companies add another layer to that security by posing a security question to validate that the person logging into an account is really that person. As an example, some of these questions can include:

  • In what city did you meet your spouse/significant other?
  • In what city does your nearest sibling live?
  • What was your high school mascot?

But here’s the thing: this practice is not as secure as it seems. Many of these predefined questions can be either guessed or outright discovered with a little bit of information gathering on social media.

The point of adding a security question to the login is to provide multiple factors of authentication, or in this case two-factor authentication. The factors used to identify you are:

  • What you know
  • What you have
  • Who you are

However, for authentication to count as multi-factor, each validation has to fall into a different category. The problem with services using a password and a security question lies in the fact that both validations are a knowledge check (what you know). So in reality, all services that tout high security practices and proudly offer two-factor authentication, with the inclusion of a security question, are flat out wrong. This is especially critical moving forward as more people have most of their lives documented online. From “What was your childhood nickname?”, answered by your Twitter handle, to “In what city or town was your first job?”, answered by the photo of your first high school paystub posted to Facebook (even then, it was probably the same city/town you grew up in).

But don’t worry, there are better alternatives to security questions. Other forms of two-factor authentication are more secure: for example, a one-time code sent to a user’s phone number or email address, or a physical token like a security key. These methods provide an additional layer of security that cannot be guessed or discovered through social media.

It’s also important to note how guessable security questions are. An attacker could use public records or social media to figure out an individual’s mother’s maiden name or the name of their high school. This could lead to serious consequences if a user’s account is compromised because of weak authentication methods: they could lose access to sensitive personal or financial information.

And lastly, the future of authentication is important to consider. As people continue to share more information online, the challenges of authentication will evolve. It’s crucial for services to stay ahead of these challenges and to constantly improve their security practices.

So, don’t trust your personal or financial information to just a password and a security question. Look for services that offer multi-factor authentication and stay informed about the latest security practices.

Jack Wozny
BS, CISSP, CCSP, SSCP

As a computer engineer, I have a decade of expertise in securing various networks and systems. I have led and delivered several security projects, ensuring their compliance, availability, and security.
