Why Security Questions Are Bad

Protecting personal or financial information with nothing but a password is weak. Many critical services such as banks, wireless providers, and cable companies try to add another layer by posing a security question to validate that the person logging into an account is really the account holder. Some of these questions include:

  • In what city did you meet your spouse/significant other?
  • In what city does your nearest sibling live?
  • What was your high school mascot?

This practice makes matters worse rather than better, because many of these predefined questions can either be guessed or be discovered outright with a little information gathering on social media.

The stated point of adding a security question to the login is to provide multiple factors of authentication, in this case two-factor authentication. The factors that can identify you are:

  • What you know
  • What you have
  • Who you are

However, for an authentication scheme to count as multi-factor, each validation has to fall into a different category. The problem with a password plus a security question is that both validations are knowledge checks (what you know). So every service that touts high security practices and proudly offers "two-factor authentication" consisting of a password and a security question is flat out wrong: that is single-factor authentication with two knowledge checks, and the second check is the weaker of the two. This matters more and more as people document most of their lives online. "What was your childhood nickname?" may be answered by your Twitter handle, and "In what city or town was your first job?" by the photo of your first paystub from high school posted to Facebook (and even without that, it was probably the same city or town you grew up in).
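As an added example (not code from the original post), the following Python models the factor categories above and makes the argument concrete: a login built from a password and a security question never leaves the "what you know" category, while a password plus a time-based one-time code (TOTP per RFC 6238, something you have) does span two categories. The check names, the factor mapping and the demo secret are constructed for this illustration; the secret is the RFC 4226/6238 test key, so the code it produces at t=59 is the published test vector 287082.

```python
"""Factor categorisation plus a possession-factor (TOTP) check.

Added example, not from the original post. The check names, the
factor mapping and the demo secret are constructed for illustration.
"""
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Hypothetical check names and the factor category each one belongs to.
CHECK_FACTORS = {
    "password": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,  # still knowledge, often discoverable
    "totp": Factor.POSSESSION,              # code from a device the user holds
    "fingerprint": Factor.INHERENCE,
}


def factor_categories(checks):
    """Return the set of distinct factor categories the checks cover."""
    unknown = set(checks) - CHECK_FACTORS.keys()
    if unknown:
        raise ValueError(f"unknown authentication checks: {sorted(unknown)}")
    return {CHECK_FACTORS[c] for c in checks}


def is_multi_factor(checks):
    """True only if the checks span at least two *different* categories.

    Two checks from the same category (password + security question)
    are still single-factor, however many of them are stacked.
    """
    return len(factor_categories(checks)) >= 2


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30 s time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step plus `window` steps either side for clock drift.

    Each candidate is compared in constant time so a wrong guess leaks
    nothing through timing.
    """
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, len(code)), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Demo secret: the RFC 4226 / RFC 6238 test key, not a real credential.
    demo_secret = b"12345678901234567890"
    for flow in (["password", "security_question"], ["password", "totp"]):
        cats = sorted(f.value for f in factor_categories(flow))
        print(f"{flow!r:40} -> {cats} -> multi-factor: {is_multi_factor(flow)}")
    print("TOTP at t=59:", totp(demo_secret, at=59))
    print("valid now?   ", verify_totp(demo_secret, totp(demo_secret)))
```

The decisive test is the categorical one in `is_multi_factor`: it counts distinct factor categories, not the number of prompts. Adding a genuine second category is cheap; the TOTP routine above is the entire standard algorithm in a handful of lines, and it answers with something an attacker cannot scrape from a social media profile.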

Jack Wozny
IS Security Operations Engineer

I’m a computer systems engineer! I love working with technology, tinkering with and optimizing new systems.
