I recently stumbled across this gem of a "security question" when trying to access my wife's account over at Vanguard:
Seriously? Her CURRENT best friend? You mean she has to change her "security question" answer whenever she changes best friends? Who in the world thought this was a good idea for a "security question"? Actually, who in the world thought these "security questions" were a good idea to begin with? The FDIC called for two-factor authentication a couple years ago to reduce the amount of account hijacking that was occuring due to the advent of internet banking. Since then the "security question" + password model has become an industry standard, which would be great if not for one small problem: that this isn't two-factor authentication, it's one-factor authentication implemented twice.
A proper two-factor authentication implementation consists of verifying two of the following from a user:
- Something s/he has (ID card, security token, cell phone, etc.)
- Something s/he knows (password)
- Something s/he is (finger print, retinal scan, DNA sequence, voice recognition, etc.)
Obviously, a user's password falls into the "something s/he knows" category. Unfortunately, a user's "security question" answer also falls into the "something s/he knows" category. And considering the questions are usually ones that any motivated hacker can get a hold of (e.g. what was your high school mascot? what was your mother's city of birth?), it's not even a very strong implementation of the "something s/he knows" factor. I am baffled at how this managed to become such a widely accepted model. Why not just require two passwords if you're going to do this? A second password would be at least as secure as a "security question" answer. Or maybe three passwords would be more secure? Or four? Or however many it takes to make it too inconvenient for a hacker to even bother trying to hijack our accounts?
Kudos to those financial institutions (PayPal comes to mind) who are actually giving their customers proper two-factor authentication via security tokens. Unfortunately, they are currently the exception to the rule. Hopefully proper security models such as these win out over the security via annoyance model that the current status quo seems to be heading towards.