Are your “Security Questions” really “Secure”?
An opinion on the loopholes in security questions caused by your users' behaviour…
2FA (Two Factor Authentication) / MFA (Multifactor authentication), by definition, is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). Source: https://en.wikipedia.org/wiki/Multi-factor_authentication
In short: require more than one factor, so that if the first one is compromised (usually the password), the attacker still has to get past the second.
This has led many online web applications and sites to introduce Security Questions Authentication (SQA). You choose a set of questions (3–5) and their answers. On a later login (from the same browser or a new one) the site asks a random question from your set and, on a correct answer, lets you in. Strictly speaking, a security question is a second "something you know", not a second factor: it helps when only the password has leaked, but it does nothing against the attacks below, which target knowledge itself.
So what’s the problem then?
Problem 1: Your answers are still static / fixed
Heard about keystroke logging (https://en.wikipedia.org/wiki/Keystroke_logging)? SQA does not defend you against a keylogger, because your answer is fixed: whatever was captured once can be typed again at every later login.
Further, a phishing page (https://en.wikipedia.org/wiki/Phishing) built for a specific target can simply ask the same questions and collect the answers.
Again, the root problem is that the answer is fixed; it is never regenerated, unlike a one-time code.
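To make the replay point concrete, here is an added example (not code from this post, nor from any product it mentions) that puts a stored security answer next to a time-based one-time password and replays a captured value of each. It assumes the answer is normalised and stored as a salted PBKDF2 hash, and that the OTP is RFC 6238 TOTP with the RFC's defaults (HMAC-SHA1, 30-second step, 6 digits); the secret and timestamps are the RFC 6238 Appendix B test-vector values, so the codes can be checked against the RFC.

```python
"""Why a fixed security answer can be replayed forever and a TOTP code cannot.

Added example for this post; it is not code from the post or from Authable.
Assumptions: answers are normalised and stored as salted PBKDF2 hashes, and
the OTP is RFC 6238 TOTP with the RFC defaults (HMAC-SHA1, 30 s step, 6 digits).
"""
import hashlib
import hmac
import secrets
import struct

# ---- Security-question answer: a static secret ------------------------------------

def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Oxford  University' and 'oxford university' match."""
    return " ".join(answer.casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalised answer (storage choice assumed here)."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)

def verify_answer(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, hash_answer(candidate, salt))

# ---- TOTP: a secret that changes every 30 seconds (RFC 4226 / RFC 6238) ------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side, to tolerate clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

# ---- Replay simulation -------------------------------------------------------------

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (constructed input)
CAPTURE_TIME = 59                      # RFC vector: T=59 -> counter 1 -> code "287082"

def replay_static_answer(keylogged: str) -> bool:
    """The attacker types the keylogged answer at any later login; the stored hash never changes."""
    salt = secrets.token_bytes(16)
    stored = hash_answer("Oxford University", salt)   # the user's real answer (constructed)
    return verify_answer(stored, salt, keylogged)

def replay_totp(seconds_later: int) -> bool:
    """The attacker replays the code captured at CAPTURE_TIME, `seconds_later` afterwards."""
    captured = totp(RFC_SECRET, CAPTURE_TIME)
    return verify_totp(RFC_SECRET, captured, CAPTURE_TIME + seconds_later)

if __name__ == "__main__":
    print("static answer, replayed at any later login:", replay_static_answer("oxford university"))  # True
    print("TOTP code replayed 29 s later (inside drift window):", replay_totp(29))                  # True
    print("TOTP code replayed 120 s later:", replay_totp(120))                                      # False
```

The keylogged answer keeps working for the life of the account, while the captured TOTP code dies with its time step. One caveat the drift window shows: with `window=1` a captured code is still accepted for roughly a minute, so a real verifier should also remember the last accepted counter and refuse the same code twice, as RFC 6238 recommends.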
Major Problem 2: Choosing easy questions (Guessable)
In a short informal survey I ran among a group of internet-banking users about the security questions they had chosen, they preferred questions whose answers were very “EASY” to remember.
Easy comes at a price. Let's look at a few sample security questions.
For each one, guess how many people already know the answer about you, and where they could find it:
- How many languages can you speak? (Facebook / Instagram / LinkedIn)
- What is the date of your marriage? (Facebook / Instagram)
- In which month is your Spouse’s birthday? (Facebook / Instagram)
- What is the name of your first child? (Facebook / Instagram)
- Which year did you complete your SSC? (LinkedIn)
Isn’t this true? The answers to your secret questions have been published by you on the internet, for anyone to read, and that is only the online route. Several of these questions also have tiny answer spaces: a month has twelve possible values and a graduation year only a few dozen, so an attacker who knows nothing about you can simply enumerate them unless the application locks the account after a few wrong attempts.
And have you thought about the offline circles (colleagues, friends) where you reveal the same information?
The younger generation, at least, already has most of these answers posted on social sites.
Do you know why users select simple questions? Because forgetting the answer means locking yourself out, followed by the hassle of getting the account re-enabled. And doesn't the new generation prefer convenience?
What options does an organisation have?
- SMS/Email OTP based 2FA: SMS delivery is delayed at times and can be redirected (SIM swap). Neither channel is protected by an app lock, so an unlocked phone exposes the code. Plus there is a cost for every login.
- Hardware tokens: excellent technology, but they bring operational complexity (issuing, replacing, revoking) and a higher cost for the physical devices.
- Social login: few financial applications use it.
- Phone app authentication: complete 2FA by logging into the organisation's own mobile app. Low cost, but limited reach, since not everyone installs the organisation's app (e.g. not all internet-banking users are mobile-banking users).
Open Source Solution
With these thoughts in mind, I have personally started designing and developing an open-source enterprise product named “Authable” (https://github.com/godwinpinto/authable) that can help enterprises plug phone-based 2FA into their existing applications. Currently planned features include:
- Time-based OTP (TOTP): the benefits of an OTP with hardware-token-like properties, generated on the phone (your company's app / any authenticator app) and my ped
- QR scan authentication: log in by scanning a QR code, just like WhatsApp
- In-app OTP / regular OTP: generate the OTP from the app (for those not sure about the TOTP algorithm :p)
- And many more planned
Summary
Security Questions Authentication as a 2FA module is a convenient way to protect your web applications, but only if users are smart enough (or not lazy enough) to pick questions whose answers are hard to guess, or to answer in a way nobody could guess, treating the answer as a second password (instead of giving your college name as Oxford University, you could write Ox).
I would love to hear your views on security-question behaviour in the comments.
Thanks for reading.