The Challenge of Security Questions
Jackson Shaw just wrote about a website called goodsecurityquestions.com. As the name indicates, it’s a site that purports to distinguish between good and bad questions to use when setting up identity re-verification challenges (for when you forget your password or need to execute a high-value transaction, for instance). The same site also (correctly) points out that there are no good security questions, only better ones, because the approach is inherently weak: the answers are facts about you that others may know or find, not secrets. It rates questions on the following criteria:
- The answer cannot be easily guessed or researched [Safe]
- The answer doesn’t change over time [Stable]
- The answer is memorable [Recall-ability]
- The answer is definitive or simple [Simplicity]
Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.
Of course, the service you are interacting with needs to let you choose from a large enough set of questions, or supply your own, so you can adhere to these criteria. And a highly sensitive application should go beyond plain security questions. While most services are moving towards simpler yet more secure mechanisms (emailing the user a short-lived, single-use password reset token, for instance), there are many cases where you still need a challenge-based mechanism, such as when the forgotten password is the one that protects the very email account the token would be sent to.
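The reset-token mechanism mentioned above, as an added example that is not code from the original post or from any product it names: tokens are random, short-lived and single-use, the server stores only a hash of each token (so a leaked table cannot be replayed), and issuing a new token for a user invalidates any earlier ones. The in-memory store and the 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store for the example: token_hash -> record.
# A real deployment would keep the same fields in a database row.
RESET_TOKENS: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: 15 minutes (assumed value)


def _hash_token(token: str) -> str:
    # Only the hash is persisted; the plaintext token exists in the email alone.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use, short-lived token for user_id and return the
    plaintext to be mailed. Any earlier unused token for the same user is
    invalidated, so an attacker who triggers resets cannot keep old ones alive."""
    now = time.time() if now is None else now
    for record in RESET_TOKENS.values():
        if record["user_id"] == user_id:
            record["used"] = True
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe
    RESET_TOKENS[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token was issued for, or None if the token is
    unknown, expired or already used. A successful redemption burns the token."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None:
        return None
    if record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True
    return record["user_id"]


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("first redemption:", redeem_reset_token(t))   # alice
    print("second redemption:", redeem_reset_token(t))  # None (single use)
```

The lookup is by hash, so the usual hash-lookup-by-index pattern applies and no secret comparison happens in application code; the expiry and used checks are what stop replay and reuse.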
Knowledge-Based Authentication (KBA) has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage it can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which uses fuzzy matching so that security questions tolerate minor variations in how an answer is typed) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.
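To make the fuzzy-matching idea concrete, here is an added example of answer matching for security questions. It is illustrative code written for this page, not Oracle's Answer Logic or any other product's algorithm, and the stop-word list and edit-distance budget are assumptions. Answers are first normalised (case, accents, punctuation, whitespace, leading articles) and then compared with a length-scaled Levenshtein budget, so "ford mustang." matches "Ford Mustang" but "Max" does not match "Rex".

```python
import re
import unicodedata

# Words users drop or add freely ("the Mustang" vs "Mustang").
# Constructed list for this example; tune per question.
STOPWORDS = {"the", "a", "an", "my"}


def normalize(answer: str) -> str:
    """Canonicalise an answer so harmless variations compare equal:
    accents stripped, case folded, punctuation and extra spaces removed,
    stop words dropped."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", text.casefold())
    return " ".join(t for t in tokens if t not in STOPWORDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def answers_match(stored: str, given: str) -> bool:
    """Accept a given answer that, after normalisation, is within a small edit
    distance of the enrolled one. The budget grows with length: answers under
    8 characters get no slack, because short strings have too few plausible
    neighbours to allow guessing one typo at a time."""
    s, g = normalize(stored), normalize(given)
    if not s or not g:
        return False
    if s == g:
        return True
    allowed = max(0, (len(s) - 4) // 4)  # 0 for <8 chars, 1 for 8-11, 2 for 12-15, ...
    return edit_distance(s, g) <= allowed


if __name__ == "__main__":
    for given in ["ford mustang.", "Ford Mustnag", "Chevy Mustang"]:
        print(repr(given), answers_match("Ford Mustang", given))
```

The trade-off a practitioner should note: edit-distance matching needs the enrolled answer in a form the server can compare against, i.e. encrypted at rest rather than one-way hashed. If answers must be hashed, only the normalisation step can be kept (hash `normalize(answer)` at enrolment and at verification), which still absorbs case, punctuation and article differences but not typos.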
And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.
Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.
I think all password-based systems should be changed to use ZKPP: http://srp.stanford.edu/demo/demo.html
Many financial institutions now want their online users to set up challenge questions. I find these questions to be annoying for a number of reasons. First, you have to set up multiple questions at each FI, which means you soon have a sizable number of these things to manage. Second, the answer you give must match exactly the answer you originally gave (Hmmm, did I say my first car was a Ford Mustang, or just a Mustang?). Third, the FI prevents you from logging in with the usual loginID and password until you set up the challenge questions, but makes no attempt to first verify that it's really you. So someone who has stolen your loginID and password could set the challenge questions and freeze out the legitimate account holder.
I much prefer the method of receiving a one-time code via email (or SMS). It's so much less cumbersome.
Problems with security questions are no less than problems with passwords themselves. Questions like 'what is your favorite movie' may not have consistent answers. Trying to figure out questions satisfying the mentioned criteria is difficult too, as satisfying the criteria is subjective. If the org decides the questions, they force the users to make stupid choices; if the users make the questions, they make stupid choices. Meanwhile, there is nothing that stops the bad guys more than what passwords did.
There is no easy answer here other than to punt the security to some other system, like a personal email that was verified earlier. Within an org, they can have automated systems that send a temporary password through SMS, or call the user at their desk and deliver the temp password, or use some other pre-established delivery mechanism.
The knowledge-based authentication that you mention is called "static" KBA, or shared secrets. There are many risks involved in using this type of KBA, both for the consumer and the business. Instead, companies should generate questions dynamically. Dynamic KBA is much more secure than static KBA, and it can be used both for account origination and for step-up authentication in password reset situations or high-risk activity. Yes, there are still some security concerns with dynamic KBA, or any "question" product, but the reality is that dynamic KBA is the highest level of automated verification that exists today that can tie an identity to a device/caller/transaction/token/OpenID. If you want to learn more about the dangers of static KBA, you can read about it in this blog post about how dynamic KBA could have stopped Palin's Yahoo account from being hacked. http://blog.idology.com/2008/09/19/how-dynamic-…
Agreed in principle. However, as in all cases, security solutions need to be set up in tiers based on cost-benefit analysis. A system that leverages out-of-band channels like voice and SMS is definitely superior, but also cost-prohibitive for certain customers.