Do Authenticaton Questions Really Protect You?

03.09.2012
What is your mother's maiden name? It seems like that question has been used as secondary authentication to verify identity since the dawn of time. Over time, the authentication questions have become much more diverse. Sites now ask for things like what city you went to high school in, or who was your favorite teacher, or what was your first car.

The problem with most authentication questions, though, is that the information can often be found with a simple Google search or two. Ten years ago, or even five years ago it might have been much harder to learn the answers to such obscure questions. But, in the on social networks it's entirely possible all your somewhere.

Have you ever participated in the Internet meme of answering a series of questions about yourself and then passing the results on to a group of friends? Many have. The purpose of the exercise is to share more information and get to know people better, but the fallout is that those questionnaires often target the same sort of semi-obscure information that authentication questions ask for.

The real problem with authentication questions is that they can be guessed or breached the same way a password can. An attacker may not know who your favorite sports team is. But, given a few contextual clues from your social networking profiles, conducting a search of your tweets on Twitter, or simply trying different sports teams out until the right one is discovered, the attacker can probably get past the authentication questions.

Like a username, the authentication question might seem like it adds a layer of security--and to some extent that's true. But, usernames are easily guessed, and authentication questions are becoming increasingly trivial to bypass thanks to social networking. The password should be the toughest part of this equation, yet many people still use their cat's name or "123456" despite years of security experts drilling about choosing better passwords.

One solution that might help a little is to make up a fictitious answer. For example, maybe you went to high school Omaha, and everyone online knows you went to high school in Omaha. But, for the purposes of your authentication security question you could change the answer to "Metropolis" or "onion rings" and just keep that information to yourself.