Security question: What questions do you ask?
Working on a save quote feature for our new website, one of the security requirements is to ask a secret question and obtain a value from the user.
Does anyone have suggestions on the type of Security questions to ask?
"Secret Question" to prevent spamming (like CAPTCHA), or secret question to recover a password?
As an additional security mechanism. Some questions I have included so far:
- 'What is your mother's maiden name?'
- 'What was your pet's first name?'
- 'What primary school did you go to?'
- 'What are the last 4 digits of your driver's licence?'
From a globalization point of view, *maiden name* is not a meaningful concept in countries like Spain and Italy where women never change their surname with marriage, and it sounds discriminating against those born to unmarried mothers.
I really think this question should be posed on security SE. There are lots of people who contend that security questions amount to a backdoor for accounts. If you're designing something from scratch you're probably better off implementing two-factor authentication.
@xinthose - Thanks for the upload, although your JSON file is not valid. All the values for "Age Range for all questions" need to be strings but they are not enclosed in quotes.
So users will sign in with login name, password, and the answer to a question? (My bank does this and I hate it.)
This question, as asked, is not a UX question but a security question (see what I did there?). The answer is to not use security questions as an alternate account access vector!
Why not allow the user to enter their own security question?
The question itself doesn't matter, it's only there to jog the memory of the user. If you let the user type their own question, they would be more likely to remember the answer and you don't have to try and think of a lot of different questions to cover all situations a user might be in (i.e. they never had a pet, don't know their mother's maiden name, etc.).
Thanks for your input, Steve. Not a bad idea at all! I would still like to have alternative options available to the user to select predefined questions from a picklist.
This is better from a security perspective instead of using the typical questions. The user can use a custom question obvious to him/her, but no one else. See the Sarah Palin email break.
I tend to find that users aren't terribly security-conscious about these questions, and as a user, coming up with a decent security question can be difficult (and if you're attempting to sign up or get some work done, a bit of a pain - two extra password-related hurdles to jump, lucky me!). So you'll find users throwing together the most simplistic questions they can think of just to get out of the form asap; or just typing in "classic" security questions they've encountered elsewhere (thus tripping over Az Za's problem).
To be honest, I'm personally not a fan of the security question model in general. Say my question was "First dog's name", and I'm now staring at the recovery prompt. I'm thinking "when I created this answer 2 years ago, did I type Fido or fido? Does case even matter? When I answered, did I put the first dog I *ever had* or the first one I *consciously remember*? So maybe it's Rover. Or rover. Hmm." Even worse with multi-word answers: "Did I put MyTown School or MyTown Junior & Infants, or was I in a rush and just hammered in MyTown?"
The question should be: "think of a question only you can answer - and you still can answer in five years' time". I am not certain if I want to ask my users that.
I've found that people are confused when you ask them to ask and then answer their own questions. This then stops them from completing registration. That is the biggest issue. They can also make up bad questions... things that anyone could find out with extremely easy-to-find information. But sure, it's a way to go. But I think from my first point you will lose users this way.
This is a tempting approach, but it's depressingly common for people to make up questions like "How do you spell 'password'?" etc.
Letting the users set their own questions can be a HUGE security risk. Users are lazy, they don't want to remember, many of them will just use something like: "What's 1+1?", "What's my name?". You can't expect users to be aware of the security risk. I mean that's why many sites require you to set a complicated password, to prevent lazy users from using "1234"...
@Kweamod complicated passwords can be worse in a way. How often have you seen people write down their passwords to comply with onerous requirements. It's far better to have a longer, but simpler, pass phrase. Also, and I have no evidence for this, but I imagine most users these days are reasonably security aware and wouldn't set such an easily guessable security question.
The term "security questions" is a misnomer. Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered. Hopefully, security experts will find better ways of retrieving forgotten passwords or verifying identification during login, but until then security questions will likely prevail.
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
Social networking sites (Facebook, MySpace, Twitter, personal blogs, LinkedIn) are creating more of a risk for security questions. People are generously telling all about themselves, their history, likes, favorites, and more. It is easier now to find information on people.
But to actually answer your question, that site provides a list that they say are better than others that meet the criteria of:
Good security questions have four common characteristics. The answer to a good security question:
- cannot be easily guessed or researched (safe),
- doesn't change over time (stable),
- is memorable,
- is definitive or simple.

- What was your childhood nickname?
- In what city did you meet your spouse/significant other?
- What is the name of your favorite childhood friend?
- What street did you live on in third grade?
- What is your oldest sibling’s birthday month and year? (e.g., January 1900)
- What is the middle name of your oldest child?
- What is your oldest sibling's middle name?
- What school did you attend for sixth grade?
- What was your childhood phone number including area code? (e.g., 000-000-0000)
- What is your oldest cousin's first and last name?
- What was the name of your first stuffed animal?
- In what city or town did your mother and father meet?
- Where were you when you had your first kiss?
- What is the first name of the boy or girl that you first kissed?
- What was the last name of your third grade teacher?
- In what city does your nearest sibling live?
- What is your oldest brother’s birthday month and year? (e.g., January 1900)
- What is your maternal grandmother's maiden name?
- In what city or town was your first job?
- What is the name of the place your wedding reception was held?
- What is the name of a college you applied to but didn't attend?
- Where were you when you first heard about 9/11?
Are the questions listed researched/debated upon, or are they merely the author's opinions?
Don't just use the standard questions like "mother's maiden name", "first pet's name", etc. They're widely used, and using them means you're forcing users to have the same security answers across different websites. That's a security hole, just like reusing passwords is.
I concur with Steve's recommendation of allowing users to make up their own questions. But if you really want to offer predefined questions:
- The answer should not be easy to find: Things like "Mother's maiden name" and "Hometown" are likely to be found with a web search.
- The answer should be unambiguous: If the question is "What was the name of your first school", then I may well forget whether the answer is "St Trinian's School", "Saint Trinian's", "St. Trinian School" or some other variation.
- The answer should be hard to guess: "Favourite colour" is no good because there's a good chance the answer is "blue", and otherwise it's probably just green, red or purple. Even "Name of best friend" has a decent chance of being "David", for example.
Foreword: I really, really, really think you should go with Steve's answer.
Supposing that you choose to ignore that option, and are going to be asking a predefined list of questions, PLEASE make sure that you choose questions that cannot be easily resolved with a Google search of the person's name and the question.
Prior to Google existing, finding a mother's maiden name could be difficult. Now, it's pretty simple: person's name + white pages + mother's name + google search = mother's maiden name. In order to determine better questions, pick something complicated but easily remembered, that can't be simply searched. Some questions off the top of my head are:
- What was the second best birthday present you ever got?
- Why is the sky blue?
- What is your favorite color and favorite animal?
The purpose behind these questions is to make the question and answer secret. Most of the questions that come predefined will be answerable with a simple Google search. Your job is therefore to make sure that the secret questions used by the user aren't easy for an unauthorized party (with reasonable search prowess) to answer.
What does "Your job is to make sure that the question's aren't easy to ask." mean? I think you want something that is easy to ask, easy for the user to answer, and difficult for others to answer.
To emphasize the security consideration involved in using a secret question and answer. Particularly, in the event of the secret question being seen by an unauthorized party, it should be difficult for the unauthorized party to determine the answer but trivial for an authorized party. Suppose the secret question is "Why is the sky blue?"... an unauthorized party would have difficulty narrowing down the answer whereas the user would likely have a fairly distinctive answer.
Thanks for your input emory and Az Za. The secret question/answer is to complement other questions we ask, including DOB and phone number as well as a token that is generated to their email, which is unique. So for this purpose, we need something that will be easy to remember. A question such as "Why is the sky blue?" will be a bit difficult for the user to answer time & time again as each time their answer is guaranteed to be different. I think I have enough to go on to elicit requirements to our devs. Thanks for all your input!
Everything that everyone here has said I agree with. Making sure that the questions are not something that someone can easily Google, easy to guess, or unambiguous.
I believe having a create your own question is a good idea because someone can create a question that is not a common security question, however the downfall of this is you are not driving how secure the question is as well as stopping the user from creating something like this...
Question: "frog" Answer: "joe"
People may tend to get lazy and create extremely unambiguous questions that no one would ever remember. So I believe it would be important to have both a list of questions and the option to create your own question.
Thanks Jason! You've made a valid point. The secret question/answer will complement other criteria. Even if an authorised individual guesses the answer to the secret question, they would still have to correctly input four other sets of criteria.
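The weak patterns raised in this thread (the "password" question, "What's 1+1?", "frog"/"joe", "What is my name?", and the standard questions that force the same answer across every site) can be screened automatically if a site does let users write their own question. The Python below is an added example, not code from any of the answers here; the `check_custom_question` helper, its marker lists and its thresholds are constructed for illustration and would need tuning for a real site.

```python
import re
from typing import List

# Patterns marking the standard questions reused across many sites; an
# answer forced to be the same everywhere is the "reused password" problem.
# Constructed list for this example, not an exhaustive one.
CLASSIC_QUESTION_PATTERNS = [
    r"\bmaiden name\b",
    r"\bpets?\b",
    r"\bfavou?rite colou?r\b",
    r"\bprimary school\b",
    r"\bhome ?town\b",
]
# Answers an attacker would try in the first handful of guesses (constructed).
COMMON_ANSWERS = {"blue", "red", "green", "purple", "password", "1234", "yes", "no", "none"}

MIN_QUESTION_WORDS = 4   # "frog" is not a question
MIN_ANSWER_CHARS = 3     # "2" is not an answer


def _words(text: str) -> List[str]:
    """Lower-case word tokens; apostrophes kept so "what's" stays one token."""
    return re.findall(r"[a-z0-9']+", text.casefold())


def check_custom_question(question: str, answer: str) -> List[str]:
    """Return the reasons a user-written question/answer pair should be rejected.

    An empty list means the pair passed every check. Hypothetical helper
    written for this example; thresholds and word lists need local tuning.
    """
    q_words = _words(question)
    q_text = " ".join(q_words)
    a_text = " ".join(_words(answer))
    problems = []

    if len(q_words) < MIN_QUESTION_WORDS:
        problems.append("question too short to be meaningful")
    if len(a_text) < MIN_ANSWER_CHARS:
        problems.append("answer too short")
    # "How do you spell 'password'?" -> the question contains its own answer
    if a_text and a_text in q_text:
        problems.append("answer appears in the question")
    # "What's 1+1?" -> anyone can compute the answer ('/' deliberately left out
    # so that a date such as 9/11 is not mistaken for a division)
    if re.search(r"\d\s*[-+*]\s*\d", question.casefold()):
        problems.append("question is arithmetic anyone can solve")
    if any(re.search(p, q_text) for p in CLASSIC_QUESTION_PATTERNS):
        problems.append("question is a widely used standard question")
    if a_text in COMMON_ANSWERS:
        problems.append("answer is among the most common answers")
    # "What is my name?" -> public information about the account holder
    if re.search(r"\b(my|your) name\b", q_text):
        problems.append("question asks for the account holder's name")
    return problems


if __name__ == "__main__":
    for q, a in [("frog", "joe"), ("What's 1+1?", "2"),
                 ("What was the second best birthday present you ever got?", "a red bicycle")]:
        print(repr(q), "->", check_custom_question(q, a) or "accepted")
```

The checks are deliberately cheap heuristics: they catch the lazy pairs the thread describes, not every guessable question, so a site offering custom questions should still keep the other factors the original poster mentions (a mailed token, date of birth, phone number) in front of the reset flow.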
I think a pre-defined list is the way forward. I've solved this problem about security on my current project by asking the user to fill in three security questions. So a combo box (with all pre-defined questions - you can find good ones with a quick web search) and an input field underneath to fill in the answer.
Chances of guessing one are possible, chances of guessing all three highly unlikely.
Let's add what not to do, and why. For example the California Franchise Tax Board restricts selection to things like:
- What is your favorite color?
- What is the name of your favorite cancelled TV show?
- What is your favorite board game to play with friends?
The answers to these questions can change over time. It might be a marginally OK choice for a site where user logs in often, and can see and adjust the answers. It's a bad choice for a site where the user logs in infrequently.
Also bad are questions asking for parts of other secure documents:
- Last four of SSN
- Third digit of driver's licence
As a theft of that data from your firm could compromise the user's security on other sites.
You have alternatives, such as:
- Having the user upload a photo, which is sent back to the user to verify login (to prevent spoofing)
- Having the user enter a phrase that gets repeated back to validate login (again, spoofing).
- Having the user enter their own question and answer, perhaps with some complexity requirements.
- Various callback and text message systems (with the weakness that someone stealing a mobile phone generally has access to both email and text messages for the person they are scamming).
@Steve nailed the answer above. Can you think of your own question, with an answer that is super obscure? Probably yes. For example consider "where did Mary Jane hide my underwear that day in high school?". Be fuzzy in terms of an answer match, as these are human questions with human answers. Definitely accept any case (e.g. "The principal's Office") and maybe even partial string matches (e.g. "principal office").
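The ambiguity problem raised earlier in this thread ("St Trinian's School" vs "St. Trinian School", "Fido" vs "fido") and the case-insensitive, fuzzy matching suggested here can both be handled by canonicalising the answer before it is hashed, so the stored value is still a salted, slow hash rather than the plaintext answer. The Python below is an added example, not code from this answer or any site's implementation; `normalize_answer`, `hash_answer`, `verify_answer` and the filler-word and abbreviation lists are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Words users add or drop inconsistently ("the principal's office" vs
# "principal office"); stripped before hashing. Constructed list.
FILLER_WORDS = {"the", "a", "an", "of"}
# Abbreviations folded to one spelling ("St." vs "Saint"). Constructed list.
ABBREVIATIONS = {"st": "saint", "mt": "mount"}

PBKDF2_ROUNDS = 200_000  # treat the answer like a password, not like a hint


def normalize_answer(answer: str) -> str:
    """Canonicalise free text so harmless variations compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = text.replace("\u2019", "'")          # curly apostrophe -> plain
    text = re.sub(r"'s\b", "", text)            # possessive: principal's -> principal
    text = re.sub(r"[^\w\s]", " ", text)        # remaining punctuation -> space
    words = [ABBREVIATIONS.get(w, w) for w in text.split()]
    return " ".join(w for w in words if w not in FILLER_WORDS)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of the normalised answer; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    salt, digest = hash_answer("The principal's Office")   # stored at enrolment
    print(verify_answer("principal office", salt, digest))  # True
    print(verify_answer("the gym", salt, digest))           # False
```

Normalising before hashing closes the case, punctuation and abbreviation gaps without keeping the answer recoverable; genuine substring matching ("principal office" inside a longer stored answer) would require the plaintext, so this example stops at exact match after normalisation. It still cannot close the "did I type School at the end?" gap ("Saint Trinian's" and "St Trinian's School" hash differently), which is exactly why the earlier answer insists on questions whose answers are unambiguous.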
What is my name? Who is me? Who is my girlfriend? Where do I live? What is my favourite colour?