Do authentication questions really protect you?

With so much information shared online, authentication questions can be trivial for attackers to bypass.

By David Jeffers, PC World |  Security, authentication

What is your mother's maiden name? It seems like that question has been used as secondary authentication to verify identity since the dawn of time. Over time, the authentication questions have become much more diverse. Sites now ask for things like what city you went to high school in, or who was your favorite teacher, or what was your first car.

The problem with most authentication questions, though, is that the information can often be found with a simple Google search or two. Ten years ago, or even five years ago, it might have been much harder to learn the answers to such obscure questions. But in the current age of oversharing on social networks, it's entirely possible all your intimate details are out there somewhere.

Have you ever participated in the Internet meme of answering a series of questions about yourself and then passing the results on to a group of friends? Many have. The purpose of the exercise is to share more information and get to know people better, but the fallout is that those questionnaires often target the same sort of semi-obscure information that authentication questions ask for.

The real problem with authentication questions is that they can be guessed or breached the same way a password can. An attacker may not know who your favorite sports team is. But, given a few contextual clues from your social networking profiles, conducting a search of your tweets on Twitter, or simply trying different sports teams out until the right one is discovered, the attacker can probably get past the authentication questions.

Like a username, the authentication question might seem like it adds a layer of security--and to some extent that's true. But usernames are easily guessed, and authentication questions are becoming increasingly trivial to bypass thanks to social networking. The password should be the toughest part of this equation, yet many people still use their cat's name or "123456" despite years of security experts urging them to choose better passwords.

One solution that might help a little is to make up a fictitious answer. For example, maybe you went to high school in Omaha, and everyone online knows you went to high school in Omaha. But for the purposes of your authentication security question, you could change the answer to "Metropolis" or "onion rings" and just keep that information to yourself.


Originally published on PC World.