The Persistent Idiocy of Security Questions

A Pet Peeve Rant

The "Pet Peeve Rants" are periodic blog posts about annoying and often non-obvious observations about privacy, security and, more generally, technology. No entry is aimed at anyone in particular, as most reflect repeated sightings of simple idiocies that seem to have become normal. Accept them as entertainment, even if you happen to be among the guilty.

The least novel idea for user authentication is a set of security questions.

Users input answers to service providers for questions like "What is your mother's maiden name?" Or maybe something like "What was your first pet's name?". Then boom. You're authenticated with this second measure, and you can now reset your password.

It shouldn't take more than a minute to pick the idea apart.

Security question answers are like passwords, but instead of length and complexity requirements, they are common answers to common questions. And those answers are often discoverable online or by anyone with a passing familiarity with the user. Think of them as passwords that your family and friends, or any amateur sleuth with a keyboard, can probably guess.

Most answers don't change. The name of your first pet, your mother's maiden name, your kindergarten teacher's name... these are not answers that evolve over time, so once one leaks it is burned everywhere it was used.

This is dangerous and delusional security, not an enhancement.

We have spent decades advising users not to use pet names and guessable words as passwords. So now some providers are demanding users use pet names for what is essentially a password?

Savvy users might enter long complex answers with no relation to the true answer, as if they are passwords.
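To put rough numbers on the two points above (common answers to common questions, versus a savvy user's random answer), here is an added example that is not part of the original post. The pet-name counts and the size of the long tail are constructed for illustration, not survey data; the shape (a handful of names covering most users) is what matters.

```python
import math
import secrets
import string

# Constructed counts (made up, not a real survey): how many users in a
# population of 2000 answered "first pet's name" with each popular name.
PET_NAME_COUNTS = {
    "max": 180, "bella": 170, "charlie": 150, "lucy": 130, "buddy": 120,
    "daisy": 100, "molly": 90, "rocky": 80, "bailey": 70, "sadie": 60,
}
OTHER_USERS = 850   # constructed: users with a name outside the top ten
OTHER_KINDS = 500   # constructed: how many distinct rare names they share


def answer_distribution(counts=PET_NAME_COUNTS, other_users=OTHER_USERS,
                        other_kinds=OTHER_KINDS):
    """Probability of each answer, most common first. The long tail is
    modelled as other_kinds equally rare names sharing other_users users."""
    total = sum(counts.values()) + other_users
    probs = [c / total for c in counts.values()]
    probs += [other_users / total / other_kinds] * other_kinds
    return sorted(probs, reverse=True)


def shannon_entropy_bits(probs):
    """Average uncertainty of the answer in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def fraction_guessable_within(probs, attempts):
    """Share of accounts a provider should expect to fall to the most
    common answers within a given number of attempts per account, even
    with rate limiting in place."""
    return sum(probs[:attempts])


def random_answer_bits(length=16, alphabet=string.ascii_letters + string.digits):
    """Entropy of a uniformly random answer pasted from a password manager."""
    return length * math.log2(len(alphabet))


def make_random_answer(length=16, alphabet=string.ascii_letters + string.digits):
    """What a savvy user types instead of the real pet name."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    probs = answer_distribution()
    print(f"pet name entropy: {shannon_entropy_bits(probs):.1f} bits")
    print(f"guessable within 3 tries: {fraction_guessable_within(probs, 3):.0%}")
    print(f"random 16-char answer: {random_answer_bits():.1f} bits")
```

With these constructed numbers the "secret" carries under 8 bits of entropy and a quarter of accounts fall within three tries, while the random answer carries over 90 bits.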

I fully realize that this Pet Peeve entry isn’t some remarkable discovery by yours truly. NIST 800-63-3 does clearly state “Knowledge-based authentication, where the claimant is prompted to answer questions that are presumably known only by the claimant, also does not constitute an acceptable secret for digital authentication.” Yet there are even major financial institutions that persist in this idiocy.

The foolishness of security questions shouldn’t even have to be mentioned. It should be obvious. What are these providers missing?

Postscript: Just before we pushed this blog entry, I happened upon an Okta blog post from March 2021 about security questions. As one of the leading identity management providers, Okta has a legitimate interest in lambasting security questions with all guns blazing. Yet if you read that blog post, you would think security questions aren't completely contradictory to their business if done "correctly." The post has a section on "Examples of good security questions." If this blog post made it through the Okta blog review process, and anyone at Okta stands behind it, then something is very, very wrong. Would you trust an airplane manufacturer that was convinced pixie dust can be as effective as aerodynamics and jet propulsion at moving a plane through the sky?

Thank you for reading ClearOPS Bridging the Gap between Privacy and Security.

About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.

About ClearOPS: ClearOPS provides security program management software for security experts, powered by generative AI. The platform is rooted in assessments, such as gap, security, privacy, RFP and risk assessments. Once a knowledge base is formed, all assessments can be automated or used to automate other features. Inquiries: [email protected]
