In recent months the Internet has started to wake up to security just a little bit more, and has probably forgotten all about it again as well (read this, this, this and this if you need a refresher). The big problem I'm talking about is those annoying questions we have to answer when setting up a password for a new high-security system. Those questions are supposed to be things that only you know, which was great 20 years ago when we first started building these systems. Today, however, for most of these systems I can find all the answers to these questions somewhere between Facebook and Twitter.
Recently I was setting up access to just another high-security system and I was presented with this list of questions (I had to select three) as my security questions, so that I can get my account back if (when) I forget my password.
Let's review these questions for a minute. Some of these Facebook actually asks you to provide so that it can put them on your profile (that annoying part at the top of your Facebook profile). The rest you can probably figure out about most people just by looking at the information they post over the course of using social media in their daily lives and at the Facebook groups they belong to. Add a public LinkedIn profile and a little searching of public records, and getting most if not all of these answers shouldn't take you more than a couple of hours.
As the people who build these applications, we need to take more notice of just how easy it is to figure out the answers to these questions. The questions we put into our applications shouldn't be as weak as "Favorite Teacher's Last Name" (which I've actually seen); they need to be at least a little harder to figure out if these are the things we are going to use to confirm that people are who they say they are.
Things like a driver's license number or state ID number (for those without a driver's license) are a good start. They don't change all that often (except when you move between states). Social Security Numbers basically never change, so those aren't a bad number to use either (granted, there are other issues with using a person's tax ID here in the US).
When you are designing these sorts of authentication systems, don't assume that just because your paranoid ass doesn't upload your entire life to Facebook, LinkedIn and Twitter, no one else does either. People do do that, and they will continue to do that. If you want to actually provide a level of security for your customers, which I sure hope you do since that is kind of your job, then assume that your customers will be posting the answers to the easy questions online for all to see, so you might want to use some slightly more complex questions.