What is your mother’s maiden name?

A while back I spent some time researching several strong authentication methods that are available in the online world. In order to get real user experience, I ended up creating online accounts with several banks and financial institutions. I got to try out various methods including OTP, biometrics, device fingerprinting, etc. However, I found that every bank had something in common: they had all implemented some form of KBA (knowledge-based authentication), also referred to by some as challenge-response or Q&A. It was implemented either as a secondary authentication method, i.e. give me your password and then tell me the color of your eye, or as a means for back-end authentication (either to recover the password or to register my computer).

So, when we first launched SignOn.com with Infocard authentication (and account recovery via email), we received some feedback that the site is only as secure as its weakest link. Hence in the follow-up release, we upgraded the account recovery to use KBA.

We spent some time coming up with the right questions for the users. Should we ask

  • What’s the name of your first spouse? OR
  • What’s the name of your first love?

The difference is that the answer to the first question is a “fact”. And the answer to the second question is an “opinion”.

To illustrate this further, here are some “fact” based questions:

  • What is your mother’s maiden name?
  • What is the color of your eye?
  • What was the make of your first car?
  • In what city were you born?

And here are some “opinion” based questions:

  • Who is your favorite sports team?
  • Who was your childhood hero?
  • What is the name of your best friend?
  • Who is your favorite movie star?

It’s a lot easier for others to find facts about you, and hence the “fact” based questions are a lot less secure than the “opinion” based questions. However, based on my experience and that of others I have talked to, it seems that when presented with a choice, most users choose the “fact” based questions, simply because they are easier to answer and don’t make you think.


To me, it seems like another area where security and convenience are at odds. I’ll be interested to hear if others have an “opinion” on this.
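Whichever questions a site picks, the answers are short, low-entropy and often dictionary words, so the recovery back end has to compensate. The following is an added example of how a KBA recovery check can be built defensively; it is not SignOn.com’s code, and the question names, the answer-normalisation rules and the attempt limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, Tuple

# Constructed example of a knowledge-based-authentication (KBA) verifier for
# account recovery. Not SignOn.com's implementation; assumes hashlib.scrypt.

def normalize(answer: str) -> str:
    """Fold case, accents, spacing and punctuation so 'St. Louis' matches
    'st louis'. Users rarely retype an answer exactly, and strict matching
    only locks out the real user without slowing down a guesser."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "", text.lower())

def enroll(answer: str) -> Tuple[bytes, bytes]:
    """Store a salted, memory-hard hash instead of the answer itself, because
    answers are far weaker than passwords and must not leak from the database."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def check(answer: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(normalize(answer).encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)

class RecoveryChallenge:
    """Every enrolled question must be answered, and attempts are capped per
    account so a small answer space cannot simply be enumerated online."""
    MAX_ATTEMPTS = 3  # assumed policy value

    def __init__(self, enrolled: Dict[str, str]):
        self.records = {q: enroll(a) for q, a in enrolled.items()}
        self.attempts = 0

    def verify(self, answers: Dict[str, str]) -> bool:
        if self.attempts >= self.MAX_ATTEMPTS:
            return False  # locked; recovery must continue out of band
        self.attempts += 1
        # Evaluate all questions so the response does not reveal which one failed.
        results = [check(answers.get(q, ""), *rec) for q, rec in self.records.items()]
        if all(results):
            self.attempts = 0
            return True
        return False
```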

6 Responses to “What is your mother’s maiden name?”

  1. Jay K says:

    You can always count on Bruce Schneier: http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html

    I’d say that recovery via email (email them a random string that they have to reproduce back at the site, if their email isn’t secure, they have bigger problems) is more secure than a secret question. The secret question answers are most likely going to be dictionary words, therefore much less secure than a good password.

  2. My problem with “opinion-based” questions is that I don’t have hard-and-fast answers to a lot of them. If a site asks “who was your childhood hero?”, and I return a year later, I may not be able to remember what I chose!

  3. Ksheerabdhi Krishna says:

    This always reminds me of one question I came across in the documentation of a certain Card Management System.

    What is your favourite mother’s maiden name?

    A consequence of cut-and-paste perhaps, but a relevant question in some parts of the world!

    No, I am not telling which CMS it was;-)

  4. Jennifer says:

    I think KBA is overall weak security to begin with (basically 3 extra passwords that are extra easy to crack). The problem with opinion-based security questions in particular is that though it doesn’t seem to add much more than a very thin layer of security to the user, it can make it near impossible for a user him/herself to authenticate. It is very possible (quite likely even) that the user just doesn’t hold the same opinions as when they signed up, and may not be able to remember their favorite rock band from two years ago. But, they will probably remember things like their first pet’s name, which I don’t think would be held by any public records.

    Of course, their chances of not getting hacked would be much better if their first pet’s name was “+-00PX’p9gr!!!”.

  5. Doug Halve says:

    @Ashish, I have to say I agree with Jennifer here. KBA answers can be key-logged just like a password. If I were trusting a site to be my “walled garden” for accessing all of my sites, I would want it to be more secure than even my bank. Outside of biometrics and hardware-based OTPs, Vidoop is the only industrial-strength security free and available to websites, IdPs and individuals.

  6. [...] with one set of credentials, if/when they get stolen, the thief has access to EVERYTHING. Security and convenience are often at odds. It will be interesting to see how OpenID addresses these concerns as digital security gets more [...]
