Click the comments link on any story to see comments or add your own.
Subscribe to this blog
18 Jul 2013
Arthur in L.A. asks:
Why do online accounts like the one at my alarm company keep adding extra security questions? The choices always require either a subjective answer ("What's your favorite movie?") or, in a two-person household, more than one answer ("In what city did your parents meet?")
We all know that passwords are a terrible security mechanism. People forget them, and bad guys are ever better at guessing them. So there are basically three ways to authenticate a person: something you know, such as a password, something you have, such as a driver's license, and something you are, a biometric. Two-factor authentication schemes are much more secure than single factor.
We use two factor authentication all the time. When someone checks your ID using your driver's license, the license is something you have, and the picture of you on it lets people check what you look like, something you are. When you use your bank card at an ATM, the card is something you have, and the PIN is something you know.
In the computer biz, two factor authentication works pretty well, but it's expensive. The government's Global Entry program which lets you cut the queue at airport immigration has a machine where first you insert your passport, something you have, and then it scans your fingerprints, something you are.
Banks are switching to two-factor due to rampant phishing and account theft. I put some pictures of the things I have from my bank, to log into my various bank accounts here.
Those work pretty well, but they are expensive, several dollars each, and managing them is expensive, e.g., one of them arrived broken, so I had to call and have them send me another one, and they have elaborate reissue protocols for when you lose one, asking you about what accounts you have and some recent transactions, something you know, and mailing the new one to your address they have on file, something you are.
So some security auditor told your alarm company that they have to do two factor authentication, they priced actual two factor and said, well, forget spending that much money.
At some point some clever person had the idea that rather than doing actual biometrics, they could ask biometric-style questions and pretend that was a something-you-are second factor. That's why the questions are all about personal stuff which you would presumably know even with the alarm whooping in the background. Apparently many security auditors will accept this as a second factor. Problem (of the audit, not of security) solved.
Needless to say, this is a really stupid idea. Anyone with two brain cells to rub together has figured out that these are actually just more passwords with inane prompts, particularly after dialogs like these:
WHAT IS YOUR FAVORITE COLOR?
ANSWER MUST BE AT LEAST FIVE CHARACTERS
WHERE WERE YOU BORN?
ANSWER MUST CONTAIN ONLY LETTERS AND DIGITS
Another reason it's stupid is that many of the questions, like where did you go to high school or what is your pet's name, can be easy to answer online in the Facebook era for people foolish enough to use answers that match the questions.
So it's just stupid, but good luck getting them to change it.
There is a surprisingly good one-factor scheme, passphrases. The new online bank Simple uses it. Rather than a password, you make up a pass phrase like "popcorn feels odd when you step on it barefoot". Typing a sentence is much easier for your fingers than typing password gibberish like x#4=?N:6 and it turns out that the attacks that let bad guys crunch through all possible 8 character passwords aren't practical on eight word phrases. It's not an ideal solution, since it's stil subject to phishing, where a bad guy impersonates the bank so the victim types in the pass phrase. It also still has the reuse problem, where people use the same password or passphrase on several accounts, but it's a lot easier to invent and remember phrases related to the account like "my white bank card has a round woven thing" (for the logo on the Simple debit card) than to come up with many different random passwords.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.