go ahead, mac my day

a Macintosh girl in a Microsoft world

another instance of security versus usability


Last weekend, when I logged in to my bank's website to pay my bills, I discovered that they have added a new security feature. Now, if they think that a login is potentially fraudulent (even if I type my password correctly!), they'll ask one of three secret questions. I had to select the secret questions and give their answers. This turned out to be a usability nightmare.

This is another one of those messy intersections between security and usability. I've written about one of these intersections earlier, specifically about Entourage not automatically downloading images from the email you receive. Security, in this case in the form of authentication, is difficult. I have approximately eleventy billion passwords to remember. What happens when I forget my password? In the interests of usability and reducing calls to tech support, many places have given us the curse of the secret question. I'm not going to go into the security issues associated with the use of the secret question, that's someone else's blog post. But I will discuss the usability issues associated with using secret questions.

Once upon a time, there was only one secret question: what's your mother's maiden name? I'm not sure why there are more secret questions now. One potential reason is that there's a significant chance that the user has the same last name as their mother's so-called maiden name. But the new list of secret questions is horrible. Either I can't answer them because I don't remember the answer or one doesn't exist, or my answer doesn't fall within their parameters.

Let's take a look at some common secret questions.

  • Someone's middle name (mother's, father's, sibling's) -- I don't have any siblings (my parents realised what a mistake they'd made and stopped before it got any worse). On my bank's website, there's an additional requirement that any answer be six characters or longer. My mother's middle name is four characters. This isn't uncommon. The current list of most popular baby names (according to the US Social Security Administration) includes Jacob, Ethan, Emily, Emma, and Ava. Add in other perennial favourites such as Peter, David, Lynn, and June. The problem exists in the other direction, too: if there's a maximum limit, long names like Fitzpatrick could be either not accepted or unknowingly truncated.
  • High school mascot -- This, like many other secret questions, is a rather American-centric question. Schools outside of America, from primary all the way through university, don't have mascots. My bank does business in Silicon Valley, with its high percentage of recent immigrants, so I was surprised that they had a question that so many users wouldn't be able to answer.
  • Pet's name -- My cat's name is Tipsy. He's 14. He's not going to live forever. What happens in five years when Tipsy is gone and I have another cat, but I've forgotten my password? A variant on this is to ask my favourite pet's name growing up. My parents never had fewer than four animals at any given point. I'm lucky to remember any of their names, let alone be able to select a favourite. And let's not forget how many people know my pet's name; even Paris Hilton discovered that this was a bad question when her T-Mobile phone was stolen a few years ago and her account was hacked because the attackers knew her dog's name.
  • City of birth -- I always stumble on this one because I'm not sure if I should answer with just the name of the city, or the city and state. A variant on this one is to ask where one of your parents was born. Being a bad daughter, I have no idea which cities first heard my infant parents' cries. I could find out, but will I actually remember when pressed?
  • Favourite [food | film | artist | colour | holiday destination] -- Am I the only person for whom most of these answers change frequently? My favourite musical artist is Paul Kelly today, but several of my other favourites have albums coming out soon, which will make my favourite list re-shuffle again.
  • Street you grew up on -- Families are reasonably mobile. I can name four streets that I grew up on. Which one do I choose? The first? The longest? The last?
  • Phone number you remember from your childhood -- How is anyone supposed to be able to recite some phone number from their childhood? Lots of people are bad with telephone numbers. Other people remember lots of numbers from their childhood (parents, grandparents, multiple homes, ... ).

That's just the usability problems with these questions. That's ignoring that most of these questions aren't really that secure. Any name associated with my parents is a matter of public record, since all of that will be on my birth certificate. Everyone knows my cat's name. Mascots and city names are susceptible to brute force attacks.

I don't claim to have an answer here. I understand why sites want passwords, and I understand why users forget their passwords. I understand why sites want to use secret questions to help authenticate their users. I'm concerned that secret questions solve neither the usability problem of users forgetting their passwords nor the security problem of the institution wanting to protect themselves and their users from fraudulent log-ins.

Comments
  • Oh god your bank did that too? I was like "WTF, I get tasered if I make a mistake?" The only reason I know where my parents were born is because it's a single answer for all three of us: Chicago.

    One of the options was "Where do your parents currently live?" Seen as both my parents are dead, that makes for an interesting answer on many levels, or do I use Karen, who after my mom died said "Every boy needs a mother, you done got a new one."?

    Street I grew up on. Hell, you ONLY have four? I had that many by first grade, and I'm not thinking of the fact that one house was on a five-way intersection, and I remember none of the streets.

    Phone number I remember from childhood. Okay, this one I do okay with, because even with moving, we managed to have the same one from 5th grade until I joined the air force. But hell, these days "Who knows" would be a valid answer. For my son, it's going to be my cell number, since I've had the same one since he was 5, and he's 13 now.

    Don't even get me started on "pick a secure password" and not allowing me special characters. Yeesh.

  • It turns out that financial institutions are (kinda) required to provide two-factor authentication, and most of them are using secret questions as their second factor.  Here's a 2005 article from Wired News:

    http://www.wired.com/news/business/0,1367,69243,00.html

    And here's something from the government about authentication for online banking:

    http://www.ffiec.gov/pdf/authentication_guidance.pdf

  • Instead of trying to honestly answer the question, just treat the questions as if they were password prompts and the answers as if they were passwords.

    For example, if a question says, "favorite movie", enter something like "Ishtar"; then you can answer that one on every site.

    The answers do not have to be true, they just have to be something you'd recognize.

    Speaking of cats, http://pandagon.net/2007/02/25/how-do-you-figure-out-your-cat-loves-this/

  • I have seen at least one site which allows you to provide your own question, as well as your own answer to it.

    I have a few passwords which are probably as close to unbreakable as passwords of those lengths can be, because they're based on things I happen to remember from my childhood, but which are otherwise obsolete and there's almost no reason anyone would associate them with me, yet they're things I can remember easily.

    This probably wouldn't help someone who doesn't have my particular quirks of memory.

    Unfortunately I have far too many passwords to choose all of them using these techniques, so I only use them for the ones I really want to be secure.  I have a simpler but still fairly obscure approach for choosing my other passwords, and indeed I have some passwords ingrained into my brain (non-alphanumeric characters and all) that date back to at least 1986.

  • I know this is late, but I just did two sets of these and need to rant.

    I had to invent a wedding to deal with these idiotic things.  At least with that one I'll know for sure I invented answers and need to look them up, instead of randomly guessing.

    Two of my questions asked for grandmother's place of birth.  Or maybe middle name.  Who knows that stuff?

  • What these banks should really be doing is something along the lines of what ETrade is doing.  ETrade, after having some people in Eastern Europe place trojans on customer computers to log the keystrokes of their passwords, decided that having just "Something you Know" as the login factor was too insecure.  Keystroke loggers will log EVERYTHING, including these inane extra "Security Questions".  So the extra security they provide is actually a false sense of security.

    The solution that ETrade came up with is the use of true two factor authentication:  1.  Your username/password that you know in your head and 2. The entry of a SecurID Token passcode which changes every 60 seconds and is ONLY found in a hardware device that you keep on your keychain.  Thus, nefarious individuals would not only need to have logged your password and username keystrokes with a trojan horse keystroke logger, but would also need to have physically stolen your SecurID dongle to have access to the randomly rotating 6 digit code.  Number 2 is highly unlikely for someone in Eastern Europe who is trying to attack Western European or North American ETrade accounts.

    More banks should use these dongles, either the SecurID two factor rotating password dongles, OR the even more secure certificate based dongles like those from Aladdin Knowledge Systems (eToken).  They just refuse to do so because of the added cost (time or money) required to purchase and implement the technology.

    To exert my own pressure to enforce this little bit of improved security, I've started asking my financial institutions to use those two methods of two factor authentication (or even three factor with the third based on a biological element, like fingerprint) if they want to do business with me.

    Just a few thoughts.  :-)

  • Like Rosyna said, just use the questions as an opportunity to enter your own secondary password. If they ask where you grew up, you can enter Angelus. If they ask your mother's maiden name, use Angelus. If they ask what your pet's name is, use Angelus. The point is that this is the chance to make something up at random so even if people know or guess the actual answer to these questions, they will never be right.

  • Which of my grandfathers' hometowns should I pick when you ask me "what's your grandfather's hometown?"
