Recently, I have been working with some clients on the creation and implementation of security questions. The password reset questions, or “security questions” are sometimes overlooked in the design and implementation of IAM Programs. Here are a few of my thoughts, and success tips for addressing the question of security questions.
First, let’s define what security questions are, and what their purpose is. Some organizations overthink this, and of course, some underthink it. Whichever side you are on, it is good to start from the premise that security questions in Identity Management Systems, or IdMS exist for one and only one purpose: password reset. Maybe that’s my segue to talk about what security questions are not:
- Security questions are not there to collect reams of personal data
- Security questions are not there to determine your job status, residency status, birth legitimacy status, or anything similar
- Security questions are not a means of tracking you down
Some organizations spend an enormous amount of time analyzing security questions from a risk, legal, or “should we really have that person’s personal details” perspective. Far less time goes to the practical question: what balance of security and usability will get this person’s password reset when he or she has forgotten it for the fifth time and is consuming Helpdesk budget with constant reset calls? Over the years, I have worked through a number of client concerns and objections to stock (off-the-shelf) security questions. Here are a few of the common objections:
- That question could be used to determine a person’s residency (legal/illegal) status
- That question is “too personal”
- That question is “too general”
- That question is “too specific”
- That question is too weak or easily guessed (think of the 2008 Palin e-mail compromise, where the reset answers were a matter of public record)
- We are asking the person too many questions
- We are not asking the person enough questions
- We just don’t like the list of questions you gave us
- These questions could be used as a social engineering attack
My opinion? There are no absolutely perfect security questions, or groups of questions. Any question, or series of questions, can be picked apart on a number of different levels, especially legal and cultural (not to mention security). Here are a few of my suggestions for working through the security/password reset questions exercise:
- Ensure that security questions, also known as password reset questions, or “forgot password” questions, are consistent with the goal. If your goal is to reduce password-related Helpdesk calls by 75% for example, your question set should be consistent with that goal.
- Consider your audience. Is your audience global and disconnected? Local and integrated? Old and young? Male and female? Are questions likely to offend, or potentially lead to misinterpretation? Remember too that part of your goal is to improve service for the end user, so don’t make him or her think too hard about the questions. Questions should favor ease of recall for the user over security complexity, with one caveat: an answer that is easy for the user to recall must not also be easy for a stranger to look up.
- Consider your legal requirements. In some Identity Management Systems, answers to security questions are stored in clear text within the database, where anyone with database or backup access can read them. Asking people for their Social Security Number or Passport Number therefore may (and likely will) be a legal violation of one form or another. Even for innocuous answers, treat them as credentials: normalize them, then salt and hash them as you would a password, rather than storing the text itself.
- Always keep in mind the balance of Security and Usability. Each is important to getting the job done.
- When using security questions, consider providing more choices, requiring more mandatory answers, and a higher count requirement for reset requests. For example, if your IdMS presents 20 potential questions to a user during the registration process, require 8 of them to be completed (but always encourage more). For “forgotten password” situations, consider requiring correct answers to 5 questions, and lock the reset process after 3 failed attempts so that the answers cannot be guessed at leisure. This will address most security concerns, and make the password reset process as secure as it can be without going up to the next level (see the last point below).
- Last but not least, consider something stronger than security questions. Security questions are popular because they allow for fully automated system resets, without the overhead of PKI certificates, hardware tokens, or biometric authentication. However, the question method may be inappropriate for some situations. In these instances, consider adding biometric authentication or a hardware token. Of course, if your requirements are at that level of stringency, then you likely would not still be using passwords for authentication. But alas, that is a topic for another time.
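The two points above about storage and about enrollment/reset counts can be shown together in code. The following is an added example, not code from the original post or from any IdMS product: an in-memory reset-verification module that uses the post’s policy numbers (8 answers required at enrollment, 5 asked at reset, lockout after 3 failures), stores only salted PBKDF2 hashes of normalized answers, and compares them in constant time. The question bank itself is represented only by question ids, and the normalization rules, KDF parameters, and sample answers are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from dataclasses import dataclass, field

# Policy numbers taken from the post: offer up to 20 questions, require 8 answers
# at enrollment, ask 5 at reset time, lock reset after 3 failed attempts.
MIN_ENROLLED_ANSWERS = 8
RESET_QUESTION_COUNT = 5
MAX_FAILED_RESETS = 3
# Assumed KDF settings (not from the post): PBKDF2-HMAC-SHA256, per-answer salt.
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Fold case, Unicode form, punctuation and whitespace so that
    "St. Mary's  School" and "st marys school" hash identically.
    This favors ease of recall for the user over strict matching."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # drop apostrophes, periods, hyphens ...
    return " ".join(text.split())        # collapse internal whitespace, trim ends


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Treat the answer like a password: salted, slow hash of the normalized text."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


@dataclass
class EnrolledAnswer:
    salt: bytes
    digest: bytes


@dataclass
class Account:
    """In-memory stand-in for the IdMS record; only hashes are kept, never answers."""
    answers: dict = field(default_factory=dict)  # question id -> EnrolledAnswer
    failed_resets: int = 0
    reset_locked: bool = False


def enroll(account: Account, answers: dict) -> None:
    """Register question/answer pairs at registration time. `answers` maps a
    question id from the stock list to the user's free-text answer."""
    if len(answers) < MIN_ENROLLED_ANSWERS:
        raise ValueError(f"at least {MIN_ENROLLED_ANSWERS} answers are required")
    for qid, text in answers.items():
        if not normalize_answer(text):
            raise ValueError(f"question {qid!r}: answer is empty after normalization")
        salt = os.urandom(16)
        account.answers[qid] = EnrolledAnswer(salt, hash_answer(text, salt))


def _record_failure(account: Account) -> bool:
    account.failed_resets += 1
    if account.failed_resets >= MAX_FAILED_RESETS:
        account.reset_locked = True  # from here on only the Helpdesk can unlock
    return False


def verify_reset(account: Account, responses: dict) -> bool:
    """Decide whether a 'forgot password' request may proceed. All
    RESET_QUESTION_COUNT answers must be correct; any shortfall counts as one
    failed attempt, and every answer is checked before the decision is returned
    so the caller cannot learn which individual answer was wrong."""
    if account.reset_locked:
        return False
    if len(responses) != RESET_QUESTION_COUNT or not set(responses) <= set(account.answers):
        return _record_failure(account)
    all_correct = True
    for qid, text in responses.items():
        enrolled = account.answers[qid]
        if not hmac.compare_digest(hash_answer(text, enrolled.salt), enrolled.digest):
            all_correct = False  # keep checking the rest; no early exit
    if all_correct:
        account.failed_resets = 0
        return True
    return _record_failure(account)


# Constructed sample enrollment (not real data) used by demo() below.
SAMPLE_ANSWERS = {
    "first_school": "St. Mary's Primary",
    "first_pet": "Biscuit",
    "birth_city": "Dún Laoghaire",
    "first_car": "Ford Fiesta",
    "childhood_street": "Elm Street",
    "favorite_teacher": "Mrs. O'Neill",
    "first_employer": "Links Hardware",
    "mother_maiden_name": "Kowalski",
}


def demo() -> tuple:
    """Enroll, then walk through a good reset, three bad resets and the lockout.
    Returns (first_reset_ok, locked_after_failures, good_answers_after_lock)."""
    account = Account()
    enroll(account, SAMPLE_ANSWERS)
    asked = ["first_school", "first_pet", "birth_city", "first_car", "childhood_street"]
    good = {qid: SAMPLE_ANSWERS[qid].upper() for qid in asked}  # shouting still matches
    first_ok = verify_reset(account, good)
    bad = dict(good, first_pet="Rover")
    for _ in range(MAX_FAILED_RESETS):
        verify_reset(account, bad)
    return first_ok, account.reset_locked, verify_reset(account, good)
```

Two design choices are worth noting. Normalization happens before hashing, so the stored digest never depends on how the user typed punctuation or case, which keeps the Helpdesk out of the loop without weakening the hash. And a malformed reset request (too few questions, or a question the user never enrolled) is counted as a failed attempt rather than silently ignored, so a client that probes the question set still burns its three tries.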
Question for discussion: What do you consider to be good security questions? Have any favorites?
Links Business Group LLC offers a full suite of Identity and Access Management solutions which leverage the infrastructure you already have, save time, save money, improve service delivery, and create happy auditors and users. Call today for an initial complimentary consultation at +1 877 769 8938.
All the best of Identity Management success,
Corbin H. Links, President
Links Business Group LLC