Thematic Research: Personal knowledge questions for fallback authentication: Security questions in the era of Facebook

Although this piece of research is a few years old, we noticed that companies have done little to improve the selection of security questions their users must choose from in order to keep their personal banking and other sensitive information safe from intruders. For this reason, we decided that this paper is still relevant and should be included in our thematic research.

This paper explores the password retrieval mechanisms of personal banking websites and other services such as Facebook, which heavily rely on security question authentication.

The paper found that in most cases users were given only a limited set of questions to choose from, and that these were generally weak, leaving users to pick security questions whose answers could be guessed.

The questions were divided into subcategories, some of which showcase the weaknesses of the most common security questions:

Guessable

Many security questions were found to be easily guessable by people other than the appointed user.

Attackable

Questions such as “Where was your first job?” include information that can be found publicly about a person, perhaps on a job application or an online profile such as LinkedIn. This means that a quick web search about an individual could put their privacy and security at risk.

Automatically Attackable

“What year did you graduate from college?” is a common security question for social media applications such as Facebook. The nature of this question means the answer could be retrieved in an automated way, as such information is routinely publicly visible on Facebook profiles.
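The "Guessable" category above is the one a site operator can measure directly: if a few common answers cover a large share of users, an attacker needs only a handful of attempts per account. The following audit is an added example, not code from the paper or from this post; the answer data is constructed, the `beta_success_rate` name follows the usual guessability metric, and the 20% threshold is a placeholder policy value.

```python
import re
from collections import Counter

# Constructed sample data (not from the paper): 100 answers per question
# that a fictitious user population gave to three fallback questions.
SAMPLE_ANSWERS = {
    "What is your favourite colour?":
        ["Blue"] * 20 + ["blue"] * 15 + ["BLUE "] * 3 + ["red"] * 22
        + ["Green"] * 14 + ["black"] * 9 + ["purple"] * 7 + ["pink"] * 5
        + ["yellow"] * 3 + ["orange"] * 2,
    "What city were you born in?":
        ["London"] * 8 + ["london"] * 4 + ["Manchester"] * 6
        + ["Birmingham"] * 5 + [f"Town{i}" for i in range(77)],
    "What was the name of your first pet?":
        ["Max"] * 5 + ["Bella"] * 4 + ["Charlie"] * 3
        + [f"Pet{i}" for i in range(88)],
}

def normalise(answer):
    """Canonicalise an answer the way a lenient verifier does: case-fold,
    drop punctuation, strip surrounding whitespace. Lenient matching shrinks
    the effective answer space, so it must be applied before measuring it."""
    return re.sub(r"[^a-z0-9 ]", "", answer.casefold()).strip()

def beta_success_rate(answers, k):
    """Fraction of accounts an attacker opens with k guesses per account when
    guessing the k most common normalised answers. k should be set to the
    number of attempts the site allows before lockout."""
    counts = Counter(normalise(a) for a in answers)
    covered = sum(c for _, c in counts.most_common(k))
    return covered / len(answers)

def audit_question_bank(bank, k=3, threshold=0.2):
    """Return {question: (rate, flagged)}; a question is flagged when k online
    guesses would break more than `threshold` of accounts (placeholder policy)."""
    report = {}
    for question, answers in bank.items():
        rate = beta_success_rate(answers, k)
        report[question] = (round(rate, 2), rate > threshold)
    return report

if __name__ == "__main__":
    for q, (rate, flagged) in audit_question_bank(SAMPLE_ANSWERS).items():
        print(f"{'WEAK' if flagged else 'ok  '}  beta_3={rate:.2f}  {q}")
```

In the constructed sample, three guesses cover 74% of favourite-colour answers and 23% of birthplaces, so both would be flagged, while first-pet names fall under the placeholder threshold.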

Overall, this paper highlights that most security question systems used by online banking and other companies that handle sensitive information about individuals are surprisingly weak and in need of redesigning. Twelve years later, this still remains a concern.

Source:

Rabkin, A. (2008). Personal knowledge questions for fallback authentication: Security questions in the era of Facebook. Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS 2008), pp. 13–23.
