Do Authenticaton Questions Really Protect You?

With so much information shared online, authentication questions can be trivial for attackers to bypass.

What is your mother's maiden name? It seems like that question has been used as secondary authentication to verify identity since the dawn of time. Over time, the authentication questions have become much more diverse. Sites now ask for things like what city you went to high school in, or who was your favorite teacher, or what was your first car.

The problem with most authentication questions, though, is that the information can often be found with a simple Google search or two. Ten years ago, or even five years ago it might have been much harder to learn the answers to such obscure questions. But, in the current age of oversharing on social networks it's entirely possible all your intimate details are out there somewhere.

Have you ever participated in the Internet meme of answering a series of questions about yourself and then passing the results on to a group of friends? Many have. The purpose of the exercise is to share more information and get to know people better, but the fallout is that those questionnaires often target the same sort of semi-obscure information that authentication questions ask for.

The real problem with authentication questions is that they can be guessed or breached the same way a password can. An attacker may not know who your favorite sports team is. But, given a few contextual clues from your social networking profiles, conducting a search of your tweets on Twitter, or simply trying different sports teams out until the right one is discovered, the attacker can probably get past the authentication questions.

Like a username, the authentication question might seem like it adds a layer of security--and to some extent that's true. But, usernames are easily guessed, and authentication questions are becoming increasingly trivial to bypass thanks to social networking. The password should be the toughest part of this equation, yet many people still use their cat's name or "123456" despite years of security experts drilling about choosing better passwords.

One solution that might help a little is to make up a fictitious answer. For example, maybe you went to high school Omaha, and everyone online knows you went to high school in Omaha. But, for the purposes of your authentication security question you could change the answer to "Metropolis" or "onion rings" and just keep that information to yourself.

Some sites and services let you create your own custom authentication questions. This can also be an opportunity to create something unique that nobody but you would know the answer to. The sillier you are with both the question and the answer, the less likely it is that an attacker could guess it.

To protect your data from viruses, phishing attacks, and other malware--whether its on your PC, smartphone, or tablet--you should have some sort of cross-device security tool in place. But, when it comes to preventing unauthorized access to information stored elsewhere, two-factor authentication provides better protection.

An attacker may be able to guess your username, Google the answers to your authentication questions, and crack your password. But, if access to your data also requires a unique PIN that can only be sent to the mobile phone you have registered with the account for that purpose it makes it much harder to get in.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Jeffers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts