Authentication questions alone no longer safe

Summary: The answers to questions meant to verify one's identity can now be found online using search engines or social networks, which means this measure should be augmented with other authentication tools.


Questions used by service providers to authenticate users' identities can no longer be the only means of verification given that the answers can be easily found using search engines, social networking sites, or through spear phishing attacks. It should, instead, be part of a multi-level authentication strategy, observers say.

Joseph Steinberg, CEO of Green Armor Solutions, said that in today's climate of easy Internet access through mobile devices and a growing number of digital natives posting personal information online, authentication questions for network and Web site access are no longer safe.

This is because information once deemed confidential, such as one's identity or social security number and a person's mother's maiden name, can now be found by simply doing a search on Google, Steinberg explained.

Social media platforms are also good hunting ground for cybercriminals looking to find users' personal details, he pointed out. For instance, LinkedIn is a good resource for those looking for answers to questions on a person's first job, the university they studied in, and even the city the university was based in. Facebook or Pinterest, on the other hand, could provide answers to a person's mother's maiden name, the city he grew up in, or his personal interests, he said.

Ronnie Ng, director of systems engineering at Symantec Singapore, added that cybercriminals who have conducted spear phishing attacks to get a user's password would likely possess the information needed to crack simple authentication questions, too.

Knowledge-based questions not safe either
There are stronger types of authentication questions, or "knowledge-based questions", which cannot be answered by an educated guess after trawling for information online, Steinberg noted.

These questions usually rely on non-public information, such as the amount of a person's monthly mortgage payment, the name of the bank used to make that payment every month, or the street the user lived on many years ago, he stated.

Chris Brennan, CEO of NetAuthority, said knowledge-based authentication can be too complicated, however, which then undermines user experience and consumer satisfaction. The answers for such questions could be too obscure, so users are unlikely to remember them, he said.

Marketing executive Olivia Chu agreed with Brennan's assessment. She recounted that when her bank asks her when her last transaction was made, she tends to not remember. "I have to think really hard, and it's really annoying even though it's for the safety of my account," she said.

These knowledge-based authentication questions are not immune to being cracked either, warned Steinberg. For instance, some mortgage records are publicly available, and persistent hackers can derive the right answer from the information they have gathered, he noted.

To strengthen security, Symantec's Ng called on service providers to devise a multi-level authentication to secure their networks and sites and protect their customers.

Device-based authentication, in tandem with knowledge-based questions, will make security that much tighter. For identity verification, a series of questions should be asked, he added.

That said, such strategies should be developed with users' convenience in mind too, the director urged. This is so that people are not too put off by the additional security layers and longer time taken to authenticate themselves.

Users also have a role to play in that they should create questions with unique answers that only they would know, and ensure this information is not compromised or shared on public platforms, Ng stated.


Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.



  • There's no law that says...

    There's no law that says you have to enter your mother's real maiden name when setting these things up. You can say your mother's maiden name is LifeOnMars. The computer doesn't know the difference, and you're safer.
    none none
  • They never were.

    "Authentication questions alone no longer safe"

    They never were. In fact, they were always a horrible idea. Recover a complex password with a mechanism that is far easier to crack? What bonehead decided that was a good idea at all?

    They were always a bad idea. They have always been easier to crack than passwords. I never liked them.

    Frankly, I'd recommend lying to those questions. Make stuff up. If you're concerned about forgetting, write the answers down. But don't actually put in the real answers to those questions.

    It doesn't matter whether the answers are actually correct, it only matters that they match when you want to recover your password.
    • Correct as usual....

      It took "experts" HOW LONG for this obvious thought to dawn on them????
      expert - ex is a "has been", and a spurt is a drip under pressure.
  • "Authentication questions alone no longer safe"

    Both CobraA1 and none none are quite correct, and I for one never write down passwords or this sort of check, though I suppose they are very compromisable, as you can only remember a small number of such passwords.

    What you know (WYK) used alone for authentication is obsolete - gone - finished BUT without any interest by politicians in creating a better regime for authentication by regulation NOTHING will change!

    Even when you shop at your favourite supermarket - the old adage of using 2 mechanisms for authentication by use of your ATM card for EFTPOS with a password WAS in line with the best security thinking (you have to have your card + you have to know your PIN and you enter both in a high-trust, verified entry unit - the connected "PINPad" - not by leaning over the checkout operator and using the cash register!)

    BUT - without any concern by politicians and governments we now have the "what you possess" (WYP) authentication technique alone - yes - that "fast wireless" based technique now being offered for transactions under some amount ($30, $100??), and we have credit card transactions authorised by "what you know" (WYK) just entered into an untrustworthy PC / mobile phone / tablet, etc.

    Remember the IBM PS/2 PC? The keyboard in Europe had a "chip card" reader/writer incorporated into it! Didn't last long! No forceful legislation requiring its use, etc.

    So - overall - interest by governments in protecting their citizens and businesses by strengthening security has actually DECREASED at a very time of increased threats and exposure of vulnerabilities.

    Yes - the use of 2 factors has been long accepted as a MINIMUM for any form of authentication - and even use of "what-you-are (WYA)" has been around in some cases (fingerprints, retinal patterns, etc.)

    BUT remember!

    Just like seat belts in cars, etc industry and commerce have NEVER been known to embrace higher security levels without associated regulatory environments! AND that is the role of government - it has a fundamental role to protect and safeguard its citizens particularly where interactions are one-sided (the ordinary user has no idea about how the EFTPOS system really works, etc.)

    The situation is unbalanced and it is the role of government to get that balance back. Commerce and industry has no real interest in that today - just take the risk and mop up later! (No continuous monitoring of consumer transactions at the banks' back end is just NOT sufficient - just cheaper!)
  • Better regime for authentication by politicians?

    What the heck does Government have to do with how anyone determines minimum password requirements and alternate authentication methods? If they had anything to do with it we would still be using DOS machines and usenet would be the closest we had to the internet. The government, and the law, are so far behind what is currently happening that anything they proposed we have probably already surpassed.
    Yes, just what we need, rules based on incompetence on how we do business.