In creating an account at Healthcare.gov, users are asked to select three security questions and provide answers to them. I assume these are used in case users forget their username or password.
While challenge questions can add a layer of security, they should be something that only the authorized person can answer. How do these questions from Healthcare.gov look?
These look like questions whose answers are likely to be known by one's friends and family. Many of the answers are likely posted somewhere on the Facebook profiles of many Americans. How can these be secure?
@brintish @QualityFrog If you have to have security questions, the best sniff test is "Can my ex answer this?" If so, it's a bad question.
— Katie Cunningham (@kcunning) October 13, 2013
And, if this wasn't bad enough, the insurance application process requires a security question and answer that third parties can use to access your information. For third-party access to your account, you have to select one of only four options, all of which are likely to be known by friends and family, and your ex.
To me, these questions demonstrate a lack of respect for the American people. Anyone building a software system like the new Healthcare Insurance Marketplace should know better.
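The post's point is that a security answer is a credential, and one whose value is known to anyone who knows you. The following is an added example (not code from the original post or from Healthcare.gov) showing what that implies on both sides: the user treats the answer as a random secret unrelated to the question and keeps it in a password manager, and the server stores and checks it the way it would a password. The wordlist, the "acquaintance facts", and the scrypt parameters are all constructed for illustration; the `fails_ex_test` check is simply the tweet's "can my ex answer this?" test applied to a list of facts an acquaintance could know.

```python
import hashlib
import hmac
import math
import re
import secrets

# Constructed mini wordlist for this example. A real deployment would use a
# large list (the EFF diceware list, for instance) so each word adds ~12.9 bits.
WORDLIST = [
    "anvil", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "yarrow",
]

# Constructed facts an ex or a Facebook friend could plausibly know.
ACQUAINTANCE_KNOWS = ["Lincoln High", "Rex", "Smith", "Springfield"]

# scrypt cost parameters (assumed values for the example): 128 * n * r bytes of
# memory, i.e. 16 MiB here, which keeps an offline guessing attack expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_answer(words=4, wordlist=WORDLIST):
    """Random passphrase-style answer for a security question.

    The answer has nothing to do with the question, so nothing on a social
    media profile helps an attacker; it belongs in a password manager.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def answer_entropy_bits(words=4, wordlist=WORDLIST):
    """Bits of entropy in a generated answer: words * log2(len(wordlist))."""
    return words * math.log2(len(wordlist))


def normalize(answer):
    """Case-fold, drop punctuation and collapse whitespace so that
    'Lincoln High!' and 'lincoln  high' compare equal. The same function
    must run at enrolment and at verification."""
    answer = answer.casefold()
    answer = re.sub(r"[^\w\s]", "", answer)
    return " ".join(answer.split())


def fails_ex_test(answer, acquaintance_knows=ACQUAINTANCE_KNOWS):
    """Katie Cunningham's sniff test from the post: could an ex (or anyone
    with access to your profile) supply this answer? True means it is bad."""
    known = {normalize(fact) for fact in acquaintance_knows}
    return normalize(answer) in known


# Server side: the answer is a credential, so store it like a password.
def enroll_answer(answer):
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_answer(candidate, record):
    """Recompute the digest for the candidate and compare in constant time."""
    salt, digest = record
    cand = hashlib.scrypt(normalize(candidate).encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(cand, digest)


def enroll_and_verify(answer, candidate):
    """Convenience round trip: enrol `answer`, then check `candidate`."""
    return verify_answer(candidate, enroll_answer(answer))


if __name__ == "__main__":
    factual = "Lincoln High"
    print(f"{factual!r} fails the ex test: {fails_ex_test(factual)}")
    random_answer = generate_answer()
    print(f"generated answer: {random_answer!r} "
          f"(~{answer_entropy_bits():.1f} bits, ex test fails: "
          f"{fails_ex_test(random_answer)})")
    print("round trip verifies:", enroll_and_verify(random_answer, random_answer))
```

Rate limiting of recovery attempts and not echoing which question failed are still needed on the server; hashing only protects the stored answers if the database leaks, it does not stop online guessing of a four-option question whose answers are on Facebook.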
6 Comments (posted October 15, 2013 at 12:36 PM; October 21, 2013 at 5:46 PM; October 30, 2013 at 9:49 AM; October 30, 2013 at 10:25 AM; November 1, 2013 at 3:30 AM; November 13, 2014 at 8:01 PM):
Written by: Robert Martin
I think there is a delicate balance here in providing security questions that the user can easily remember the answers to and providing security questions that are, in fact, secure. If the security question is too obscure, it is detrimental to the user experience, even if it keeps the stuff secure.
Perhaps a blend of a security question and some other means (like e-mail recovery without exposing the e-mail address and then an embedded, timed link... without having the link timeout before the e-mail is received) is the best way because I'm not convinced, really, security questions alone do any good.
Written by: Anonymous
There's no requirement that the answers to your security questions be factual.
Question: Where were you born?
Answer: On the side of the road.
Written by: Unknown
Anyone who answers factually is asking for trouble. These questions are better than most in the industry.
As the previous comment points out, users should always have standard fake answers. How many years ago did a former Alaskan Governor have her email hacked because she answered correctly when asked where she went to high school?
My bank still asks for my mother's maiden name.
Written by: Ben Simo
In testimony before a congressional committee this morning, HHS Secretary Sebelius referred to these questions as "personalized questions that can only be verified by you". They aren't.
And yes, we should not answer these questions truthfully. However, I suspect that most people aren't thinking that they need to answer these with something other than the truth. And by asking these specific questions, Healthcare.gov (and others) is setting people up to have their accounts compromised.
Written by: Anonymous
The problem with those security questions is that you need to have answers to them that YOU can remember and someone else cannot. If you give true answers to any of the example questions, someone else would know the answer or could look it up.
If you give untrue answers, as you should, then YOU cannot remember an answer on some site after many months (unless you keep a record of what you answered, but who does that (and it is as bad as writing down your passwords)).
So this whole system of automated security questions and answers is flawed anyway.
If I forgot my password, how should I know the answer to a security question that I needed to make up anyway, long ago (assuming I do not need to use it often, as I usually do remember my password)?
Written by: Anonymous
I can't remember my security answers and therefore cannot get a new password reset ... so I'm not able to buy health insurance as I can't sign in.