While challenge questions can help add security, they should be something that only the authorized person can answer. How do these questions from Healthcare.gov look?
These look like questions whose answers are likely to be known by one's friends and family. Many of those answers are probably posted somewhere on the Facebook profiles of many Americans. How can these be secure?
@brintish @QualityFrog If you have to have security questions, the best sniff test is "Can my ex answer this?" If so, it's a bad question.
— Katie Cunningham (@kcunning) October 13, 2013
As if that weren't bad enough, the insurance application process also requires a security question and answer that third parties can use to access your information. For third-party access to your account, you have to select one of only four options, all of them likely to be known by friends, family, and your ex.
To me, these questions demonstrate a lack of respect for the American people. Anyone building a software system like the new Healthcare Insurance Marketplace should know better.
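To make the "can my ex answer this?" point concrete, here is an added example (not code from the post or from Healthcare.gov) that models what it means to treat a security-question answer like a password on both sides. The user supplies a random answer that lives in a password manager rather than in memory; the site normalizes, salts and slow-hashes the answer, compares in constant time, and locks the account after a handful of failures. The user names, the candidate list, the lockout threshold and the PBKDF2 parameters are all constructed assumptions for the demo. Running it shows a factual "where were you born?" answer falling to a six-entry guess list on the third try, while the random answer survives until the lockout trips.

```python
"""Security-question answers treated as secrets: a small model.

Added example, not code from the original post or from Healthcare.gov.
Assumptions (all constructed for the demo): a per-user PBKDF2 salt,
a lockout after MAX_ATTEMPTS failures, and the sample users and guesses.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import unicodedata

MAX_ATTEMPTS = 5             # assumed lockout threshold
PBKDF2_ITERATIONS = 100_000  # assumed; tune upward for production hardware


def normalize(answer: str) -> str:
    """Canonicalize an answer so 'Spring FIELD ' and 'springfield' match.

    This helps the legitimate user who types it slightly differently
    months later; the attacker gains nothing, because guesses are
    canonicalized the same way.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def random_answer(nbytes: int = 12) -> str:
    """A high-entropy answer meant to live in a password manager, not memory."""
    return secrets.token_urlsafe(nbytes)


def _digest(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=32,
    )


class AnswerStore:
    """Server side: stores only salt + hash and counts failures per account."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enroll(self, user: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[user] = {
            "salt": salt, "hash": _digest(answer, salt), "failures": 0,
        }

    def verify(self, user: str, answer: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        rec = self._records[user]
        if rec["failures"] >= MAX_ATTEMPTS:
            return "locked"
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(_digest(answer, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_ATTEMPTS else "wrong"


def guess_attack(store: AnswerStore, user: str, candidates: list[str]):
    """Attacker side: try a short candidate list, e.g. scraped from a profile.

    Returns (outcome, guesses_used), where outcome is 'ok' (account taken),
    'locked' (lockout tripped) or 'exhausted'.
    """
    for i, guess in enumerate(candidates, start=1):
        outcome = store.verify(user, guess)
        if outcome in ("ok", "locked"):
            return outcome, i
    return "exhausted", len(candidates)


# Constructed candidate list: the kind of "where were you born?" answers an
# ex or a Facebook friend could assemble in a minute.
PROFILE_GUESSES = ["Boston", "Chicago", "Springfield", "Denver", "Houston", "Miami"]


def demo():
    store = AnswerStore()

    # User who answered factually (and typed it a bit differently later).
    store.enroll("alice", "Springfield")
    owner_sloppy_ok = store.verify("alice", "  spring FIELD ") == "ok"
    factual_result = guess_attack(store, "alice", PROFILE_GUESSES)

    # User who used a random answer kept in a password manager.
    answer = random_answer()
    store.enroll("bob", answer)
    owner_random_ok = store.verify("bob", answer) == "ok"
    random_result = guess_attack(store, "bob", PROFILE_GUESSES)

    return owner_sloppy_ok, factual_result, owner_random_ok, random_result


if __name__ == "__main__":
    print(demo())  # (True, ('ok', 3), True, ('locked', 5))
```

Two caveats a practitioner would add: a per-account lockout lets an attacker lock the real owner out, so it has to be paired with throttling and a recovery channel that does not depend on the same questions; and hashing does nothing for a question whose answer space is a few dozen plausible cities, which is exactly why the random answer matters more than the server-side storage.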
I think there is a delicate balance here in providing security questions that the user can easily remember the answers to and providing security questions that are, in fact, secure. If the security question is too obscure, it is detrimental to the user experience, even if it keeps the stuff secure.
Perhaps a blend of a security question and some other means (like e-mail recovery without exposing the e-mail address, and then an embedded, timed link... without having the link time out before the e-mail is received) is the best way, because I'm not convinced, really, that security questions alone do any good.
There's no requirement that the answers to your security questions be factual.
Question: Where were you born?
Answer: On the side of the road.
Anyone who answers factually is asking for trouble. These questions are better than most in the industry.
As the previous comment points out, users should always have standard fake answers. How many years ago did a former Alaskan Governor have her email hacked since she answered correctly when asked where she went to high school?
My bank still asks for my mother's maiden name.
In testimony before a congressional committee this morning, HHS Secretary Sebelius referred to these questions as "personalized questions that can only be verified by you". They aren't.
And yes, we should not answer these questions truthfully. However, I suspect that most people aren't thinking that they need to answer these with something other than the truth. And by asking these specific questions, Healthcare.gov (and others) is setting people up to have their accounts compromised.
The problem with those security questions is that you need to have answers to them that YOU can remember and someone else cannot. If you give true answers to any of the example questions, someone else would know the answer or could look it up.
If you give untrue answers, as you should, then YOU cannot remember the answer on some site after many months (unless you keep a record of what you answered, but who does that, and it is as bad as writing down your passwords).
So this whole system of automated security questions and answers is flawed anyway.
If I forget my password, how should I know the answer to a security question that I had to make up anyway, long ago (assuming I do not need to use it often, as I usually do remember my password)?
I can't remember my security answers and therefore cannot get a password reset... so I'm not able to buy health insurance, as I can't sign in.