
Working with external teams on this new project involving pretty sensitive stuff like bank transactions.

Talking about user flow and how to handle authentication, like 2-factor and stuff.

Newish guy on external team (though experienced) says they have a proposal.

Security Questions.

... like "What was your first car" security questions...

awkward silence in room...

Comments
  • 0
    Any form of security questions is even weaker than passwords - and attacks against passwords work the same or better against security questions.
    Additionally, some questions are not even legal ("mother's maiden name"), and they are absolutely inconvenient if a secure answer (e.g. not trivially possible to look up for most people) is wanted. Also, some answers may change ("favourite animal/colour").

    Why would anyone want them!?
  • 0
    @PublicByte You know about password managers, don't you?
    Anyway, "secondary" passwords are bad:
    1. People (on average) are bad at choosing passwords - they will do for secondary (or tertiary or ...) as well.
    2. The idea of two factor authentication is to not allow the same attacks against the factors.

    Example: For a bank transaction I have to submit a password and a transaction code that is only valid once, for this specific transaction, generated on an independent device.
    Even if the attacker knows my password from any attack (guessing, phishing, or, depending on how the transaction code is generated, even malware on the device), the attacker can't do anything with it.
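    The scheme this comment describes, as an added illustration (not code from the commenter or their bank, whose actual code generation is not stated): a constructed HMAC-based transaction code, bound to the recipient and amount and consumed once, so a phished password alone, a replayed code, or a code redirected to another recipient is each rejected. Key, password and account strings are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the bank and the customer's independent device.
DEVICE_KEY = secrets.token_bytes(32)


def _code(key: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """8-digit code derived from the transaction details, so it is useless for any other transfer."""
    msg = f"{counter}|{recipient}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class SigningDevice:
    """Customer's separate device: produces one code per transaction, never reusing a counter."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0  # monotonic, so two identical transfers still get distinct codes

    def code_for(self, recipient: str, amount_cents: int) -> tuple[int, str]:
        self._counter += 1
        return self._counter, _code(self._key, self._counter, recipient, amount_cents)


class Bank:
    """Server side: requires the password AND a code matching this exact transaction."""

    def __init__(self, password: str, device_key: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._key = device_key
        self._used: set[int] = set()  # counters already consumed; blocks replay of an observed code

    def transfer(self, password: str, recipient: str, amount_cents: int, counter: int, code: str) -> str:
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(pw, self._pw_hash):
            return "rejected: bad password"
        if counter in self._used:
            return "rejected: code already used"
        expected = _code(self._key, counter, recipient, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "rejected: code not valid for this transaction"
        self._used.add(counter)
        return "approved"
```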
  • 3
    security questions are obsolete.

    Force everyone to 2FA.

    Don't you guys have phones?

    (Ok, I know where the door is)
  • 0
    @NoToJavaScript
    Questions are still valid for password reset, but only when hooked to services like westlaw's identity cube and only if there's regulation requiring it.
  • 0
    @PublicByte Both are bad. Security questions don't provide any good security, but a secondary password won't either.
    Alternatively we could just enforce longer passwords, it would have the same effect but they are more convenient.
  • 0
    I switched completely to passwords I can't remember at all using a manager. 30 characters, upper and lower case, alphanumeric, symbols... And then there is my bank... Allowing no special characters, and it can't be longer than 8...
  • 0
    @manolito
    Some German banks only allow 8 digit numeric passwords...
    Luckily two factor authentication is mandated by law.
  • 1
    @sbiewald well... #neuland