Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Any form of security questions is even weaker than passwords - and attacks against passwords work the same or better against security questions.
Additionally some questions are not even legal ("mother's maiden name") and they are absolutely inconvenient if a secure answer (e.g. not trivially possible to lookup for the most people) is wanted. Also some answers may change ("favourite animal/colour").
Why would anyone want them!? -
@PublicByte You know about password managers, don't you?
Anyway, "secondary" passwords are bad:
1. People (on average) are bad at choosing passwords - they will do for secondary (or tertiary or ...) as well.
2. The idea of two factor authentication is to not allow the same attacks against the factors.
Example: For a bank transaction I have to submit a password and a transaction code that is only valid once for this specific transaction generated on an independent device.
Even if the attacker knows my password with any attack (guessing, phishing, depending how the transaction code is generated even malware on the device) the attacker can't do anything with it. -
@NoToJavaScript
Questions are still valid for password reset, but only when hooked to services like westlaw's identity cube and only if there's regulation requiring it. -
@sbiewald well... #neuland
Working with external teams on this new project involving pretty sensitive stuff like bank transactions.
Talking about user flow and how to handle authentication, like 2-factor and stuff.
Newish guy on external team (though experienced) says they have a proposal.
Security Questions.
... like "What was you first car" security questions...
awkward silence in room...
rant
fintech security authentiation