Security Questions Are a Bad Idea, and Here’s Why!

http://www.geekyharsha.in/2015/05/security-questions-are-bad-idea-and.html#


Ever since there have been passwords and accounts, there have been attackers trying to get their hands on them. Just as reliably, people have been forgetting their passwords. To let them recover, the account provider often asks a series of questions to which you supply “secret answers”. This system has been in use for many years, but it is riddled with ways to make an attacker’s job easier. Although the answers are nominally secret, in practice you are trading away security in the hope that one day this trade will help you recover your password.

What Makes Security Questions Horrible At Security


What Should Replace These Questions?
In addition to the security problems that questions introduce, they add confusion for those who cannot recall the city they were born in or the name of their first pet (it does happen). The answers are also not really secret: people who know you well can easily use them to get into your accounts. Hopefully, we have come to the conclusion by now that something needs to replace the “secret answer” method. Fortunately, there are several good contenders, one of the best being two-factor authentication.

The “secret answer” method was invented before people commonly had cell phones that could receive SMS messages. At this point in history, virtually everyone with access to the Internet has a cell phone. Out of 7 billion people, there are roughly 6.8 billion phones. Google has adopted a recovery method that sends a one-time code to the user’s phone by SMS. Those without a phone can register a backup email address, either their own or that of a trusted person, to receive the code instead. Because the code is random, short-lived and single-use, this method makes it very difficult to “guess” one’s way into an account without the user’s phone.

By using two-factor authentication, you solve two things at the same time:
  •     You minimize the risk of a person not remembering their “answer”, since a fresh SMS code is sent to the user on request, and
  •     You make a recovery method that is far harder to break, since the attacker would need access to a physical object that the user owns. (SMS is not perfect: a phone number can be hijacked through a SIM swap and messages can be intercepted, so an authenticator app or hardware key is stronger still, but any of these is a large improvement over guessable answers.)
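To make the properties above concrete, here is an added example (written for this page, not Google’s code or anything from the original post) of a minimal SMS recovery-code service. The class name `RecoveryService`, the constants, and the injected `send_sms` and `clock` callables are assumptions made for illustration; the SMS gateway is simulated by a callback so the code runs offline. It shows the three controls that actually do the work: a code drawn from the OS CSPRNG, a short expiry, and a cap on wrong guesses, with the code consumed after one successful use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # length of the code sent over SMS
CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


@dataclass
class PendingRecovery:
    code_hash: bytes      # hash of the code, so the store never holds it in clear
    expires_at: float
    attempts_left: int


class RecoveryService:
    """Issues and verifies single-use SMS recovery codes (illustrative, hypothetical API).

    send_sms(phone, message) and clock() are injected so the class can be
    exercised offline; a real deployment would wire in an SMS gateway.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}  # username -> PendingRecovery

    @staticmethod
    def _hash(code: str) -> bytes:
        # A 6-digit code has only 10**6 values, so this hash is trivially
        # brute-forceable offline. It only keeps codes out of plain view in the
        # store; the real protections are the short TTL and the attempt cap.
        return hashlib.sha256(code.encode()).digest()

    def begin(self, username: str, phone: str) -> None:
        # secrets.randbelow draws from the OS CSPRNG; zfill keeps leading zeros
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._pending[username] = PendingRecovery(
            code_hash=self._hash(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_sms(phone, f"Your recovery code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False                          # nothing outstanding for this user
        if self._clock() > rec.expires_at:
            del self._pending[username]           # expired: the user must start over
            return False
        rec.attempts_left -= 1
        ok = hmac.compare_digest(self._hash(submitted), rec.code_hash)
        if ok or rec.attempts_left == 0:
            del self._pending[username]           # single use, or locked out
        return ok


if __name__ == "__main__":
    # Constructed sample data: a fake outbox stands in for the SMS gateway.
    outbox = []
    svc = RecoveryService(send_sms=lambda phone, msg: outbox.append((phone, msg)))
    svc.begin("alice", "+1-555-0100")
    print("SMS sent:", outbox[-1])
    code = outbox[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "999999"
    print("wrong code accepted?   ", svc.verify("alice", wrong))
    print("right code accepted?   ", svc.verify("alice", code))
    print("replayed code accepted?", svc.verify("alice", code))
```

Without the attempt cap, a six-digit code would fall to roughly a million online guesses; with it, an attacker who does not hold the phone gets five guesses per code and then has to trigger a new SMS, which the user will notice. Note that this example does nothing about SIM swapping, which is a property of the phone network rather than of the server-side code.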