Cross Identity

Official Blog

Are Security Questions Secure Enough?


We are living in a digital world, and each of us is aware of the importance of securing our digital identities.

There is no shortage of guidelines, suggestions and tips from experts, yet often enough, just as we begin to think we have done our best to secure our identities, we get a reality check when some of the finest businesses become targets of security breaches or suffer serious damage.

According to this Fortune article, a serious data breach called “Collection #1” exposed 1.16 billion e-mail addresses and passwords.

Such instances have led us to believe that it is better to add as many layers of security to accesses and credentials as we can – a required step in the right direction.

Security questions – not as secure as you think.

Today, most organizations resort to using Multi-Factor Authentication, a stringent authentication technique that validates two or more independent credentials.

Validation techniques include soft tokens, biometrics, e-mail OTP, SMS OTP, etc. However, challenge-response questions, also known as security questions, remain a technique that is often chosen to authenticate identities.

For instance, when you create an account on a new service, you are asked questions like ‘what is your maiden name’ or ‘what is the name of the street you grew up on’, etc. You answer these questions and your account gets activated; later, when you forget your password and get locked out of your account, you have to go back and answer the security questions to authenticate your identity and regain access.

Studies such as a Clark School study at the University of Maryland say that a data breach happens every 39 seconds! In other words, it is quite possible that by the time you enter your answer, your account may already have been compromised.

Tips on making your security questions more secure.

There are two aspects to security questions – The questions and the responses. Ideally, both and not just either of them should be as secure as possible.

Security Questions

Typically, security questions are set up in three ways:

1. Admin-defined: The admin of your organization defines the questions.
2. User-selected: The service provider/admin has a ready set of questions, and users select the questions from a drop-down list and answer them.
3. User-defined: The end-user defines the questions and has them configured.

According to Prasad Hiremath, Technical Lead, Cross Identity, it is always advisable to opt for admin-defined and user-selected security questions, as they are generally well thought out from a security point of view. While user-defined questions certainly give end-users the flexibility to define their own questions, such users tend to define extremely simple questions that are easy to answer or remember. Popular ones include ‘What is the name of my pet’ or ‘What is the name of my school’. Such questions are often redundant and insecure.


Responses to security questions

On the other hand, even if you choose a slightly difficult question like ‘What is your frequent flier number’ but have a predictable answer like, ‘12345’ to go with it, the whole point of having a complex security question becomes void.

So, here is what you may do instead:

1. Make up your answer

You don’t have to be honest with your answers. In fact, your response can be special characters, random letters or numbers, etc. For instance, if you are responding to a simple question like ‘what is the name of your hometown’, you may use something like “187!Aj*” as your response. Such responses are hard to guess and improve your account’s security.

2. Choose a complex but easy-to-remember response

Initially, you may use a complex response, but it often happens that the next time you answer the security questions, you have forgotten the response you originally gave. A simple way out is to use a 4-letter passcode or a 4-word passphrase – it is believed that a 4- or 6+-character response is a lot more difficult to crack.

3. Do not share your answers

As Pramod Bhaskar, CTO, Cross Identity, says, “The responses to security questions should be as personal as possible”. It is not advisable to share your answers with your friends or colleagues.

4. Keep a check on your social media

Sometimes your response may be right out there – on your social media. If you choose to answer questions like ‘when did you get married’ or ‘what is the name of your previous employer’, such information can be easily accessed on your LinkedIn, Facebook and Instagram profiles. Therefore, make sure that the answers you choose for your security questions are not freely available elsewhere.

5. Abide by the response guidelines

Usually, response guidelines such as using at least 8 characters, numbers, and upper and lower case letters are already configured. However, if such guidelines are not specified, it is a good idea to follow them anyway and frame your response accordingly.

6. Do not duplicate your answers

This is a very common mistake: using the same answer for all questions, probably because people are too busy to fill in different answers to multiple questions or because they have difficulty remembering the responses. Such tendencies are a hacker’s delight, since one guessed answer unlocks every question. So, make sure you do not give the same response to all the questions.
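The six tips above, together with the point about user-defined questions being weak, can be enforced on the server side at enrolment time rather than left to the user. The following is an added example written for this post, not Cross Identity product code: it takes a list of (question, answer) pairs and reports answers that are too short, lack digits or mixed case, are predictable values such as ‘12345’, echo a word of the question, or are reused across questions, and it flags user-defined questions that match commonly guessable patterns. The policy thresholds, the denylists and the sample enrolment are assumptions constructed for the example.

```python
"""Security-question answer policy checker (added example, not Cross Identity code).

Implements the response guidelines from the post as a server-side check:
minimum length with digits and mixed case, no predictable answers, no answer
reused across questions, and a flag for user-defined questions that are
commonly guessable. Names, thresholds and the sample data are assumptions.
"""
import re
from dataclasses import dataclass

# Assumed policy threshold; the post cites "at least 8 characters, numbers,
# upper and lower cases" as a typical configured guideline.
MIN_LEN = 8

# Constructed denylist of trivially guessable answers (the post's "12345"
# example is included).
PREDICTABLE = {"12345", "123456", "password", "qwerty", "abc123", "none", "unknown"}

# Constructed list of question stems the post calls out as weak when users
# define their own questions (pet, school) plus facts that are usually
# discoverable on social media (marriage date, previous employer).
WEAK_QUESTION_PATTERNS = [
    r"\bpet\b", r"\bschool\b", r"\bmarried\b", r"\bemployer\b",
    r"\bmaiden name\b", r"\bhometown\b", r"\bborn\b",
]

@dataclass
class Finding:
    index: int      # position of the question/answer pair
    code: str       # short machine-readable reason
    detail: str     # human-readable explanation

def _normalize(answer: str) -> str:
    # Compare answers case-insensitively and ignoring whitespace so that
    # "Fluffy" and "fluffy " count as the same reused answer.
    return re.sub(r"\s+", "", answer).lower()

def check_answer(index: int, question: str, answer: str) -> list[Finding]:
    findings = []
    if len(answer) < MIN_LEN:
        findings.append(Finding(index, "too_short", f"answer shorter than {MIN_LEN} characters"))
    if not re.search(r"\d", answer):
        findings.append(Finding(index, "no_digit", "answer contains no digit"))
    if not (re.search(r"[a-z]", answer) and re.search(r"[A-Z]", answer)):
        findings.append(Finding(index, "no_mixed_case", "answer lacks upper and lower case"))
    norm = _normalize(answer)
    # Denylisted values and single repeated characters ("aaaaaaaa") are predictable.
    if norm in PREDICTABLE or re.fullmatch(r"(.)\1*", norm):
        findings.append(Finding(index, "predictable", "answer is a common or repeated value"))
    # An answer that simply echoes a word from the question is trivially guessable.
    qwords = {w for w in re.findall(r"[a-z]+", question.lower()) if len(w) > 3}
    if norm in qwords:
        findings.append(Finding(index, "echoes_question", "answer repeats a word of the question"))
    return findings

def check_question(index: int, question: str, user_defined: bool) -> list[Finding]:
    # Admin-defined and user-selected questions were vetted when configured;
    # only user-defined ones are screened against the weak patterns.
    if not user_defined:
        return []
    for pat in WEAK_QUESTION_PATTERNS:
        if re.search(pat, question, re.IGNORECASE):
            return [Finding(index, "weak_question", f"user-defined question matches '{pat}'")]
    return []

def validate(pairs: list[tuple[str, str]], user_defined: bool = False) -> list[Finding]:
    """Run all checks over (question, answer) pairs and flag reused answers."""
    findings = []
    seen = {}   # normalized answer -> index of the first question that used it
    for i, (q, a) in enumerate(pairs):
        findings += check_question(i, q, user_defined)
        findings += check_answer(i, q, a)
        norm = _normalize(a)
        if norm in seen:
            findings.append(Finding(i, "duplicate", f"same answer as question {seen[norm]}"))
        else:
            seen[norm] = i
    return findings

# Constructed sample enrolment: one strong answer and several weak ones.
SAMPLE = [
    ("What is your frequent flier number?", "12345"),
    ("What is the name of the street you grew up on?", "Elm Street"),
    ("What is the name of your hometown?", "187!Aj*Qz"),
    ("What is the name of your first car?", "elm street"),
]

if __name__ == "__main__":
    for f in validate(SAMPLE):
        print(f"Q{f.index}: {f.code}: {f.detail}")
```

Run as a script, it reports the predictable and too-short ‘12345’, the missing digit in ‘Elm Street’, and the reuse of that same answer on the fourth question, while the made-up ‘187!Aj*Qz’ passes cleanly. The duplicate check compares normalized answers across the whole enrolment so that trivial case or spacing changes do not bypass it.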

So, the next time you opt for security questions to secure and authenticate your identities via Multi-Factor Authentication, always make a conscious effort in taking small but vigilant steps in securing your security questions.
