
Security questions and cheese-o 3+ "factor" authentication

I Hate You

James Ward points out that his MasterCard site is using a nifty system of selecting an image as a sort of shared token between him and MasterCard. If he doesn’t see the image he selected, he should immediately be suspicious that someone has hijacked his login and is doing a man-in-the-middle attack to capture his username and password. To his core point, technologically, it’s nifty and fun.

Also, as you can see in the screenshots, he has to answer at least 5 “security questions.” I haven’t had the pleasure of having to pick a shared token image, but, of late, I’ve had to set up a raft of security questions.

It’s driving me crazy.

Call me crotchety and naive when it comes to online security, but all I want is a username and password. Anything more than that and I start reaching for the pitchforks and rounding up the village people. I really, really despise the canned list of “security questions” where you have to select 2-10 of them for your question/response. Writing your own is even worse.

Not only do I hate the extra time of entering and remembering this stuff, but it makes it difficult for my wife, Kim, to log in to our online banking account to pay bills, our phone account to check on services, or anything else. How’s she going to know the first name of my (non-existent) college roommate or the street number of the 5 different houses I “grew up in”? Now, ideally, the providers would provide multiple accounts…but, right, ho-ho, good one, tip your waiters and try the chicken…that’s going to happen for every single service out there.

The point is: most consumer applications out there are so sloppy that cleaning up one aspect of it (authentication) will break the sloppy-but-works workflow in the others. That’s the case with most technology, but it hits home in this case when Kim needs to pay that bill tonight and I, with my extensive knowledge of my first pet, my favorite movie, and the first name of my closest childhood friend (I don’t even remember that!), am nowhere to be found. How we gonna pay that bill?

As I recall, there’s actually a law or regulation in the US mandating the use of more than a username and password to authenticate a user. Maybe that’s folklore or a bad memory. Either way, I’m already dreaming of the days when all I needed was a username and password. Good times…

Update: John outlines the security question problem well, with screenshots from my bank.


Categories: Identity.


7 Responses

  1. [on the new scheme that asks people to look for a specific image and, if it's not there, to become suspicious]: "to his core point, technologically, it’s nifty and fun."

    I'm not so sure it is. We have to remember that the vast majority (let's say "all" to the first approximation) of internet users are busy people for whom a log-on screen is an irritation. It's stopping them from doing the task they really want to do.

    I don't see how a security mechanism that relies on one spotting the *absence* of a step in a process is going to work: people just won't notice. Or if they do, will probably just think to themselves: "neat! They got rid of an annoying step. I can do my banking more quickly!"

  2. Notice you’re using the same bank as me – fun isn’t it? My wife has the same trouble as yours …

    I can’t wait until web identity is sorted a hell of a lot better than it is now.

  3. Richard: I agree, as the rest of the post hopefully shows. What I was meaning — and hoping to point out with the "technologically" prefix — was that it's a nifty idea from a purely code monkey context. Usable and nice for end-users, now that's a whole 'nother story.

  4. The 'law' you're thinking of is probably the FFIEC guidance on authentication for Internet banking. "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." The focus of the guidance is on risk assessment and management, not so much on user experience. There's probably scope for some usability studies as the different techniques (OTP token, scratchcard, image, secret question etc.) have found deployment.

  5. Thanks for looking that up and leaving the pointer, Mark. Awesome!

  6. Bank of America has been asking you to verify your "site key" plus a user-chosen text phrase for almost 2 years now.

    You are presented with the user-chosen image and phrase and then asked for the equivalent of a user-chosen password. For me it's the best of a bad bunch.

    Sure, I'd like some form of 3rd party authentication that doesn't allow the server I'm connecting to to know anything about my authentication, but will allow me to connect when authenticated log me on.

    However, usually when I give this any real thought, I can think of 10 reasons why this isn't such a good idea. It needs a sea change in the way browsers are built in order to make me think we could pull this off.

  7. Got any ideas for those browser changes? 😉