Two-factor authentication: are security questions effective?

You enable two-factor authentication when logging in, or you forgot your password and want to reset it. You enter your information and a security question appears on the screen: your mother’s maiden name, favorite color or date of birth. Your answer is supposed to confirm your identity. It’s easy to remember, but are you actually the only one who knows it? Find out why a method that by design is supposed to serve a protective function can actually be dangerous.

Required two-factor authentication vs. online security

After you enter the correct login and password, the site requires a “second ingredient” – a code, the answer to a question, or an authorization on the mobile app. Such a procedure, although it takes longer than a traditional login, is supposed to better protect your privacy. Even if a cybercriminal somehow obtains the access credentials of a potential victim’s account, there is a high probability that they will be stopped at the second stage.

The most popular two-factor authentication methods are:

  • a one-time access code sent by email or SMS,
  • U2F security key,
  • biometric identification,
  • timecode in the application,
  • voice call,
  • security question.
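To make the “second ingredient” concrete, here is an added example (not code from the original article) of how the “timecode in the application” method from the list above is generated and checked on the server side. It implements the TOTP algorithm from RFC 6238 with only the Python standard library; the secret, the time values and the tolerance window are assumptions chosen for illustration, and the expected codes come from the RFC’s published test vectors.

```python
import hashlib
import hmac
import struct

# Secret shared between the authenticator app and the server. This is the
# RFC 6238 test-vector secret, used here only so the output can be checked.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code valid for the given Unix time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step                       # time steps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps either side, to tolerate clock drift between phone and server.
    Comparison is constant-time so response timing leaks nothing."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Same secret, two different times -> two different one-time codes.
    print(totp(SECRET, 59))                        # 287082
    print(verify_totp(SECRET, "287082", 59))       # True
    print(verify_totp(SECRET, "287082", 59 + 120)) # False: code has expired
```

A real deployment would additionally record the last accepted counter per user so that a code, once used, cannot be replayed inside the tolerance window.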

Security questions - effectiveness

Security questions are one of the oldest forms of authentication. Despite many modern solutions, they continue to enjoy enduring popularity. Their usefulness stems from the assumption that the account owner is the only person who knows the correct answer. And while they are not a particularly effective solution on their own, when combined with other security features they are. For this reason, they are most often only part of the verification process, such as preceding the generation of a code in a mobile app or sending an email with a link to reset the password.


Why are security questions not always secure?

Whether this authentication method lives up to its potential depends on the quality of the questions and answers. Users often take a dismissive approach to security: they hurriedly pick the ready-made suggestions a website offers them. As a result, their answer is fairly obvious, easy to guess or readily available on social media.

Examples of (un)secure questions:

  1. When is your birthday? – it’s easy to find this information on social media
  2. What is your favorite color? – a small number of possible answers
  3. What is your phone number? – friends and family know it
  4. What is the title of your favorite movie? – the answer may change over time
  5. What is your favorite food?

*Google statistics show that one in five people, when asked what their favorite dish is, answer “pizza”.
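The list above and the criteria in the following section (confidentiality, consistency, detail, multiplicity of correct answers) describe properties a service can actually check when a user sets up a security question. The block below is an added example, not code from the original article: it normalizes an answer so that spelling variants still match, flags answers that are too short, too common, drawn from a tiny answer space, or identical to data already in the user’s profile, and stores the answer as a salted scrypt hash rather than in clear text. The word lists, answer-space sizes and the profile data are constructed for illustration; storing answers hashed is added practice, not something the article states.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed lists (assumptions, not from the article). The "pizza" entry
# reflects the statistic quoted above; the rest are plausible defaults.
COMMON_ANSWERS = {"pizza", "pasta", "sushi", "blue", "red", "green", "black"}
SMALL_ANSWER_SPACES = {"favorite color": 20, "favorite food": 200}
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def normalize(answer: str) -> str:
    """Fold case, accents, punctuation and whitespace so "St. Mary's" and
    "st marys" compare equal: this is how a service handles the
    "multiplicity of correct answers" without weakening the secret."""
    s = unicodedata.normalize("NFKD", answer)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", "", s.casefold())


def assess(question: str, answer: str, profile: dict) -> list:
    """Return the reasons a question/answer pair is weak (empty = acceptable)."""
    reasons = []
    norm = normalize(answer)
    if len(norm) < 4:
        reasons.append("answer too short")
    if norm in COMMON_ANSWERS:
        reasons.append("answer is among the most common")
    for field, value in profile.items():          # e.g. birthday, phone number
        pv = normalize(value)
        if len(norm) >= 6 and (norm in pv or pv in norm):
            reasons.append(f"answer matches profile field '{field}'")
    q = question.casefold()
    for topic, size in SMALL_ANSWER_SPACES.items():
        if topic in q:
            reasons.append(f"only about {size} plausible answers")
    return reasons


def store(answer: str) -> bytes:
    """Salted scrypt hash of the normalized answer; never keep the clear text."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify(stored: bytes, candidate: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    cand = hashlib.scrypt(normalize(candidate).encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    profile = {"phone": "+1 555 0100", "birthday": "1990-05-12"}  # constructed
    print(assess("What is your favorite color?", "Blue", profile))
    print(assess("What is your phone number?", "555-0100", profile))
    print(assess("What is the maiden name of your grandmother?",
                 "Kowalczyk-Nowak", profile))                    # []
    record = store("Kowalczyk-Nowak")
    print(verify(record, "kowalczyk nowak"), verify(record, "Nowak"))  # True False
```

The profile check is deliberately simple (it compares digit strings, so a birthday written in another date format slips through); a production policy would canonicalize dates and phone numbers before comparing.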

Security question - good practices

On the one hand, no technology can guarantee complete, reliable protection. On the other hand, any additional security reduces the risk of becoming a victim of a cybercriminal. For a check question during two-step verification to fulfill this role, it must not be templated. Instead of using the site’s prompts, build your own unique protective barrier. Here is how to do it.

Think of the security question as your biggest secret – a secret you’ve never told anyone and don’t intend to. The confidentiality of the fact that identifies you plays a key role here. In addition, consider criteria such as consistency, detail and multiplicity of correct answers.

Ideas for effective security questions:

  1. What was the name of your first childhood partner/friend?
  2. What did your siblings call you when you were a child?
  3. What is the name of the university to which you applied but did not get in?
  4. What is the maiden name of your grandmother?
  5. What was the name of the boy who stole your first kiss?

Security questions - FAQ

Learn the answers to the most frequently asked questions!

What is two-factor authentication?

Two-Factor Authentication (2FA) is the process of verifying a user’s identity when logging in, to protect an account from unauthorized access. It requires at least two components: something you know (a password) and something you have (such as a phone).

What is a security question?

A security question is the second component of two-step verification (authentication). It identifies you and protects your account from unauthorized access by third parties, including phishing attacks.

Is two-step verification secure?

Two-factor verification is an additional form of account or system security against hacking attacks. It is characterized by high efficiency – it significantly reduces the risk of becoming a victim of a hacker attack.
