We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,713 News Articles

Do Authenticaton Questions Really Protect You?

With so much information shared online, authentication questions can be trivial for attackers to bypass.

What is your mother's maiden name? It seems like that question has been used as secondary authentication to verify identity since the dawn of time. Over time, the authentication questions have become much more diverse. Sites now ask for things like what city you went to high school in, or who was your favorite teacher, or what was your first car.

The problem with most authentication questions, though, is that the information can often be found with a simple Google search or two. Ten years ago, or even five years ago it might have been much harder to learn the answers to such obscure questions. But, in the current age of oversharing on social networks it's entirely possible all your intimate details are out there somewhere.

Have you ever participated in the Internet meme of answering a series of questions about yourself and then passing the results on to a group of friends? Many have. The purpose of the exercise is to share more information and get to know people better, but the fallout is that those questionnaires often target the same sort of semi-obscure information that authentication questions ask for.

The real problem with authentication questions is that they can be guessed or breached the same way a password can. An attacker may not know who your favorite sports team is. But, given a few contextual clues from your social networking profiles, conducting a search of your tweets on Twitter, or simply trying different sports teams out until the right one is discovered, the attacker can probably get past the authentication questions.

Like a username, the authentication question might seem like it adds a layer of security--and to some extent that's true. But, usernames are easily guessed, and authentication questions are becoming increasingly trivial to bypass thanks to social networking. The password should be the toughest part of this equation, yet many people still use their cat's name or "123456" despite years of security experts drilling about choosing better passwords.

One solution that might help a little is to make up a fictitious answer. For example, maybe you went to high school Omaha, and everyone online knows you went to high school in Omaha. But, for the purposes of your authentication security question you could change the answer to "Metropolis" or "onion rings" and just keep that information to yourself.

Some sites and services let you create your own custom authentication questions. This can also be an opportunity to create something unique that nobody but you would know the answer to. The sillier you are with both the question and the answer, the less likely it is that an attacker could guess it.

To protect your data from viruses, phishing attacks, and other malware--whether its on your PC, smartphone, or tablet--you should have some sort of cross-device security tool in place. But, when it comes to preventing unauthorized access to information stored elsewhere, two-factor authentication provides better protection.

An attacker may be able to guess your username, Google the answers to your authentication questions, and crack your password. But, if access to your data also requires a unique PIN that can only be sent to the mobile phone you have registered with the account for that purpose it makes it much harder to get in.


IDG UK Sites

Android One vs Android Silver vs Google Nexus: What is the difference?

IDG UK Sites

Apple updates MacBook Pro line-up: Price cuts & spec boosts for 6 MacBook Pro models

IDG UK Sites

Long live the internet fridge: the Internet of Things is coming

IDG UK Sites

How Prometheus' colourist Juan Ignacio Cabrera gave a tense, edgy feel to Chosen