security questions

piers.bowness at rsa.com
Thu Aug 7 13:50:27 EDT 2008


John Ioannidis wrote:
| Does anyone know how this "security questions" disease started, and why
| it is spreading the way it is?  If your company does this, can you find
| the people responsible and ask them what they were thinking?

The answer is "Help Desk Call Avoidance"; allow the end-user to fix
their own account without having to get someone on the phone. This is
simply an available mechanism in the spectrum between easy-to-use and
rock-solid security.

| My theory is that no actual security people have ever been involved, and
| that it's just another one of those stupid design practices that are
| perpetuated because "nobody has ever complained" or "that's what
| everybody is doing".

Your theory is incorrect. There is considerable analysis on what
constitutes a good security question based on the anticipated entropy of
the responses. This is why, for example, no good security question has a
yes/no answer (i.e., 1-bit). Aren't security questions just an
automation of what happens once you get a customer service
representative on the phone? In some regards they may be more secure as
they're less subject to social manipulation (i.e., if I mention a few
possible answers to a customer support person, I can probably get them
to confirm an answer for me).

-Piers
--
Piers Bowness
RSA - The Security Division of EMC
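The entropy argument above can be made concrete. The following is an added example, not code from the original post or from RSA; the answer-frequency tables are constructed for illustration and are not survey data. It scores a candidate question by Shannon entropy (the figure usually quoted), by min-entropy (the bits of work facing an attacker who simply guesses the most popular answer), and by how many top guesses cover half the user population. The yes/no question scores the 1 bit the post mentions; the skewed "favorite color" question shows why Shannon entropy alone overstates a question's resistance to guessing.

```python
import math

# Constructed, illustrative answer distributions (assumptions, not measured data).
# Each maps a possible answer to the fraction of users expected to give it.
YES_NO = {"yes": 0.5, "no": 0.5}

FAVORITE_COLOR = {
    "blue": 0.30, "green": 0.20, "red": 0.15, "purple": 0.10,
    "black": 0.10, "yellow": 0.05, "orange": 0.05, "other": 0.05,
}

# 200 equally likely pet names: a stand-in for a higher-entropy question.
FIRST_PET_NAME = {f"name{i}": 1 / 200 for i in range(200)}


def shannon_entropy(dist):
    """Average bits of uncertainty per response: -sum(p * log2 p)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """Bits of work for an attacker's single best guess: -log2(max p).

    This is the figure that bounds a guessing attacker; it is never larger
    than the Shannon entropy and is much smaller for skewed distributions.
    """
    return -math.log2(max(dist.values()))


def guesses_to_cover(dist, target=0.5):
    """Number of most-popular answers an attacker must try to cover `target`
    of the user population (i.e. to succeed against that fraction of accounts)."""
    cumulative = 0.0
    ranked = sorted(dist.items(), key=lambda kv: kv[1], reverse=True)
    for n, (_answer, p) in enumerate(ranked, start=1):
        cumulative += p
        if cumulative >= target:
            return n
    return len(dist)


def evaluate(dist):
    """Summarise a question's answer distribution for a reviewer."""
    return {
        "shannon_bits": round(shannon_entropy(dist), 2),
        "min_entropy_bits": round(min_entropy(dist), 2),
        "guesses_for_half_of_users": guesses_to_cover(dist),
    }


if __name__ == "__main__":
    for name, dist in [("yes/no", YES_NO),
                       ("favorite color", FAVORITE_COLOR),
                       ("first pet name", FIRST_PET_NAME)]:
        print(f"{name:15s} {evaluate(dist)}")
```

Run as a script it prints the three scores per question. When screening a proposed question set, the min-entropy column and the "guesses for half of users" column are the ones that matter: a question whose most common answer is shared by 30% of users is effectively a 1.7-bit secret against a guesser, whatever its Shannon entropy says.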


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com