Security Question Systems Done Properly
Security questions are often collected during account creation on Internet services, as an extra verification step for the case where a user forgets their login credentials. If you implement a security question system for password resets, make sure the flow around the question is what actually keeps the account secure.
Others have argued that basic questions, such as "What is your favorite color?", do not provide enough security and are easy to guess. That is true of the question taken on its own. Security questions are not suitable for every scenario, but they work well as the first step of a password reset.
With a properly designed reset flow behind them, easy questions are not a real security risk. In fact, an easy question is exactly what ensures the user can recall the answer later. So how do you keep your software or service secure with such a seemingly insecure component? Let's have a look.
- When a user provides the correct answer to the question, email a notice that a password reset was requested to the email address on file for that account. Nothing about the account changes at this point.
- In the notice email, provide a link to reset the password. The link should carry a random, single-use token that expires after a short time, so it cannot be guessed, replayed, or used days later.
That's it! Now look at the level of security this adds. Even if a malicious user guesses another user's security answer, they do not get access to the account, because they cannot read the email sent to the address on file. The answer never changes the password by itself; only someone who controls the mailbox and follows the link can. The legitimate user, on receiving a reset email they did not request, can simply ignore it and the password stays unchanged. It also helps to give the same response page whether or not the answer was correct, so the form does not confirm guesses.
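The two-step flow above, as an added example in Python (this is not code from the original article or from Password Tote). It assumes in-memory stores standing in for a database and a mail system, an example.com reset URL, a 15-minute link lifetime, and PBKDF2 for the stored answer and password hashes; all of those are assumptions chosen for the example. The point it makes concrete is that a correct answer only causes an email to be sent, while the random, single-use, expiring token in that email is what permits the password change.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original article. Names, URLs and limits
# below (example.com, the 15-minute lifetime, the in-memory stores) are assumptions.

TOKEN_TTL_SECONDS = 15 * 60        # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 50_000         # assumed work factor for stored secrets


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'Alice ' and 'alice' compare equal.
    The answer is meant to be easy to recall, so strictness only hurts."""
    return " ".join(answer.strip().lower().split())


def derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither answers nor passwords sit in the database in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def token_key(token: str) -> bytes:
    """Only a hash of the reset token is stored; a leaked table yields no usable links."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class ResetService:
    # Identical response whether or not the answer was right, so the form
    # itself does not confirm a guess.
    GENERIC_RESPONSE = "If the answer is correct, a reset link has been sent to the email address on file."

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so expiry can be exercised offline
        self.users = {}          # username -> account record (stand-in for a database)
        self.tokens = {}         # token_key -> {"username", "expires"} (pending resets)
        self.outbox = []         # (recipient, link) pairs; stand-in for the mail system

    def register(self, username, email, password, question, answer):
        pw_salt, ans_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[username] = {
            "email": email,
            "question": question,
            "pw_salt": pw_salt,
            "pw_hash": derive(password, pw_salt),
            "ans_salt": ans_salt,
            "ans_hash": derive(normalize_answer(answer), ans_salt),
        }

    def verify_password(self, username, password) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(derive(password, user["pw_salt"]), user["pw_hash"])

    def request_reset(self, username, answer) -> str:
        """Step 1: the user answers the security question.
        A correct answer emails a link to the address on file; nothing else changes."""
        user = self.users.get(username)
        if user is not None and hmac.compare_digest(
            derive(normalize_answer(answer), user["ans_salt"]), user["ans_hash"]
        ):
            token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
            self.tokens[token_key(token)] = {
                "username": username,
                "expires": self.clock() + TOKEN_TTL_SECONDS,
            }
            self.outbox.append((user["email"], f"https://example.com/reset?token={token}"))
        return self.GENERIC_RESPONSE

    def complete_reset(self, token, new_password) -> bool:
        """Step 2: the link from the email is followed. The token must exist and be
        unexpired, and it is consumed on first use, so a reused or stale link does nothing."""
        record = self.tokens.pop(token_key(token), None)   # pop = single use
        if record is None or record["expires"] < self.clock():
            return False
        user = self.users[record["username"]]
        user["pw_salt"] = secrets.token_bytes(16)
        user["pw_hash"] = derive(new_password, user["pw_salt"])
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "alice@example.com", "hunter2", "What is your first name?", "Alice")
    # An attacker who guesses the easy answer only causes an email to Alice's mailbox.
    print(svc.request_reset("alice", "alice"))
    print("mail sent to:", svc.outbox[-1][0])
```

The answer comparison and the token lookup both use `hmac.compare_digest` or a hashed key rather than string equality, and the token is hashed before storage; with those in place, someone who can guess the answer, read the database, or replay an old link still cannot change the password without access to the mailbox.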
If you are a beginner with security and are coding a service that implements such a flow, please take care to implement every step properly. This should go without saying, but it bears repeating.
Questions should remain relatively easy, so that the user has no trouble recalling the answer. Remember, the answer itself is not what protects the account, so an easy one does not pose a risk: even “What is your first name?” is acceptable when the reset flow behind it is implemented as described. Store the answer as you would a password (salted and hashed) and compare it case-insensitively, so that small differences in how the user types it do not lock them out. You can provide a fixed set of questions for your service or let users type in their own question and answer. Either way, a system designed this way does not require you or the user to invent a "more secure security question".
Some services also ask a security question when a user is logging in. This is not recommended; security questions do not work well there and are really only suited to password resets. Because the answers are easy to guess, the extra field is a nuisance for the user and adds no real security on top of the username and password.
That is about all you need to implement a proper security question and answer flow for password resets. Every service should implement this method or a more robust version of it.
Password Tote software will help users securely store their service credentials and more. It even has the ability to store security questions and answers.
Article Date: May 21, 2009
If you have any questions or comments, please contact us.