<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Asking smarter security questions</title>
	<atom:link href="http://futurity.org/science-technology/asking-smarter-security-questions/feed/" rel="self" type="application/rss+xml" />
	<link>http://futurity.org/science-technology/asking-smarter-security-questions/</link>
	<description>Research news from leading universities</description>
	<lastBuildDate>Sat, 13 Mar 2010 13:24:52 -0400</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Josh</title>
		<link>http://futurity.org/science-technology/asking-smarter-security-questions/comment-page-1/#comment-2171</link>
		<dc:creator>Josh</dc:creator>
		<pubDate>Fri, 20 Nov 2009 20:31:18 +0000</pubDate>
		<guid isPermaLink="false">http://futurity.org/?p=5775#comment-2171</guid>
		<description>Security questions ultimately come down to the same cryptic trivia that passwords revolve around - you need a shared piece of information that both the host and client know that is difficult for third parties to decipher.  Generally security questions are weaker than actual passwords however, so are coupled with other behavior to provide comparable security (i.e. they don&#039;t grant access or show the password, but rather send out a temporary new password to the known email address of the user).  In terms of casual authentication on the web (things like ecommerce sites and such where the worst risk you have is your credit card number being misappropriated - a risk that credit card issuers generally transfer to themselves) I think it would be much more productive to look for stronger forms of complementary behavior for the security questions (something better than sending to an email address) rather than stronger security questions themselves.  For sites where the risk is greater to either the client or host a stronger form of authentication is appropriate - something surpassing username and password, and certainly surpassing security questions.

In terms of specific benefits of this line of research I really wonder about the utility.  Both the client and host need to be aware of the client&#039;s behavior, which could raise privacy concerns in certain scenarios.  Additionally, the host needs to be able to monitor the behavior, which means that either it is a behavior the host offers as a service, or it is a behavior the host would normally not be able to monitor but is granted visibility into (which pretty much violates principles of both least privilege and default deny).  In the case of behaviors the host already has access to, it would need to be recent enough behavior that the client can recall the information as well - which would imply that they have accessed the service recently enough that they probably haven&#039;t forgotten their initial credentials.  Scenarios where people forget their credentials are typically scenarios where they use the service the host provides infrequently - in this scenario, would they remember the activity the host is using to base the questions on?</description>
		<content:encoded><![CDATA[<p>Security questions ultimately come down to the same cryptic trivia that passwords revolve around &#8211; you need a shared piece of information that both the host and client know that is difficult for third parties to decipher.  Generally security questions are weaker than actual passwords however, so are coupled with other behavior to provide comparable security (i.e. they don&#8217;t grant access or show the password, but rather send out a temporary new password to the known email address of the user).  In terms of casual authentication on the web (things like ecommerce sites and such where the worst risk you have is your credit card number being misappropriated &#8211; a risk that credit card issuers generally transfer to themselves) I think it would be much more productive to look for stronger forms of complementary behavior for the security questions (something better than sending to an email address) rather than stronger security questions themselves.  For sites where the risk is greater to either the client or host a stronger form of authentication is appropriate &#8211; something surpassing username and password, and certainly surpassing security questions.</p>
<p>In terms of specific benefits of this line of research I really wonder about the utility.  Both the client and host need to be aware of the client&#8217;s behavior, which could raise privacy concerns in certain scenarios.  Additionally, the host needs to be able to monitor the behavior, which means that either it is a behavior the host offers as a service, or it is a behavior the host would normally not be able to monitor but is granted visibility into (which pretty much violates principles of both least privilege and default deny).  In the case of behaviors the host already has access to, it would need to be recent enough behavior that the client can recall the information as well &#8211; which would imply that they have accessed the service recently enough that they probably haven&#8217;t forgotten their initial credentials.  Scenarios where people forget their credentials are typically scenarios where they use the service the host provides infrequently &#8211; in this scenario, would they remember the activity the host is using to base the questions on?</p>
]]></content:encoded>
	</item>
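The recovery flow Josh describes in the comment above, as an added example that is not part of the original comments or of the Futurity article: a correct security-question answer never grants a session or reveals the password; it only authorises sending a short-lived, single-use reset token to the account's known e-mail address. This is plain Python with an in-memory dictionary standing in for the user store and a list standing in for the outgoing mail queue; the account `alice`, its e-mail address, and the question and answer are constructed sample data. Because answers are low-entropy compared to passwords, the example also caps wrong guesses per account, returns the same reply whether or not the account exists, and stores only a hash of the issued token.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # slow hash so leaked answer hashes are not trivially brute-forced
TOKEN_TTL_SECONDS = 15 * 60   # reset token is short-lived
MAX_ATTEMPTS = 5              # answers are low-entropy, so cap guesses per account

GENERIC_REPLY = "If that account exists, a reset link has been sent to its e-mail address."


def _normalize(answer):
    # Case and surrounding whitespace are not secrets; normalising avoids rejecting "Elm Street " vs "elm street".
    return " ".join(answer.strip().lower().split())


def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(store, username, email, question, answer):
    """Register a user with a security question; only a salted slow hash of the answer is kept."""
    salt = os.urandom(16)
    store[username] = {
        "email": email,
        "question": question,
        "salt": salt,
        "answer_hash": _kdf(_normalize(answer), salt),
        "attempts": 0,
        "reset": None,          # pending (token_hash, expiry) or None
        "password_hash": None,
    }


def request_reset(store, outbox, username, answer, now=None):
    """Verify the answer; on success mail a single-use token, never the password or a session."""
    now = time.time() if now is None else now
    user = store.get(username)
    if user is None:
        # Same reply whether or not the account exists: no user enumeration.
        return GENERIC_REPLY
    if user["attempts"] >= MAX_ATTEMPTS:
        # Locked: still answer generically so the attacker learns nothing from the response.
        return GENERIC_REPLY
    given = _kdf(_normalize(answer), user["salt"])
    if not hmac.compare_digest(user["answer_hash"], given):
        user["attempts"] += 1
        return GENERIC_REPLY
    user["attempts"] = 0
    token = secrets.token_urlsafe(32)
    # Store only the hash of the token, so reading the database does not yield usable tokens.
    user["reset"] = (hashlib.sha256(token.encode("utf-8")).digest(), now + TOKEN_TTL_SECONDS)
    outbox.append((user["email"], token))   # constructed stand-in for sending the e-mail
    return GENERIC_REPLY


def redeem_token(store, username, token, new_password, now=None):
    """Consume the token and set a new password; it must be unexpired, unused and match."""
    now = time.time() if now is None else now
    user = store.get(username)
    if user is None or user["reset"] is None:
        return False
    token_hash, expiry = user["reset"]
    if now > expiry:
        user["reset"] = None
        return False
    if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode("utf-8")).digest()):
        return False
    user["reset"] = None   # single use: a replayed token is refused
    salt = os.urandom(16)
    user["password_hash"] = (salt, _kdf(new_password, salt))
    return True


def demo():
    """Walk the flow on a constructed account and report what each step produced."""
    store, outbox = {}, []
    enroll(store, "alice", "alice@example.org", "First street you lived on?", "Elm Street")
    request_reset(store, outbox, "alice", "wrong guess", now=1000)      # no mail sent
    request_reset(store, outbox, "alice", "  elm STREET ", now=1000)    # one token mailed
    email, token = outbox[-1]
    first = redeem_token(store, "alice", token, "new-password-1", now=1010)
    replay = redeem_token(store, "alice", token, "new-password-2", now=1020)
    return {"mails_sent": len(outbox), "email": email, "first_redeem": first, "replay": replay}
```

The point of the split is that the weak factor (the question) is only allowed to trigger a message to a channel the attacker must also control, and that message carries a credential that expires in minutes and dies on first use; strengthening the channel, as the comment suggests, would mean replacing the outbox stand-in with something better than plain e-mail while keeping the rest of the flow unchanged.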
	<item>
		<title>By: Mortgage News</title>
		<link>http://futurity.org/science-technology/asking-smarter-security-questions/comment-page-1/#comment-2013</link>
		<dc:creator>Mortgage News</dc:creator>
		<pubDate>Wed, 18 Nov 2009 04:48:34 +0000</pubDate>
		<guid isPermaLink="false">http://futurity.org/?p=5775#comment-2013</guid>
		<description>Internet security is so important now due to all the things we use our pcs for nowadays. I find myself not having to worry about stamps anymore because I pay everything online now.</description>
		<content:encoded><![CDATA[<p>Internet security is so important now due to all the things we use our pcs for nowadays. I find myself not having to worry about stamps anymore because I pay everything online now.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
