
Please reset my mother's maiden name - the problem with security questions

By Jp Rowan | Posted on February 20, 2018

Alternatives to KBA security questions

What was your first pet's name?

What street did you grow up on?

What is your mother's maiden name?

What city were you born in?

Intended as a convenient, last-ditch workaround for forgotten credentials, security questions that rely on factual data have the unintended consequence of creating an additional attack vector. Beyond the exposure created when stored answers are compromised in a breach, the question forms themselves present an avenue of attack.

Despite the red flags raised by security experts (Krebs on Security has been banging this drum for almost a decade) and the National Institute of Standards and Technology removing KBA as a recommended authentication step, online services continue to make it part of their validation processes. For example, USPS expanded its use of knowledge-based authentication in its "Informed Delivery" service - where scanned images of inbound mail are sent to postal customers - in late 2017. The IRS will again be requiring KBA for account creation this year.

The massive breach of Yahoo in 2016 compromised the data of more than 500 million of its users (and possibly a good deal more than that). The breach exposed not only users' email addresses and hashed passwords but also their security questions and answers. A breach of this magnitude brings the fundamental limitations of this basic approach to knowledge-based authentication to the forefront: the same questions are frequently used from service to service, and a given individual's answers to those questions do not change.

Although most consumers recognize the need to use a unique password for each online account, many give the same factual responses to security questions. With each email address in the United States connected to 130 online accounts, on average, the risk of reusing the same responses to KBA security questions across multiple accounts is tremendous. Even if Company A follows best practices by encrypting, hashing and securing the responses to KBA questions, there is a chance that Company B does not. If Company B is breached, the data held by Company A is at risk - unless additional security checks are in place.

A better route is to extend multi-factor authentication to users. Verifying a user's email address or phone number ensures that the user has access to their primary communication channel, which should then be the default reset path for forgotten passwords. By deploying progressive registration - starting with a basic email and password combination and gathering additional information as customers make repeat visits to your site or app - companies open up the opportunity to request a secondary communication channel for additional authentication.
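The reset path the paragraph above recommends, written out as an added example that is not Janrain's code: the server mints a random, short-lived, single-use token, stores only its hash, and sends the token itself over the verified email or phone channel. The user id, the 15-minute lifetime and the in-memory store are assumptions for the example; the point is that neither knowledge of the user's maiden name nor a copy of the token table lets anyone complete a reset.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime for this example

class ResetTokenStore:
    """Pending password-reset tokens, one per user. Only the SHA-256 digest is
    stored, so a leaked table yields nothing usable, unlike a table of KBA answers."""
    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so expiry can be tested
        self._pending = {}     # user_id -> {"digest": ..., "expires": ...}

    def issue(self, user_id):
        """Mint a token for delivery over the user's verified email or phone; never log it."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user_id] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, user_id, presented):
        """True exactly once for the valid, unexpired token of user_id."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]   # expired: discard, user must re-request
            return False
        digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(entry["digest"], digest):  # constant-time compare
            return False
        del self._pending[user_id]       # single use: a replayed link fails
        return True

def demo():
    """Constructed walkthrough with a fake clock; returns the four outcomes."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    token = store.issue("user-42")
    first = store.redeem("user-42", token)       # True: right token, in time
    replay = store.redeem("user-42", token)      # False: already consumed
    guess = store.redeem("user-42", "Smith")     # False: a known maiden name helps nobody
    token2 = store.issue("user-42")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem("user-42", token2)    # False: past its lifetime
    return first, replay, guess, expired
```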

Our technical white paper, “Security and Usability: How New Authentication Methods Eliminate Old Trade-Offs,” explores the history of security and usability trade-offs and discusses the technologies that are helping companies finally close the gap between security and usability.

About the author

Jp Rowan

Associate Technical Consultant

Jp comes to Janrain with a decade of experience transitioning businesses into the digital technology space. With a focus on inventory management, e-commerce and web media, he is no stranger to the challenges that face a business during a digital transformation. Since 2015 Jp has been consulting with Janrain's enterprise customer base as they transition into the CIAM solution space. His expertise blends his past experience of digital transformation with his extensive knowledge of the identity marketplace.