When to Assign Users Responsibility for Security

First, I wanted to mention that the Security PS blog is now one year old. We thank those of you who have scrutinized and shared our content in an effort to increase awareness of information security issues. We also encourage you to continue submitting your questions or blog entry ideas to us via the comments section or email. With your feedback we can continue to provide expert coverage of the security issues that are important to you.

Second, I want to share my concerns about a security practice that has been bothering me for some time. Almost every application or network consists of users with vastly different levels of security awareness and skill. For every company that has a user like me (my bio claims I'm pretty security savvy), they have hundreds of users that are less aware of the security threats they face. So why is it that in some cases those same users are required to make important security decisions?

In this case I'm referring to the growing trend of asking users to set their own custom security questions and answers. These are the questions and answers commonly used to provide a fallback option for authenticating when a password is forgotten, or used to further validate an identity when a username and password are deemed insufficiently secure. We are seeing this built into more online financial applications in an attempt to meet the FFIEC's new authentication requirements.

My main concern is that the user can customize the questions, not necessarily that the questions and answers are used for authentication. In these situations the answers to the questions act as a substitute for, or an equivalent to, a password. Logically, they must be held to the same standards of security that passwords are. They must not be easily guessed or predicted. They must collectively ensure that only the authorized individual can provide the correct answers.

Yet this is not the main issue of concern for most users when selecting these questions and answers. They are focused on choosing a question and answer that they can easily remember. This is also important, but it cannot take priority over the confidentiality of the information.

When a user sets up a question like "what is my favorite color" -- and they do -- they have not only limited themselves to a fairly small selection of answers, but they have also chosen to prompt for a piece of information that is not considered a secret. They are likely to share the information if asked by a family member, friend, or possibly even a casual acquaintance.

How can this be considered the security equivalent of a password?

Sadly, this has been a known issue for some time. Organizations first started experiencing similar problems when they allowed users to create customized password hints. Nothing stopped users from making their hints blatantly obvious (such as "a day of the week") or even putting their password directly in this field.

Professionals cannot in good conscience allow these decisions to be delegated to the users. Claims about it being the user's responsibility to make good choices, at least in this area, simply don't make sense in today's hostile Internet environment. If you see fit to enforce minimum password standards, you must also commit to enforcing minimum question and answer standards.

The simple solution is allowing the user to select from a library of predefined questions instead of creating their own. You should select these questions with the uniqueness and confidentiality of the answers in mind. Here are some of the better examples:

- Who is your favorite character in a book?
- Who was your favorite teacher?
- What was the name of your first crush?
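
One way to enforce minimum question and answer standards at enrollment, shown as an added example that is not code from the original post: questions must come from the predefined library, and answers are checked and stored the way passwords are. The question IDs, thresholds, function names and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Predefined library (questions from the post; the IDs are hypothetical).
QUESTION_LIBRARY = {
    "book_character": "Who is your favorite character in a book?",
    "favorite_teacher": "Who was your favorite teacher?",
    "first_crush": "What was the name of your first crush?",
}
MIN_ANSWER_LEN = 4      # assumed policy value
REQUIRED_QUESTIONS = 2  # assumed policy value

def normalize(answer):
    """Fold case, Unicode form and whitespace so matching ignores formatting."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def validate_enrollment(username, password, answers):
    """Return a list of policy violations; an empty list means acceptable."""
    errors = []
    if len(answers) != REQUIRED_QUESTIONS:
        errors.append(f"exactly {REQUIRED_QUESTIONS} questions are required")
    seen = set()
    for qid, raw in answers.items():
        if qid not in QUESTION_LIBRARY:  # no user-authored questions
            errors.append(f"{qid}: not a predefined question")
            continue
        ans = normalize(raw)
        if len(ans) < MIN_ANSWER_LEN:
            errors.append(f"{qid}: answer too short")
        if ans in (normalize(username), normalize(password)):
            errors.append(f"{qid}: answer repeats username or password")
        if ans in normalize(QUESTION_LIBRARY[qid]):
            errors.append(f"{qid}: answer appears in the question")
        if ans in seen:
            errors.append(f"{qid}: answer reused across questions")
        seen.add(ans)
    return errors

def hash_answer(answer, salt=None):
    """Store answers like passwords: salted and slow-hashed, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 200_000)
    return salt, digest

def verify_answer(answer, salt, digest):
    return hmac.compare_digest(hash_answer(answer, salt)[1], digest)
```

These checks can only reject structurally weak answers; they cannot tell whether an answer is actually secret, which is why the choice of questions in the library still matters.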

Want more feedback on securely implementing question and answer based authentication? Send me an email and I’ll be happy to share my thoughts.