Monday, February 25, 2008

Ponderings on "multi factor authentication" silliness...

It seems like a disturbing trend:
Banks adding "more security" by adding extra "security questions"...

In short, the alleged idea is to make your account more secure than just using your password (which is normally only known by you) by asking "personal trivia questions" about high school mascots, car brands, maiden names, ...

What's wrong with that?


  • It's insecure by design. Most of this information is public! A potential attacker can guess or google this information. Different sites also use the same questions.

  • It's extremely error-prone. What was that pet's name again?

  • It adds no extra phishing protection. A fake site can just as easily ask these questions together with your password.

  • Better solutions such as OpenID are publicly available, and allow the user to choose the level of security they prefer, which can range from basic username/password logins, over HTTPS client certificates, to secure one-time-key token devices.


This (fairly cynical) post explains what I have been trying to get across way better than I did.

What to do when your bank forces you into this "Mickey Mouse" scheme?
- Come up with a secondary password (preferably two "words")
- Fill it in as the "answer" to each question

This way, you are at least not decreasing the level of security provided.
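To make the "secondary password instead of real answers" advice concrete, here is a small added example (mine, not from the original post). It compares the guessing work an attacker faces against truthful trivia answers with the work against a random two-word secondary password, and fills that same password in for every question the way the post recommends. The answer-space sizes and the tiny wordlist are constructed assumptions for the demo, not measured figures.

```python
import math
import secrets

# Constructed, illustrative sizes of the pool a truthful answer is drawn from.
# Assumptions for the demo only (chosen as powers of two so the bits come out round).
TYPICAL_ANSWER_SPACE = {
    "high school mascot": 256,
    "first car brand": 32,
    "pet's name": 1024,
}

# Constructed mini wordlist; use a real diceware-style list of thousands of words in practice.
WORDLIST = ["anchor", "basil", "cobalt", "drizzle", "ember", "falcon", "glacier", "harbor"]


def entropy_bits(space_size: int) -> float:
    """Work for an attacker who must guess uniformly among space_size candidates."""
    return math.log2(space_size)


def question_entropy_bits(questions, public=()) -> float:
    """Upper bound on the strength of truthful trivia answers.

    Sums per-question bits, assuming the site demands every answer and the answers are
    independent. Questions whose answer is public (googleable, shared with other sites)
    contribute nothing, which is the post's main point.
    """
    return sum(0.0 if q in public else entropy_bits(TYPICAL_ANSWER_SPACE[q]) for q in questions)


def secondary_password(wordlist, words: int = 2, rng=secrets) -> str:
    """Random multi-word secondary password, generated with a CSPRNG."""
    return " ".join(rng.choice(wordlist) for _ in range(words))


def secondary_password_bits(wordlist_size: int, words: int = 2) -> float:
    """Strength of a secondary password of `words` words drawn from a list of that size."""
    return words * entropy_bits(wordlist_size)


def fill_answers(questions, secondary: str) -> dict:
    """Use the same secondary password as the 'answer' to every question, as the post advises."""
    return {q: secondary for q in questions}
```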