Sunday, November 16, 2008

Challenge Questions --- CHALLENGED!

I am sure you have all run into the recent phenomenon of being asked to pick challenge questions when creating, or logging into, a username/password account. In and of itself this isn't completely useless, but it is insulting when the site claims it amounts to two-factor authentication. It does not: a challenge answer is just another "something you know," the same factor as the password, so a second secret of that kind adds no second factor.
Having a little bit of experience in this area from my Passmark Security days, it is simply amazing to me how inept most companies are at choosing what challenge questions to offer.
What is your favorite __________________?
Are they kidding?
Twelve to 36 months from now, when the site needs to ask me one of my challenge questions, how likely is it that my favorite ___________ is still the same?
The other thing that usually renders the whole exercise moot is the demand for an exact match. Let me see, was it "School #25" or "School25" or "School#25" that I answered to the question about which grammar school I attended? Unless the site normalizes the answer before storing and comparing it, a legitimate user's own memory of the spelling is as likely to lock them out as an attacker's guess is to get in.
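To make the exact-match point concrete, here is an added example (my own illustration, not code from any site or from Passmark) of how a site could canonicalize challenge answers before hashing them, so that "School #25", "school25" and "SCHOOL 25" all verify against one enrolled record. The normalization rules (NFKC, case folding, dropping everything that is not a letter or digit), the PBKDF2 iteration count and the record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed work factor for the example; production deployments pick their own.
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize a challenge-question answer so that trivial variations
    in Unicode form, letter case, whitespace and punctuation compare equal.

    "School #25", "school25" and "SCHOOL-25" all become "school25".
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    # Keep only letters and digits (Unicode-aware), discarding spaces and symbols.
    return "".join(ch for ch in text if ch.isalnum())


def enroll_answer(answer: str) -> dict:
    """Store a salted, slow hash of the *normalized* answer, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        salt,
        PBKDF2_ITERATIONS,
    )
    return {"salt": salt, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the normalized candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        record["salt"],
        PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample: the answer as originally typed at enrollment.
    record = enroll_answer("School #25")
    for attempt in ("School #25", "school25", "SCHOOL 25", "School 26"):
        print(f"{attempt!r:14} -> {verify_answer(record, attempt)}")
```

The caveat a practitioner should keep in mind: normalization folds many spellings onto one string, which shrinks an already small answer space, so the comparison must still sit behind rate limiting and lockout, and the answer should be treated as a weak recovery signal rather than an authentication factor.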

