Silly 2FA "Security" questions

  • 26 December 2019
  • 3 replies
  • 131 views

Badge +3

So I’m trying to set up 2FA for my Webroot console login. I plan on using an authenticator app, but I haven’t gotten far enough to actually make that happen because I can’t get that far in the process.

I would like to know if I’m the only one who finds the “Security Question” portion of setting up 2FA on Webroot to be foolish and insecure.

The problem is that before I can get to setting up my authenticator with Webroot, I have to choose answers to two “Security Questions”. Nothing new about security questions, right? You choose a question from those provided and put in your answer (usually something unique to the user’s life history). It’s a good way to avoid stolen passwords from allowing access to an account. It’s not foolproof - some bad actor could possibly know a user well enough to guess the answers - but it’s a fairly secure second-string method of verifying the users identity in the case of something like a lost password or other sensitive operation.

However, Webroot’s execution of this common everyday exercise renders it completely useless and unusable!

The first set of possible questions is fine - there are questions that have factual answers. For example, “What is your oldest sibling's middle name?”. The answer to that question is always going to be the same, not open to interpretation or opinion, and unlikely to remembered incorrectly. It is essentially immutable.

The problem comes in with the second set of possible questions!

They are almost all opinion-based, and opinions change over time. Those that aren’t opinions are questions that may or MAY NOT apply to every person. The choices are:

What was your favourite childhood food?
Who was your childhood hero?
If you had to choose a new first name what would it be?
What was the name of your first stuffed animal toy?
What was the first album or song you purchased?

Now let’s remember that THE WHOLE POINT of the security questions is that it be something that the user can answer off the top of their head, so even if something like a password is forgotten or mistyped, the user can ALWAYS be identified because they can ALWAYS readily give the CORRECT answer because it is based on their own personal knowledge.

So the first three questions are opinions - childhood opinions! - that assume that the user has already actually made a singular choice on a completely subjective topic. Who was my childhood hero? There were lots of them! Einstein, Ghandi, MLK, Spiderman - so how do I answer this question???

As for the other two - what if I didn’t have a stuffed animal toy? (I did, and it didn’t have a name). And I don’t happen to be a music lover, and I didn’t have money to spend on buying songs or albums when I was a kid. Not everyone does you know.

So, I’m not trying to be uncooperative - I truly do not have a reliable, unchanging answer to ANY of these questions - and THE WHOLE POINT of the questions is that I be able to answer them the same way months or years from now.

Since I couldn’t come up with a way to answer the second question, and could go no further in setting up 2FA without doing so, I contacted Webroot support, expecting that perhaps they could provide an alternative. What was their answer?

“ I would recommend coming up with an answer and writing it down somewhere so you can reference it later. “

Yes, you read that correctly.

WEBROOT SUPPORT WANTS ME TO WRITE DOWN THE ANSWER TO THE SECURITY QUESTION!

To me this demonstrates a fundamental lack of understanding of the most basic principles of information security - from my internet security provider!

 

Am I wrong here?


3 replies

Userlevel 6
Badge +17

Hey @shaferbus ,

Welcome to the community forum!

Thank you for writing up your very detailed critique of our 2FA question setup. I think you definitely have some very valid points here. I’m going to forward this thread to our product team and make sure it goes to the right people. Perhaps this will help them make 2FA better moving forward! I’ll let you know if I hear anything back from them. 

-Keenan

Userlevel 6
Badge +24

@shaferbus 

 

A suggestion on my part (and one that I’m aware of a lot of InfoSec people recommending) -I find that one of the best ways to work with security questions is to give them a “false” answer that only you would know.  These can be relatively consistent if you make them so.

 

Great examples are (not necessarily Webroot ones) the following:

“What is the middle name of your oldest brother?” -Pick this kind of question when you don’t have an oldest brother. Pick a consistent answer.

“What was the name of the first album or song that you purchased?” -Pick an incorrect something you can always use as an answer.   It doesn’t even have to match an album or a song if it’s something that you can always keep track of, and if it isn’t an album or song, it would would be harder to guess.

Using phrases (with no spaces) may also be a good option for questions. They don’t have to be correct to the question, just something you’ll always know.

 

Badge +3

@DTMT 

 

I understand what you’re getting at - a made-up or “nonsense” answer to a security question is far more secure because it cannot be gleaned from any personal knowledge a bad actor may gain about the user. Someone could conceivably be able to figure out my brother’s middle name if I have one, but the fake brother with the fake middle name is un-guessable - but I’m still stuck with remembering what the fake name I made up some time ago was if I forget my password. 

That wouldn’t be such a chore if I used only the Webroot site, or if Webroot was the only site that used security questions. However, that is far from the case, isn’t it?

Perhaps a passable method is to have a single nonsense answer that I use with all security questions…? Usually sites with security questions make you answer more than one - it would be interesting to know if there is any built-in rule preventing the same answer to all of them. (Otherwise, I won’t know until the time comes which of the security questions I will be asked, and if they all have a different unrelated answer, I’m back at square one).

The more reliable option is to honestly answer well-crafted security questions. It is indeed a bit less secure, but it actually WORKS In Real Life! It actually does the job without the inherent danger of recording the answer anywhere. I’m not saying it’s easy coming up with questions whose answers couldn’t be easily found with basic research methods (like mother’s maiden name, to cite the classic example). I’m trying to think of some factual personal questions that might apply universally, and it’s problematic to say the least. Perhaps a longer list of possible questions would help, as it would increase the chances of finding one a user could answer definitively…? I mean, if you were going to present 50 questions for the user to choose from instead of 5, chances of one being memorable to any particular user obviously increase.

An alternative that I’ve seen occasionally used in the past is to allow the user to compose their own security question, and then answer it. Haven’t seen that in a while, so I wonder if there are issues with implementing something like that…? Now THAT could be a very secure model if every site used it, because a user would have a small set of question/answer pairs, so they could actually be expected to remember them even if they are false, nonsense, or very complex!

All of this is similar to the problem I’ve always had with all of the recommendations and requirements for “strong” passwords that advocate giant unintelligible strings. I completely understand that a password that is long, using diverse characters, and avoiding known spellings is certainly going to be more secure than “password”. Any of us can make up and remember ONE hella password that would keep a brute-force cracker busy for a long time. Unfortunately it becomes unreasonable when you multiply it by the number of systems and sites a user actually needs to access In Real Life! I know I’m well into the hundreds of username/password pairs. Aren’t you? And how many of those will you have to change in the next 90 days?

If it is unreasonable, then users simply are not going to do it, and they WILL find another way! Let’s face it - Users are already writing too much down, and will continue to do so. Why are we reinforcing that bad behavior, both with passwords and security questions?

I try to use a password manager wherever possible to create strong passwords without having to write them down (I’m not in love with that either, and it only works with some sites, but one can only do so much), but that doesn’t help with “security questions”. I DO try to avoid recording any kind of credentials. That’s why I’m taking issue with Webroot’s current set of security questions - because they are so subjective, I can’t answer any of them reliably, so I’m being FORCED to write something down because it’s unreasonable to expect that I will remember this particular made-up answer exactly should the need arise.

Reply