So I’m trying to set up 2FA for my Webroot console login. I plan on using an authenticator app, but I haven’t gotten far enough to actually make that happen because I can’t get that far in the process.
I would like to know if I’m the only one who finds the “Security Question” portion of setting up 2FA on Webroot to be foolish and insecure.
The problem is that before I can get to setting up my authenticator with Webroot, I have to choose answers to two “Security Questions”. Nothing new about security questions, right? You choose a question from those provided and put in your answer (usually something unique to the user’s life history). It’s a good way to prevent stolen passwords from allowing access to an account. It’s not foolproof - some bad actor could possibly know a user well enough to guess the answers - but it’s a fairly secure second-string method of verifying the user’s identity in the case of something like a lost password or other sensitive operation.
However, Webroot’s execution of this common everyday exercise renders it completely useless and unusable!
The first set of possible questions is fine - there are questions that have factual answers. For example, “What is your oldest sibling’s middle name?”. The answer to that question is always going to be the same, not open to interpretation or opinion, and unlikely to be remembered incorrectly. It is essentially immutable.
The problem comes in with the second set of possible questions!
They are almost all opinion-based, and opinions change over time. Those that aren’t opinions are questions that may or MAY NOT apply to every person. The choices are:
What was your favourite childhood food?
Who was your childhood hero?
If you had to choose a new first name what would it be?
What was the name of your first stuffed animal toy?
What was the first album or song you purchased?
Now let’s remember that THE WHOLE POINT of the security questions is that it be something that the user can answer off the top of their head, so even if something like a password is forgotten or mistyped, the user can ALWAYS be identified because they can ALWAYS readily give the CORRECT answer because it is based on their own personal knowledge.
So the first three questions are opinions - childhood opinions! - that assume that the user has already actually made a singular choice on a completely subjective topic. Who was my childhood hero? There were lots of them! Einstein, Gandhi, MLK, Spiderman - so how do I answer this question???
As for the other two - what if I didn’t have a stuffed animal toy? (I did, and it didn’t have a name.) And I don’t happen to be a music lover, and I didn’t have money to spend on buying songs or albums when I was a kid. Not everyone does, you know.
So, I’m not trying to be uncooperative - I truly do not have a reliable, unchanging answer to ANY of these questions - and THE WHOLE POINT of the questions is that I be able to answer them the same way months or years from now.
Since I couldn’t come up with a way to answer the second question, and could go no further in setting up 2FA without doing so, I contacted Webroot support, expecting that perhaps they could provide an alternative. What was their answer?
“I would recommend coming up with an answer and writing it down somewhere so you can reference it later.”
Yes, you read that correctly.
WEBROOT SUPPORT WANTS ME TO WRITE DOWN THE ANSWER TO THE SECURITY QUESTION!
To me this demonstrates a fundamental lack of understanding of the most basic principles of information security - from my internet security provider!
Am I wrong here?