However it relies on sufficient information already being stored about the user, and on this information being hard for an attacker to obtain. This approach avoids having to ask the user to provide specific security questions and answers, and also prevents them from being able to choose weak details. System defined security questions are based on information that is already known about the user. However, users will often choose weak or easily discovered answers to these questions. These are easy for applications to implement, as the additional information required is provided by the user when they first create their account.
Common examples are "What is your favourite colour?" or "What was your first car?" With user defined security questions, the user must choose a question from a list, and provide an answer to the question. Security questions fall into two main types. The answer to the question must be hard for an attacker to obtain. The user must be able to answer the question. The answer to the question must not change over time. The user must be able to recall the answer to the question, potentially years after creating their account. Choosing Security Questions ¶ Desired Characteristics ¶Īny security questions presented to users to reset forgotten passwords must meet the following characteristics: Characteristic
#CHEAT HAPPENS FORGOT SECRET QUESTION HOW TO#
While there are no acceptable uses of security questions in secure software, this cheat sheet provides guidance on how to choose strong security questions for legacy purposes. See SP 800-63B sec 5.1.1.2 paragraph 4: Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. Account recovery is just an alternate way to authenticate so it should be no weaker than regular authentication. WARNING: Security questions are no longer recognized as an acceptable authentication factor per NIST SP 800-63.
Insecure Direct Object Reference PreventionĬhoosing and Using Security Questions Cheat Sheet ¶ Introduction ¶
Allowing Users to Write Their Own Questionsįorgotten Password or Lost MFA Token Flow