Why we retired the security question

Jul 2, 2020  - written by  in Security

What’s your mother’s maiden name? What’s your favorite food? For years, Gandi customers who forgot their passwords, and who had the feature activated on their accounts, had to answer one of these “security questions” to reset their password.

But that’s no more. In our new interface, we’ve retired the security question.

So what gives? Is your account less safe? Why did we retire the security question?

Knowledge based authentication

Security questions are a form of “knowledge-based authentication,” or KBA: verifying identity based on a piece of information that “only” the person you’re trying to identify would know.

KBA—in particular the mother’s maiden name—has long been a staple of the banking industry. The logic was that tellers could quiz anyone trying to make suspicious withdrawals with a piece of trivia that a fraudster would be unlikely to know.

Nearly a century before everyone and their mother was on Facebook (not to mention decades before women started keeping the last name they were born into, even after marriage) a woman’s maiden name wasn’t well known outside of her family. What’s more, a would-be fraudster wouldn’t expect to be put on the spot by such arcane questions.

KBA became standard operating procedure in the financial sector, used to verify the identities of people making all kinds of transactions. As banks, along with the rest of the world, slowly made their way online, they brought KBA along with them, and everyone soon became very familiar with being asked for their mother’s maiden name.

KBA even ended up embedded in the recommendations of organizations like the National Institute of Standards and Technology (NIST), which is often seen as one of the principal authorities on digital security standards.

That made it a small leap for security questions to spread from the banking sector to the sticky problem of resetting passwords.

Fallback passwords

Traditionally, when you would forget your password, your main recourse was to contact customer service, who would then verify your identity over the phone or by email, and then manually reset your password.

Having to wait for support to be open, and then to respond, not only made the ordeal frustrating for anxious users just trying to get into accounts they were locked out of, but it also had a real material cost in the work hours support agents spent verifying users’ identities.

That’s how security questions ended up as perhaps the most popular password recovery feature out there. By virtue of their ubiquity, and because they came highly recommended by organizations like NIST, that’s also how they ended up as an extra opt-in add-on to Gandi’s password recovery system.

Security questions used for password recovery, then, became a sort of “fallback” for your password. If you can’t remember your password, you can probably remember your favorite food.

You might already see the problem, then.

Who doesn’t like pizza?

If your security question is a fallback for your password, then what good was having a password? Used simply as a fallback password, security questions actually made accounts less secure. After all, facts like your mother’s maiden name are hardly top-secret information when an attacker is targeting you specifically.

Just ask Paris Hilton, whose phone was hacked in 2005 through the security question “What is your favorite pet’s name?” (Hilton’s chihuahua, Tinkerbell, was a staple on her well-followed social media accounts).

But even if you don’t have a public persona, and even if you avoid easily discoverable questions like “mother’s maiden name” in favor of “favorite food,” that doesn’t mean you’re any safer.

In 2015, Google published their study of the security question in which they found that “pizza” was the answer about 20% of the time to the question “What is your favorite food?”

False sense of security

So what about harder questions than that? Google also found that 40% of users in the US couldn’t remember the answers to their security questions, and 9% in the case of “very difficult” questions like a library card number, meaning all of these users have to go back to the tried-and-true method of contacting support.

Gandi’s password recovery system was never so flawed as to make security questions a password fallback. Guessing the answer correctly would only launch a password reset email to the account owner’s email address, not provide access to the account.

When users can’t remember their security question answers, they end up, you guessed it, contacting support.

What it all boils down to, then, is that security questions don’t really provide any added security at all. At best, they provide a false sense of security. At worst, they actively frustrate the process they were meant to facilitate.

Why we retired the security question

For all of these reasons, security questions are no longer recommended, either by NIST or by authorities such as CERT-FR, and when it came to building out our new interface, Gandi chose to eliminate them as well.

Multi-factor authentication

So if security questions aren’t safe, what is? We suggest using multi-factor authentication.

An authentication “factor” is a category of credential used for verifying someone’s identity. The categories are often summarized as: something you know, something you have, or something you are.

If your security depends on a password and a security question, that’s still just “something you know” plus “something you know.” Gandi offers two-factor authentication based on two distinct factors: something you know (a password) and either something you have (a time-based one-time password or a USB security key) or something you are (biometrics, such as a fingerprint reader).

How to reset your password

That leaves how to reset your password.

From the account login page, you just need to click on “Forgot Username or Password?” and provide your account’s security email address to reset the password. We will then send the email with a link to reset your password.

If you need to update your security email, just click on your username in the top right when logged in to your Gandi account, click “User settings” from the drop-down menu, then “Manage the user account and security settings.” Next to “Account information,” click the green “Edit” button to change the email address.