What's In A Question? Perhaps More Of Your Authentication Than You Realize

True story from a reader: A customer tries to log into his mobile phone account. He types his password several times, but he can't get in, and eventually the account is locked. Must have mis-keyed either the login or password, he figures. No problem, though, because the system asks him to enter his phone number, and then asks a security question: "What is your favorite ice cream flavor?"

The customer doesn't remember setting up this security question, but he guesses "vanilla." That works, and the system asks him to enter a new password. Once that's done, he has full access to the account—which he quickly discovers belongs to someone else, because he mistakenly typed in a phone number that's off by one digit. Oops.

Retail IT spends lots of time and effort trying to get employees to use secure passwords. It's harder to keep customers in line, but they can at least be prodded to choose longer, harder-to-guess passwords. Still, that's all wasted effort if the fallback security challenge question is ludicrously simple to guess: whoever can answer the question never needs the password, so the account is only as strong as the weaker of the two. Favorite sports team? Favorite restaurant? Favorite band? Favorite vegetable? There's some security there, because the answers are spread across many possibilities. But favorite ice cream flavor? Way too easy.

For the record, vanilla is actually the favorite ice cream flavor of only 22 percent of Americans, according to a 2009 Harris poll. Vanilla wasn't even the top pick; 27 percent named chocolate. That still makes either choice a likely answer for a decidedly lame security challenge: by the poll's own numbers, an attacker who tries "chocolate" and then "vanilla" gets in on the first two guesses for roughly half of all accounts, and that is before a single bit of research on the victim.

Yes, passwords are the best security you've got for customers today, and longer and more complex is better, most of the time anyway. And true, challenge questions will always be a relatively weak link in the security chain; a dedicated thief will do the research to discover the mother's maiden name, high school mascot or first employer of a targeted victim. And yes, a security system that dumps the user of a locked account into a password reset system and then allows the user to re-select which account he'll be resetting the password for is hopelessly flawed anyway. The reset should be bound to the account whose lockout triggered it, not to whatever identifier is typed on the next screen, and the answer to the challenge question deserves the same attempt limit the password gets; otherwise the lockout that was meant to stop guessing simply hands the guesser a second, easier target.
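The two reset flows described above, side by side, as an added example that is not part of the original article and not any carrier's real system. The vulnerable function reproduces the reader's story: after a lockout, the reset page accepts a typed phone number and resets whichever account that number selects. The bound version issues a single-use token at lockout time that names the locked account, throttles challenge-answer guesses with the same kind of counter a password gets, normalizes and stretches the stored answer, and compares in constant time. The phone numbers, passwords, answers, attempt limit and PBKDF2 round count are constructed for the demo.

```python
"""Password-reset flow: account re-selection flaw beside a bound flow.

Added example, not from the original article. All accounts, secrets and
policy constants below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ANSWER_ATTEMPTS = 3     # assumed policy: guesses allowed per reset
PBKDF2_ROUNDS = 100_000     # assumed; tune to your hardware in production


def hash_secret(value: str, salt: bytes) -> bytes:
    """Normalise ("Vanilla " == "vanilla"), then stretch with PBKDF2."""
    data = value.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    phone: str
    salt: bytes
    password_hash: bytes
    answer_hash: bytes          # answer to "favorite ice cream flavor?"
    locked: bool = False
    answer_failures: int = 0

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_secret(password, self.salt))

    def check_answer(self, answer: str) -> bool:
        return hmac.compare_digest(self.answer_hash, hash_secret(answer, self.salt))


def make_account(phone: str, password: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(phone, salt, hash_secret(password, salt), hash_secret(answer, salt))


# Constructed data: two neighbouring numbers, both with the poll's top answers.
STORE = {
    "555-0100": make_account("555-0100", "correct horse", "chocolate"),
    "555-0101": make_account("555-0101", "battery staple", "vanilla"),
}


def vulnerable_reset(typed_phone: str, answer: str, new_password: str) -> bool:
    """The flow from the article: the reset page trusts the typed number,
    asks that account's question, and one correct guess resets it."""
    acct = STORE.get(typed_phone)
    if acct is None or not acct.check_answer(answer):
        return False
    acct.password_hash = hash_secret(new_password, acct.salt)
    acct.locked = False
    return True


_pending: dict[str, str] = {}   # reset token -> phone of the account that was locked


def lock_and_issue_reset(phone: str) -> str:
    """Called by the login page when the lockout fires. The token, not a
    user-typed identifier, decides which account the reset applies to."""
    STORE[phone].locked = True
    token = secrets.token_urlsafe(32)
    _pending[token] = phone
    return token


def bound_reset(token: str, answer: str, new_password: str) -> bool:
    phone = _pending.get(token)
    if phone is None:                       # unknown, used or expired token
        return False
    acct = STORE[phone]
    if acct.answer_failures >= MAX_ANSWER_ATTEMPTS:
        _pending.pop(token, None)           # challenge throttled like the password
        return False
    if not acct.check_answer(answer):
        acct.answer_failures += 1
        return False
    _pending.pop(token, None)               # single use on success
    acct.password_hash = hash_secret(new_password, acct.salt)
    acct.locked = False
    acct.answer_failures = 0
    return True


def demo() -> tuple[bool, bool, bool]:
    """Replays the reader's story: 555-0100 is locked, 555-0101 gets typed."""
    STORE["555-0100"].locked = True
    hijacked = vulnerable_reset("555-0101", "vanilla", "new-pass")   # neighbour reset
    token = lock_and_issue_reset("555-0100")                         # bound to 555-0100
    wrong = bound_reset(token, "vanilla", "new-pass")                # its answer is chocolate
    right = bound_reset(token, "chocolate", "new-pass")
    return hijacked, wrong, right


if __name__ == "__main__":
    print(demo())
```

In the bound flow the typed phone number never appears: the login page already knows which account it locked, so the reset inherits that identity through the token. The attempt counter is the other half of the fix, since binding alone does not stop someone who triggers the lockout on a victim's number on purpose and then guesses flavors.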

Still, it's probably worth bolstering your second line of defense with a little more thought and creativity. That way, your customers' long, complex passwords aren't backed up by a challenge question that's plain vanilla.