Security Debunk: Security Challenge Questions

The security field has umpteen myths and quirks that people believe, giving them a false sense of security. One of the most common is security challenge-response questions.

This feature usually comes in the form of picking questions from a list, or supplying your own, and then supplying your answers.

In its basic form, challenge questions are used as a poor man's second factor or as part of an account recovery feature.

What is happening here?

People think that nobody but them would be able to find or guess the answers to their personal questions. In reality this information is likely a click away. It provides little to no additional security to your account; if anything it makes your account less secure, giving attackers an avenue to gain access to it.

Attackers can obtain your information in numerous ways: another breach, if your information was among the millions of records stolen or leaked; social media; old account statements; etc.

Two Factor Authentication (2FA)

If you combine two different factors you can improve your security posture greatly. A good example is a bank ATM card: access to your bank account requires physical possession of the card together with a secret only you know.

The second factor would be a code from a virtual app, a physical token, or a text message to a mobile phone. My favorite physical token is the YubiKey by Yubico. For virtual tokens I use LastPass Authenticator, but any 2FA app can be used, such as Microsoft Authenticator or Authy.

Note: Text/SMS two-factor methods have come under scrutiny recently due to attackers social engineering telco customer service agents into activating the account on another SIM, aptly named the SIM swap scam. This type of attack isn't preventable by the user, as it's an attack on the mobile carrier's process, not an attack on the technology.


If you have to use security questions, meaning there is no other service that provides what you want, consider choosing fake answers to your security questions. Answers that aren't true will be harder to obtain or guess.

Happy secure surfing!

Jul 4th, 2019 • Posted in Access Control, Security