[quote]Who’s there?

Nay, answer me. Stand and unfold yourself.

Long live the King.[/quote]
The business of challenge-response authentication used to be easier. They had swords; we have cryptography. Who’s better off?

We have passwords, which must never be simple enough to remember and must not be written down on a slip of paper in our desk drawer. So we forget them and call tech support.

But they don’t want us to call tech support (expensive) so they give us a back door: a “security question.” If we can just tell them our mother’s maiden name …

But anyone can find out our mother’s maiden name, so the security questions are getting tougher. And now we arrive at the problem. They are too tough for me.

What was the name of your first pet?

Do you mean my first serious pet, a beagle called Gibbs? Or the lizard I sometimes called Chameley (spelling unknown)?

According to official government guidelines for authentication by federal financial institutions, this is an example of “shared secret” authentication. “Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity.” Here are a few more from the current list used by the Department of the Treasury:

You were born in what city?

Google it. Some secret.

What was the first car you owned?

Admittedly you can’t Google this one. Also I don’t remember.

Who would you most like to meet?

Seriously? Living or dead? I could come up with someone, but it won’t be the same tomorrow.

What is your favorite movie?

What is the location of your dream vacation?

These are “information elements,” all right. But knowledge is not fixed. Information elements can be ghostly and ephemeral. Some have half-lives measured in minutes or milliseconds. Like quantum states, they are subject to observer effects and the uncertainty principle.

There is a website called goodsecurityquestions.com. But that is bravado. There are no good security questions.

# # #

(Meanwhile, I seem to be losing my ability to make out the captchas. Is it just me?)


Find me in the open social web (fediverse; Mastodon): @JamesGleick@zirk.us
