There is controversy as to whether secret questions and answers really add much to the security of a site. That said, many major sites do rely on them. In a more connected world with social media, secret answers are often available online with some research. The first decision is whether to use a secret question the user enters or to make the user choose from a list. It is generally agreed that most users will invent very poor, guessable questions – What is my favourite colour?
Questions should be:
- Easily remembered
- Have a static answer
- Not guessable or discoverable
- Have a wide range of answers
Unless a help desk needs access to the answers to provide phone support to a user, the answers should be stored hashed and salted, i.e. comparable but not recoverable. If a help desk does need access to them, they should be encrypted. They are called secret questions; the clue is in the name: the answers should be secret and kept secure. Remember there are no good secret questions, just fair or terrible ones, so do not overly rely on this technique. By this I mean don't let knowing a secret answer allow someone to steal an account, e.g. change a password or update an email address. For major changes users should have to enter a password. If they don't know the password, let them recover it first.
Other good practice includes:
- Do not copy questions from another website, e.g. a bank – if you do this and lose the answers it would be a major issue
- Ask multiple questions
- Validate that the answers are different – this is to prevent a user entering the same dummy answer over and over again
- Answers should have a minimum length, e.g. don't let the user enter "a"
- Do not use answers that are public record or available by other means – Social Security numbers, National Insurance numbers, employee numbers, health registration numbers
- Don't allow multiple attempts at entering secret question answers – i.e. prevent brute force attacks
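The following is an added example, not code from the original post, that puts the storage advice above (salted hashes that can be compared but not recovered) together with the enrollment and verification rules in this list: several questions, a minimum answer length, distinct answers, and a cap on failed attempts. It assumes a Python service that keeps one record per user; the record layout, the `MIN_ANSWER_LEN`, `MAX_ATTEMPTS` and `PBKDF2_ITERATIONS` constants and the sample answers are all constructed for illustration. The encrypted-for-help-desk variant is not shown.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

MIN_ANSWER_LEN = 4        # assumed policy: reject trivially short answers such as "a"
MAX_ATTEMPTS = 3          # assumed policy: lock secret-question recovery after this many failures
PBKDF2_ITERATIONS = 100_000  # assumed work factor; a memory-hard KDF (scrypt/Argon2) is preferable in production


class EnrollmentError(ValueError):
    """Raised when a set of questions/answers does not meet the policy."""


def normalize(answer: str) -> str:
    """Canonicalise an answer so that 'Elm  Street' and 'elm street' compare equal.

    Users rarely retype an answer identically, so compare a normalised form
    rather than the raw string; case and whitespace carry no secrecy anyway.
    """
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for an answer. A fresh random salt per answer means
    two users with the same answer do not share a stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def enroll(questions_and_answers: List[Tuple[str, str]], min_questions: int = 2) -> Dict:
    """Validate a user's chosen questions and return a storable record.

    Only salts and digests are kept; the plaintext answers never reach storage.
    """
    if len(questions_and_answers) < min_questions:
        raise EnrollmentError(f"at least {min_questions} questions are required")
    normalized = [normalize(a) for _, a in questions_and_answers]
    for norm in normalized:
        if len(norm) < MIN_ANSWER_LEN:
            raise EnrollmentError(f"answers must be at least {MIN_ANSWER_LEN} characters")
    if len(set(normalized)) != len(normalized):
        raise EnrollmentError("answers must all be different")
    record = {"attempts": 0, "locked": False, "answers": []}
    for question, answer in questions_and_answers:
        salt, digest = hash_answer(answer)
        record["answers"].append({"question": question, "salt": salt, "hash": digest})
    return record


def verify(record: Dict, supplied: List[str]) -> bool:
    """Check every stored answer; count failures and lock the record after MAX_ATTEMPTS.

    All answers are checked before deciding, so an attacker learns only that the
    set as a whole was wrong, not which individual answer failed.
    """
    if record["locked"]:
        return False
    all_match = len(supplied) == len(record["answers"])
    for stored, answer in zip(record["answers"], supplied):
        _, digest = hash_answer(answer, stored["salt"])
        if not hmac.compare_digest(digest, stored["hash"]):
            all_match = False  # keep going rather than returning early
    if all_match:
        record["attempts"] = 0
        return True
    record["attempts"] += 1
    if record["attempts"] >= MAX_ATTEMPTS:
        record["locked"] = True  # further recovery must go through another channel
    return False


if __name__ == "__main__":
    # Constructed sample enrollment; answers are illustrative only.
    user = enroll([("Name of first pet", "Rex the Dog"), ("Street you grew up on", "Elm Street")])
    print("correct answers accepted:", verify(user, ["rex the dog", "ELM  street"]))
    print("wrong answers rejected:", verify(user, ["rex the dog", "Oak Street"]))
```

Storing only `salt` and `hash` satisfies the "comparable but not recoverable" requirement; the lock flag is what turns "don't allow repeated attempts" into something the verification path actually enforces, and a locked record should route the user to password-based or out-of-band recovery rather than more guesses.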