05-11-2017 07:42 AM
The following are typical challenge questions that you answer when setting up an account:
In a paper presented at WWW 2015, the authors concluded that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. They indicated that the questions and answers suffer from a fundamental flaw: answers are either secure but difficult to remember, or easy to remember but insecure, and rarely both.
Challenge questions are also sometimes used as an additional layer of security to protect against suspicious logins. Here are some of their findings:
2FA tokens sent to users’ registered mobile devices (the devices themselves can be verified during account registration via a code sent to them over SMS) provide a much more secure and easier method for recovering lost passwords and for validating suspicious logins.
The study concluded: “... site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”
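The alternative the post recommends, a short-lived code delivered over SMS or to a secondary e-mail address, is only an improvement over secret questions if the server handles the code carefully: generated from a CSPRNG, stored only as a keyed hash, bound to one account, expiring quickly, single use, and protected against online guessing. The following is an added example, not code from the post or from the WWW 2015 paper it summarizes (Bonneau et al., "Secrets, Lies, and Account Recovery"), showing one way to do that in Python. The class name `RecoveryCodeService`, the `PEPPER` value, and the length, TTL and attempt limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed values: in a real deployment the pepper comes from a secret store
# and the limits are tuned to the product. An 8-digit code has only 10**8
# possibilities, so the attempt limit and expiry do most of the work.
PEPPER = b"example-pepper-not-for-production"
CODE_LENGTH = 8
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    digest: bytes       # keyed hash of the code; the code itself is never stored
    expires_at: float   # absolute time after which the code is dead
    attempts: int = 0   # verification attempts consumed so far


class RecoveryCodeService:
    """Issues and verifies one-time recovery codes sent out of band (SMS, e-mail)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock, used by the tests
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(user_id: str, code: str) -> bytes:
        # Binding the user id into the MAC means a code issued to one account
        # cannot be replayed against another account that happens to share it.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(PEPPER, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id; the caller sends it over the chosen channel."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True once, for the right code, within the TTL and attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            del self._pending[user_id]       # expired: discard, do not compare
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]       # budget exhausted: user must re-issue
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, submitted))
        if ok:
            del self._pending[user_id]       # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    svc = RecoveryCodeService()
    code = svc.issue("alice")
    print("code to deliver out of band:", code)
    print("correct code accepted:", svc.verify("alice", code))
    print("replay rejected:", svc.verify("alice", code))
```

The digest is compared with `hmac.compare_digest` so verification time does not leak how many leading bytes matched, and the pending entry is deleted on success, on expiry and when the attempt budget runs out, so every failure mode forces a new issuance rather than leaving a guessable code in place. This example covers only the server's side of the exchange; the security of the delivery channel itself is a separate question.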