
Why you should not be using Personal Information for 2FA

In the digital era it is important that we find ways to safeguard our data, and the methods we use to secure our accounts continue to advance. One widespread yet increasingly problematic measure is the use of personal questions, often termed “security questions,” as a second step after the password. While seemingly harmless, questions such as “What was your mother’s maiden name?” or “Where were you born?” introduce considerable risk. They are also not a genuine second factor at all: like a password, an answer is “something you know,” so pairing the two does not give an attacker two independent hurdles to clear. This article examines why personal questions are a weak security component that should be retired, explores the core reasons behind their inadequacy, and suggests more robust alternatives.

Fundamental Weaknesses of Personal Security Questions

Personal security questions aim to use unique, memorable information as a secondary authentication method. However, this approach is inherently flawed due to several key vulnerabilities:

  1. Publicly Accessible Information: With the spread of social media profiles, much of our personal information can no longer be considered private.
  2. Restricted and Predictable Answers: The range of possible answers to many typical security questions is surprisingly narrow and predictable.
  3. Susceptibility to Social Engineering: Human nature makes individuals vulnerable to manipulation, and security questions hand an attacker a ready-made script for the conversation.
  4. Fixed and Unalterable: Unlike passwords, the answers to personal security questions cannot be changed once exposed.
  5. Difficulty Recalling Exact Answers: Even genuinely private information can be misremembered or entered in a different form from the one originally registered.

Detailed Examination: Deconstructing Each Weakness

Let’s examine each of these critical weaknesses in more detail:

Publicly Accessible Information

The rise of social media has blurred the distinction between public and private information. What was once considered confidential is now frequently discoverable through a simple search. Consider these examples:

  • “Where were you born?” – Your birthplace is often listed on social media profiles and public records or easily deduced from your connections or shared experiences.
  • “What was your mother’s maiden name?” – This information is frequently available through genealogy sites, obituaries, or online family trees. A determined attacker could assemble it from various public sources even if not directly posted.
  • “What was the make and model of your first car?” – Many people share posts about their first cars on social media.
  • “What was the name of your first pet?” – Pet names are often used in social media profiles or shared in general online discussions.

Attackers, using data mining and open-source intelligence (OSINT), can quickly gather enough information to bypass these “security” measures and render them useless.

Restricted and Predictable Answers

The nature of many security questions limits the spectrum of possible answers, making them susceptible to online guessing: an attacker simply tries the most common answers first.

  • “What is your favourite colour?”: While many colours exist, most people will select from a relatively small group (blue, green, red, black, etc.). An attacker could rapidly try the most common colours.
  • “What month were you born?”: There are only 12 possible answers.
  • “What elementary school did you attend?”: For many, this is a local school with a common name, making it easier to guess, especially if the attacker knows the general geographic area.
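To put numbers on the pool-size argument, here is an added example (not code from the original article or from Password Express) that models an attacker who guesses the most popular answers first within a lockout budget of a few attempts, and compares that budget against a random password. The answer frequencies below are constructed for illustration and are assumptions, not survey data.

```python
import math
from typing import Dict, Iterable

# Constructed, illustrative answer distributions (assumed, not measured):
# relative frequency of each answer across the user population.
MONTH_OF_BIRTH: Dict[str, float] = {m: 1 / 12 for m in (
    "jan", "feb", "mar", "apr", "may", "jun",
    "jul", "aug", "sep", "oct", "nov", "dec")}

FAVOURITE_COLOUR: Dict[str, float] = {
    "blue": 0.35, "green": 0.15, "red": 0.12, "purple": 0.10, "black": 0.08,
    "yellow": 0.06, "orange": 0.05, "pink": 0.05, "white": 0.04,
}


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Min-entropy: the work facing an attacker who always guesses the
    single most popular answer. This, not Shannon entropy, is the right
    measure for an online guessing attack with a small attempt budget."""
    return -math.log2(max(dist.values()))


def guess_success(dist: Dict[str, float], attempts: int) -> float:
    """Probability that an attacker who tries answers in descending order
    of popularity succeeds within `attempts` tries (the budget a lockout
    policy leaves them)."""
    ranked = sorted(dist.values(), reverse=True)
    return min(1.0, sum(ranked[:attempts]))


def multi_question_success(dists: Iterable[Dict[str, float]], attempts_each: int) -> float:
    """Attacker must answer every question; answers treated as independent."""
    p = 1.0
    for d in dists:
        p *= guess_success(d, attempts_each)
    return p


def random_password_success(attempts: int, alphabet: int = 62, length: int = 8) -> float:
    """Same attempt budget spent against a uniformly random password."""
    return attempts / (alphabet ** length)


def random_password_bits(alphabet: int = 62, length: int = 8) -> float:
    """Entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    budget = 5  # e.g. lockout after five wrong answers
    for name, dist in (("month of birth", MONTH_OF_BIRTH),
                       ("favourite colour", FAVOURITE_COLOUR)):
        print(f"{name:18s} min-entropy {min_entropy_bits(dist):4.1f} bits, "
              f"P(success in {budget}) = {guess_success(dist, budget):.2f}")
    print(f"both questions      P(success) = "
          f"{multi_question_success([MONTH_OF_BIRTH, FAVOURITE_COLOUR], budget):.3f}")
    print(f"random 8-char pw    {random_password_bits():4.1f} bits, "
          f"P(success in {budget}) = {random_password_success(budget):.1e}")
```

Even two questions together fall to a five-guess attacker with double-digit percentage odds, while the same five guesses against an eight-character random password succeed with probability on the order of one in ten trillion. Lockout policies help only when the answer space is large enough that a handful of guesses is hopeless.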

This limited variety means that even if an answer is not publicly available, the chance that an attacker guesses it correctly within a handful of attempts is far higher than for a strong, random password.

Susceptibility to Social Engineering

Individuals are often the weakest component in any security framework. Attackers exploit this through social engineering, and security questions offer fertile ground for such attacks because the questions are standardized and known in advance. A skilled social engineer can:

  • Impersonate a trusted entity: Impersonating a bank representative or tech support, they might subtly extract answers to security questions during a seemingly legitimate conversation.
  • Employ psychological manipulation: Through a series of seemingly innocent questions, an attacker can lead a victim into revealing information that answers a security question. For instance, asking about childhood memories or family history can inadvertently reveal details about a first pet’s or parent’s maiden name.
  • Exploit personal connections: Attackers might research a victim’s friends and family, then use that connection to gain trust and extract information.

Because security questions rely on personal, often emotionally significant, information, individuals may be more prone to revealing them under deception than they would a complex, seemingly random password.

Fixed and Unalterable

One of the most critical weaknesses of personal security questions is that their answers are unchangeable. A password can be replaced the moment a compromise is suspected; your mother’s maiden name or birthplace remains constant throughout your life.

  • If an attacker compromises one of these answers, that information remains compromised indefinitely.
  • You cannot “reset” your birthplace or first pet’s name.
  • This makes security questions a single point of failure. Once compromised, they provide no ongoing protection.

This static characteristic means that a breach involving security questions has lasting consequences: answers exposed by one site remain valid at every other site that asks the same questions.

Difficulty Recalling Exact Answers

The ironic aspect of security questions is that even when the information is private, users often forget the precise wording or capitalization they used when setting up the answer.

  • Was it “John’s Dog” or “john’s dog”?
  • Was the full name of my elementary school used or an abbreviation?
  • This leads to user frustration and lockouts, as the system requires an exact match.
  • To avoid this, users often opt for easily memorable (and thus easily guessable) answers, further diminishing their security.

This human fallibility directly undermines the very purpose of security questions, making them both insecure and inconvenient.

Adopting Better Options

It is evident that personal security questions, despite their widespread use, are a deeply flawed security mechanism.

Their vulnerability to publicly available information, limited answer pools, social engineering, unchanging nature, and even user forgetfulness make them a risk rather than a safeguard. Relying on them for authentication is comparable to leaving your front door unlocked on a busy street.

Fortunately, far superior alternatives offer strong, dynamic protection for your online accounts. It is time for individuals and organizations to move beyond the outdated concept of personal questions and embrace genuine multi-factor authentication (MFA): a second factor that is something you have, not another thing you know.

Here are some highly recommended alternatives:

  • One-Time Password (OTP) Devices: Dedicated hardware tokens that generate a unique, time-sensitive code (OTP) every 30 or 60 seconds. Because the code changes constantly, an intercepted code is useful only until the current time step expires. Note the caveat: a real-time phishing proxy can relay the code within that window, so OTPs are far stronger than security questions but not phishing-proof. Examples include RSA SecurID tokens.
  • Authentication Apps (e.g., Duo Mobile, Google Authenticator, Microsoft Authenticator): These smartphone applications serve a similar role to OTP devices but use your mobile device. They generate time-based one-time passwords (TOTP) or send push notifications for approval. Push approval should use number matching so that a user who has not initiated a login cannot simply tap “Approve” on a prompt triggered by an attacker holding the password. They are convenient, widely supported, and significantly more secure than security questions.
  • Hardware-Based Security Tokens (e.g., YubiKey, Titan Security Key): These physical keys offer the highest level of security. They use strong cryptographic protocols (FIDO2/WebAuthn) to authenticate users, and the credential is bound to the site’s origin, so a lookalike phishing page cannot obtain a valid response. Plug the key into your computer’s USB port or tap it on your phone to log in. This origin binding is what makes them phishing-resistant in a way that OTP codes are not.

Replacing personal security questions with strong MFA solutions is not just a suggestion, but an essential change to protect our digital lives and our personal data. By making the change today, you can give corporate accounts the strong protection they need.

Password Express provides the tools you need to migrate away from security questions and provide strong authentication factors across your enterprise.
