personal verification question

The Personal Verification Question: Password’s Dumb Cousin

Multiple passwords are bad. They lead to low security and high user dissatisfaction. What’s worse? Pretend security in the form form of the Personal Verification Question. Security theatre at its finest. From banks to insurance.

As you can see in the screenshot, I am required to select 3 ‘personal verification questions’ from this list of questions. And, if I were to answer honestly, any social media would have my answers. Seriously, how secure do you think the info is on where I went to high school? (hint: Mars)

So, instead of increasing my security, these personal verification question make a hassle factor. I have to make up some unique string for each, and then store it in my PGP keyring, since someday they may ask me one of them. Its actually worse in my opinion than the password. And, some day, a confused agent will be on the phone w/ me wondering how it is my first car was a eiH{ahFae7oh.

51ee0edd image

Why can this site not use my existing Identity? Sign in with Google? Its tied to my corporate persona. Instead, yet another password, times 4, which I would guess are stored in plaintext (the personal verification question must be since presumably some agent will ask me this some day). So how long until they are hit with ransomware which exfiltrates the data?

A simple single-sign-on with external identity provider + multi-factor authentication would be much stronger, and much simpler. The Personal Verification Question is not multi-factor (for that you need 2 of something you are, something you know, something you have, see here for more info). So its not actually increasing the security. But, worse, it makes it seem like it is. So false security arises.

So, who will join me in the security uprising? We can demand better, simpler, more secure, all at once. Less identities, less questions, more secure.