What You Should Know About Security Questions
Recently, I read an excellent article on TechCrunch about the security questions you have to create when setting up a new account. The discussion focuses on how studies have shown that many security questions may be too easy to really protect the account from attackers. General questions like “what city were you born in?” or “what’s your favorite food?” can be easily guessed by an English-speaking attacker who has the benefit of 10 attempts to guess your answer.
I found this interesting because there were many times when I questioned the point of creating a security question when most of my answers can be found on social media sites like Facebook. On Facebook alone I can see most of the common information for some of my friends, like their mom’s maiden name, their dog’s name, their high school’s name or the city they were born in. It makes me question why they even continue to use them or why they haven’t already created harder questions only the user would know. For example: “what is the last name of the teacher who gave you your first failing grade?” When dealing with questions like those, it is harder for someone to guess your answer within ten tries unless they know you personally or even failed the class with you. The idea is to ask about something most people would not share in normal conversation, which makes the answer even harder to guess and reduces the likelihood that the account can be hacked.
As we at Motifworks create SaaS-based applications, we make sure we implement secure engineering practices in the design and code. One of the many things Motifworks has been successful with in order to keep our customers feeling safe and confident is using more secure ways to protect customers’ data.
- Two-factor authentication: For authentication purposes, we recommend using two-factor authentication, either via SMS or a secondary email address, as an extra layer of security.
- Tapproof Encryption: In some cases, we have used Tapproof Encryption to make the authentication more secure. For example, working on a security application for Safenet, we used Tapproof Encryption for Dropbox file encryption. Using this service, Dropbox users were assured that absolutely no one has access to their files, not even Dropbox or Safenet, without their approval.
- Single sign-in: We also use single sign-in capabilities that will allow you to be logged out of your last device automatically once you have logged into a new one. This is a great way to alert users that their account is being used someplace else, and it cuts down on the chances of an attacker stumbling upon the account and hacking it.
- Monitoring sign-in locations: With this capability, the user will be notified and asked to confirm if their account is being logged into from other places, especially if the account is being logged into from another country. When this happens, our systems will automatically alert the user and will not allow the sign-in to take place until after the user has given confirmation through his or her email.
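A minimal sketch of the sign-in location check described in the last item, added here as an illustration and not Motifworks' own code. The class name, the 15-minute token lifetime, enrolling the first location automatically, and receiving the country as a code already derived from the client IP address are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime of the e-mailed confirmation link, in seconds


class SignInGate:
    """Holds a password-verified sign-in from an unseen country until e-mail confirmation."""

    def __init__(self):
        self.known = {}    # user -> set of confirmed country codes
        self.pending = {}  # sha256(token) -> (user, country, expiry)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked pending table yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def attempt(self, user, country, now=None):
        """Return ("allow", None) or ("hold", token); the token is e-mailed to the user."""
        now = time.time() if now is None else now
        seen = self.known.setdefault(user, set())
        if not seen:  # assumption: the first sign-in enrols its location
            seen.add(country)
            return "allow", None
        if country in seen:
            return "allow", None
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (user, country, now + TOKEN_TTL)
        return "hold", token

    def confirm(self, token, now=None):
        """Handle a click on the e-mailed link; True if the location is now trusted."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return False  # unknown, forged or already used token
        user, country, expiry = entry
        if now > expiry:
            return False  # expired link: the sign-in stays blocked
        self.known[user].add(country)
        return True
```

The held sign-in should create no session until `confirm` returns True, and the confirmation e-mail only adds protection if the mailbox itself is not protected by the same password.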
Here at Motifworks we take great pride in making sure our users feel secure and connected at all times.