Home > Ask the Information Security Experts > Questions & Answers > What type of protections should security question and answer authentication credentials have?
Ask The Security UK Expert: Questions & Answers
EMAIL THIS

What type of protections should security question and answer authentication credentials have?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security UK Categories
Meet all Security UK Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 09 October 2007
For a customer portal application, once a user has successfully logged in, should he/she be allowed to see his/her current security password-retrieval answer? Does it matter if the portal uses a single sign-on (SSO) system?

>
EXPERT RESPONSE
Security questions and answers are still authentication credentials, just like a user ID and password, or any other login credential, for that matter. As such, they should have the same protections as a user ID and password. Whether or not the portal uses SSO is irrelevant. A login is a login, no matter whether it comes through a single authentication system, or a complex one, like SSO.

You wouldn't expose a user's password on a desktop or online, right? Think of a security question and answer as an extension to a password.

Just as a reminder, here are some rules, or best practices, for safe handling of passwords that should be applied to security questions and answers, as well.

  • The answers to a question, once answered by the user, should never be displayed again. In future instances when it would be displayed, it should be blanked out, or covered with asterisks, just like a password.
  • If a user needs to reset the answer to a question, he or she should be redirected to that question and asked to answer it again.
  • If a user forgets the answer to a question, again, just like resetting a password, he or she should be redirected to the question to re-answer it, or be sent to a question-reset page.
  • If the user wants to add, delete or change a question, the same rule applies. He or she should be asked to start the question-and-answer process again from scratch.

Now, keep in mind there's one key difference between a question reset and a password reset. When a password is reset, it's a best practice for a system administrator or the help desk to issue a temporary password good only once and then only for a short period, say 24 hours. Once the user logs on with the temporary password, he or she is prompted for a new password, and the temporary password is invalidated. This way, the password is always kept secret and isn't accessible even to system administrators or the help desk.

This is because, unlike a password, security answers are almost always initially set up by the user, while initial passwords are usually set up by an administrator or other IT staff.

For more information:

  • Joel Dubin discusses if the password security policies used in knowledge-based authentication systems are doing more harm than good.
  • Learn if implementing two-factor authentication satisfies FFIEC requirements.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Authentication and Authorization
    Economic downturn raises risk of security breaches, insider fraud
    Brits accept biometrics to prevent rise in identity theft
    Setting up a remote access security policy
    Integrating biometric authentication with Active Directory
    Single sign-on implementation lets South Manchester doctors work more effectively
    Identity management still eludes most companies
    Smart card overcomes static PIN
    Understanding multifactor authentication features in IAM suites
    Bank security chief explains how to avoid internal threats
    Malware infections down 60% at UK firms

    Password Security
    Windows password security: System tools and policy
    Identity management still eludes most companies
    Understanding multifactor authentication features in IAM suites
    Worst practices: Exposing IAM blunders
    John Lewis dumps RSA tokens for phones
    EU crypto project Suphice mired in red tape
    How to prevent hackers from accessing your router security password
    IBM releases simplified Tivoli Identity Manager
    Top 10 access-related controls for PCI compliance
    What is the best way to securely change the local administrator password in a domain?

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    Chip and PIN  (SearchSecurityUK.com)
    UK Identity Cards Act  (SearchSecurityUK.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    SEARCH 
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts