The Field Report with Tom Field

Too-Easy Authentication?

Too-Easy Authentication?

About a year ago, when I logged in to do some routine internet banking - check balances, transfer some funds - I was met by a new security page that wanted to better protect my assets.

No longer could I simply enter a user name and password, then be given the keys to my financial kingdom (or campsite, as the case may be).

How secure is my kingdom if the kindergartener knows how to lower the drawbridge? 

Now I would have to answer three key questions - the answers to which only I would know - and only then, after verifying my identity, would I be given access to my accounts.

Made sense. Sounded great, actually. Here was my proactive bank reaching out to shield me from the ravages of identity theft. How ... cool. I should buy more bonds.

But then I mentioned this to a security-savvy friend, who shook his head and asked me "What are the questions?"

Proudly, I rattled them off:

What's your favorite color?
What's your favorite sports team?
What sports team do you most like to root against?

Immediately, my friend tore into my bank's questions, declaring them useless.

"How hard is it to guess someone's favorite color?" he said. "Chances are, most people pick red, blue or green."

Well ... got me there.

"And you live in New England, right? And the Red Sox and Patriots both are winning?"

True ...

"And what's that anti-Yankees chant that always breaks out at almost any New England function? Pretty easy to pick out the team you root against."

Suddenly I didn't feel so secure.

He was absolutely right. By abandoning some of the standard security questions that really do help distinguish us - city of birth, mother's maiden name, first pet's name, etc. - my bank had settled upon a set of security questions that, frankly, my kindergartener could answer.

How secure is my kingdom if the kindergartener knows how to lower the drawbridge?

Which makes me wonder: In this era of multi-factor authentication, what security questions are your institution placing in front of your customers? Are you asking smart questions that only the account holder could answer? Or are you throwing out softballs that a five-year-old could hit over the fence?

Fraudsters don't need much. Let them get a toe in the door, and they'll bleed an account dry.

So, what is it for you? Two- or three-factor authentication? Or too-easy authentication?

Share your thoughts with me; I'll publish the best of them here.

About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.