Who the F*#K Thought Security Questions Were A Good Idea?
With the recent devaluation of Lifemiles, I decided it may be time to sign up for United's MileagePlus, just so I have an account for the next time a bonus comes around in the off chance I may want to take it up.
Anyways, back on to the actual topic of this post, during the registration, I was prompted with this screen.
WTF, I honestly believe this has gone too far. Not only do they want you to fill in 5 'Security' questions. They then randomly ask you them during the login process.
Now I fundamentally disagree with the whole premise of security questions, in almost all circumstances they actually have the inverse effect and reduce the account holders security. As a result, I generally just put bogus 18 characters randomly generated passwords in the answers and be done with it. But in the case of united, they now want to ask me the damn questions each time I log in.
Come on United, If you want to provide better security spring for the few cents required to send an SMS two-factor-auth token to the user during the login process like so many sites now do. You are just providing poor user experience under the false illusion of security.
The irony to this is, I bet some auditor is sitting in an office somewhere putting a tick against a todo list saying 'improve mileage plan security'!!.
I witness this same idiocracy every year when I have arguments auditors about password policies. People don't seem to understand that the more complex you make a password policy the more insecure it actually ends up being as you force users to start to do stupid things like form patterns, write passwords down, all use the same password. Trust me I have personally witnessed all of these things happening.
So why do security questions exist then?
Well, in general, they came about as a way to strengthen the forgot my password process and help validate the actual identity of the person rather than just rely on a simple email reset link.
My issue is that we have such better ways of doing this now! One time passwords are easy and cheap, by either sending the user an SMS or using an OTA app on their phone you can do a much better job at ensuring identify.
Not to mention that many 'Security' questions can easily be guessed with a small amount of social engineering.