Sunday, October 14, 2007

An authentication scheme cooked up by a pointy-haired boss

There was this article in the Washington Post that reminded me of a conversation I had with a friend via his blog about authentication questions, the kind you have to answer in order to log in to online banking systems and such. In that post he pointed out that security questions based on users' wishes, preferences and hobbies were useless. (My, has it been almost a year? It feels like we had this conversation just yesterday.) Well, things have only gone downhill in the security world since then, if this article is any indication.

This Is Your Life... As Determined by Confounding Identity-Protection Safeguards

Old authentication systems, as imperfect as their questions were, at least allowed you to select a question and an answer that suited you best (or that was less useless to you than others). But how would you like an authentication system that does not even let you choose the questions? Instead, it asks you your biographical facts that you are "supposed" to know. For example, your great-grandmother's birthday. I wish it was a joke, but it isn't.

How does the authentication system know your great-grandmother's birthday in the first place? To quote the article, "unlike traditional shared knowledge authentications, in which the user picks the test and the answer and regurgitates it with each sign-on, Verid [the company that makes this uniquely egregious kind of authentication software -- E.] vacuums public records for factoids, then tosses them at the user at random."

The birthdays of long-gone relatives are not even the most obnoxious example of authentication questions. Others are, for example, "what was your high school mascot" or "the name of your homecoming queen". So what do you do if you come from a country like mine, where not only do high schools not have mascots or homecoming traditions, but the very concept of high school does not exist (all grades from first to twelfth are taught under the same roof; you don't have to change schools when you move from primary to secondary education)? Well, OK, a non-existent homecoming queen of a non-existent high school would not appear in public records, and would not serve as a basis for an authentication question. But if you dared to forget her majesty's name, you are screwed. :-)

The article does address the issue that some people's lives don't follow a typical middle-class American route, so some people don't have, or don't remember, the biographical facts that would enable them to answer security questions. What the article does not address is the invasion of privacy committed by a company that "vacuums up the public records" and collects all the knowledge about you, up to your great-grandparents' names and birthdays.

Only a pointy-haired boss could have come up with this kind of authentication scheme. I just hope that the company I work for -- which happens to write software for online banking -- never comes up with something like this.

The best quote from the article:

"Computers are like very dumb people, but they're very fast at being dumb," says Jason Hong, a professor at Carnegie Mellon's Human-Computer Interaction Institute (HCII).
