Is a Security Question actually secure?
Security is a kind of myth, and when it comes to the human mindset it is the most vulnerable and most easily exploitable thing, whether or not we like to think of it that way.
In this blog, I would like to discuss the topic of security questions and their demerits. After reading it, if anyone has other thoughts, please share them too.
Security Question
A security question is a type of authentication step. In some cases it behaves like just another password, and most commonly it is used for password resets.
Consider a user who creates multiple random passwords for multiple accounts. He cannot remember all of them: for example, he creates a social media account and does not access it for a long time. Later he wants to get back into that account, but he has forgotten the password and needs to reset it. Many common platforms use security questions for this purpose and have a pre-built questionnaire for it. These questions are about his personal life, things that are supposed to be unforgettable or memorable for him, such as his vehicle number, pet name, brother's name, etc.
For ordinary people, where is the problem in this? They see nothing wrong and consider it a good feature that helps them recover their old account. But how does an attacker see it?
How a security question leads to an attack
For web-based attacks, we follow the OWASP Top 10 as the standard awareness document. In the OWASP Top 10 2017, the A2 category is called Broken Authentication.
Broken Authentication means that incorrectly implemented authentication and session management functions can be a huge security risk. If attackers notice these vulnerabilities, they may be able to easily assume legitimate users' identities.
This applies to security questions as well. As I already mentioned, a security question has to be something the user can remember, and so it is also something related to him.
An attacker with good social engineering skills may be able to find details about the victim, and that may lead to an attack. Even if the attacker has no direct interaction with that person, in this century it is not a problem to collect details about an ordinary person.
Some Mitigations for this scenario
I would also like to mention some mitigations.
- Biometric Authentication: biometric authentication is unique to a person and, to an extent, cannot be faked.
- Multi-Factor Authentication (MFA): multi-factor authentication gives multi-layer security; that means after the question step we would prefer a second factor (2FA) or another kind of additional control too.
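As an added illustration of the MFA mitigation (example code written for this post, not taken from any platform mentioned above), the following Python sketch shows a password-reset flow in which a correct security answer alone is never enough: the answer is stored like a password (salted, slow hash), guesses are limited, and a one-time code delivered out of band is still required. The class and function names and the attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

MAX_ANSWER_ATTEMPTS = 3  # assumed limit: lock the reset flow after this many wrong answers


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "Rex " and "rex" match; the answer stays a secret.
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Store the answer like a password: salted, slow hash, never plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 200_000)
    return salt, digest


class PasswordResetFlow:
    """Reset requires the security answer AND an out-of-band one-time code (the MFA step)."""

    def __init__(self, answer: str):
        self.salt, self.answer_hash = hash_answer(answer)
        self.failed_answers = 0
        self.pending_code = None  # one-time code that would be sent via email/SMS/app
        self.answer_verified = False

    def verify_answer(self, candidate: str) -> bool:
        if self.failed_answers >= MAX_ANSWER_ATTEMPTS:
            return False  # locked: guessing the pet's name no longer helps
        _, digest = hash_answer(candidate, self.salt)
        if hmac.compare_digest(digest, self.answer_hash):
            self.answer_verified = True
            self.pending_code = f"{secrets.randbelow(10**6):06d}"  # delivered out of band
            return True
        self.failed_answers += 1
        return False

    def verify_code(self, code: str) -> bool:
        """Second factor: accepted only after a correct answer, and single-use."""
        if not self.answer_verified or self.pending_code is None:
            return False
        ok = hmac.compare_digest(code, self.pending_code)
        self.pending_code = None  # burn the code whether or not it matched
        self.answer_verified = False
        return ok
```

Even an attacker who has learned the victim's pet name from social media is stopped at the second step, and repeated guessing of the answer itself is cut off by the attempt limit.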