Many companies are starting to realize that password reset questions are a gaping hole in their security strategy. Questions like “What is your mother’s maiden name?” are continually abused by hackers as an easy entry point into an online account.
The problem with password reset questions is that an effective question requires two different things:
Memorability- The user needs to remember the answer
Security- The question cannot be guessed or easily discoverable
While this seems somewhat obvious, creating a question that effectively meets both of these criteria is almost impossible with today’s landscape. Hacking skills are no longer required to easily discover personal information online.
Common password reset questions tend to fall in two buckets:
Memorability (High), Security (Low) i.e. What is your favorite pet’s name?
Memorability (Low), Security (High) i.e. What is the license plate of your first car?
In fact, it is almost impossible to develop a question that has high memorability and high security. This challenge to create the “perfect” password reset question can be solved by introducing phone verification as the password reset mechanism. When a user forgets a password, they are sent a one-time code via voice or SMS to their pre-registered phone. Once the code is entered correctly online, they can create a new password.
Phone verification presents the perfect balance between memorability and security:
Memorability (High)- User does not need to remember anything since the phone number is pre-registered
Security (High)- A hacker would need the user’s phone to gain access to their account
As more companies adopt TeleSign for password resets, hackers will no longer be able to abuse the gaping security hole of password reset questions. Adapting this technology will not only make accounts more secure, but also take away the hassle of always trying to remember the answer to an unnecessary question.
Want to give it a try on your web or mobile app? Sign up for a free trial of our APIs!