I couldn’t agree more with Rik Ferguson and Davey Winder – the password reset process is stupid. Worse than being stupid, it is often the loophole in good account security. We recently demoed how easy it is to guess or search for the answer to someone’s password reset question at RSA. Players were given a series of typical password reset questions and access to a standard social profile page. We didn’t even think to ask something as simple as birthday but I can tell you we should have brought more gift cards and prizes because just about everyone could guess or search the answers with about a 90% hit rate.
Many enterprises and online services providers have already added two-factor authentication to their login process and several of those providers have already replaced email and password reset questions with two-factor authentication as well. The process is pretty simple and offers a greater level of security. A user provides their phone numbers at account creation. When they forget their password, as many of us do, they receive a one-time authentication code via voice or SMS. Instead of waiting for an email and answering questions they wrote the answers to several weeks or months ago, the user just provide the code sent to their phone.
The other problem I have with password reset questions is that I can’t seem to remember what my favorite pet was the day I answered the question or which of the two elementary schools I used as my answer. The user experience is cumbersome and annoying.