June 8th, 2009

Security Questions now Required for Administrators

LuxSci has long supported and recommended the use of security questions for users.  When a user has a security question and answer, LuxSci support can use this as an alternate method of verifying the user’s identity.  This is important when the user has forgotten his/her password or certain types of requests need to be verified.

While we have allowed users to provide a security question for many years, and have asked new account administrators to provide one at sign up for about the last year, use of a security question has never been mandatory.  Starting today, all account and domain administrators are required to have a security question.  Those who do not will be automatically prompted to choose one the next time that they login to the LuxSci WebMail user interface.

Users can choose a pre-defined question, or enter a question of their own.

We hope that this change improves the security of accounts and assists account administrators in recovering access quickly in cases where passwords are lost or where there is a dispute about account ownership.

If this change goes well, we will extend the security question requirement to all users.

2 Responses to “Security Questions now Required for Administrators”

  1. Jeff Tyrrill Says:

    I’ve never been quite comfortable with how to fill out “secret questions and answers” for services, but I usually feel I have no choice except to create basically another “password” (randomly generated characters), and store it using the same due caution and care I store all my passwords with. Depending on what service it is, that includes storing it in my smartphone’s electronic wallet (which is encrypted with a password I memorize or store only in a much more highly secure location), in case I might be required to provide it when not at home.

    The reason? Simple. Many services will provide full account access without a password with ONLY the secret question/answer provided, such as Yahoo. These services typically provide no warning to the user how they will implement account recovery, or that the name of their first pet, or their birthday, which are not secure information (and most critically, cannot be “changed” if compromised) are the weakest link in providing access to their account. Furthermore, I can’t research every service to see what their policies are, or stay on top of services in case a future regime changes the policies.

    Most suggested “questions” that services have me provide are, if not matters of public record about me, definitely not secret. I would never want to have to mentally keep track of what facts about my personal life I can’t, say, reveal on a blog years later because oops, it’s protecting the security of some service I use.

  2. Erik Kangas Says:

    We completely agree that security questions are generally just alternate passwords — as that is the general intent. When providing a secret question and answer anywhere, one should assume that that information can be used to provide access to the account in the absence of the usual password — even if that is not explicitly stated. One should choose a good question and answer.

    LuxSci explicitly states, everywhere that it asks users to provide a security question, that “If you ever forget your password, we will ask you a secret question that you supply to us. If you answer the question correctly, we will be able to help you regain access to your account. This security measure helps to prevent unauthorized people from accessing your account.”

    There are certainly pros and cons here:

    * Having a security question is better than just having an alternate email address to which a password can be sent.
    * Having a good security question makes it more difficult for people to try to access your account by pretending that they are you and that they just forgot your password.
    * If you make an unintelligent choice of security question, then it may make it easier for people to get at your password.

    LuxSci believes that the pros outweigh the cons because:

    * The people who pick very poor security questions are generally the same folks who choose very poor passwords to begin with — so the poor security question may not really be decreasing their security much.

    * Unlike many web sites, LuxSci does not allow users to retrieve or reset their passwords in an automated fashion by just answering their security questions online. We believe this is too insecure. Instead, a lost password request sends a notice to LuxSci support and does not reveal the secret question to the requester at all. LuxSci support then manually reviews the request and its context and determines the best way to proceed. Is it fraudulent? Are there special notes? Is the security question stupid and should not be used? Do we know the user and the context? Etc. We may, for example, send the security question to the user’s pre-configured alternate email address for answering instead of to the address requested. It all depends on the information at hand. We believe that in this context, the extra information provided by the security question helps tremendously.

    * We see many, many legitimate cases of lost passwords where there is little or no information that is available to verify the users’ identity. In such cases, we have to spend a lot of extra work tracking down such information or people who can verify the user. With the security question (and other information in a user’s profile filled in) we can proceed to quickly restore access to such people.

    For anyone who is still not comfortable with providing a security question, we recommend using our option of “providing your own question”. You can either:
    * Enter random strings in the question and answer — thus essentially making it not usable, or
    * Use it as a place to put a secondary password that you save, or
    * Pick a really good and personal question.
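
Both comments above land on the same conclusion: a security answer is a second password and should be generated, stored and checked like one. The following is an added example, not LuxSci code and not a description of how LuxSci’s systems work. It shows the user-side step Jeff describes (a random, high-entropy answer) next to the server-side handling that conclusion implies: the answer is normalised, salted and stretched with PBKDF2 so that neither support staff nor a database dump sees the plaintext, compared in constant time, and the recovery path locks after repeated misses. The iteration count, lockout threshold, minimum length and the small list of common answers are illustrative assumptions.

```python
"""Added example: treating a security-question answer as a second password.

Not LuxSci code. PBKDF2_ITERATIONS, MAX_FAILED_ATTEMPTS, MIN_ANSWER_LENGTH and
COMMON_ANSWERS are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your own hardware
MAX_FAILED_ATTEMPTS = 5       # assumption: lock the recovery path after this many misses
MIN_ANSWER_LENGTH = 8         # assumption: "Rover" and "1978" are too short to be secrets

# Constructed list of answers that are effectively public. A real deployment
# would use a larger dictionary and also reject dates and bare first names.
COMMON_ANSWERS = {"password", "123456", "fluffy", "rover", "smith", "none", "n/a"}

_RANDOM_ALPHABET = string.ascii_lowercase + string.digits


def normalize_answer(answer: str) -> str:
    """Canonicalise a typed answer so 'Fluffy ' and 'fluffy' compare equal.
    Applied identically at enrolment and at verification."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def generate_random_answer(length: int = 24) -> str:
    """Random answer for users who use the question as a second password.
    The alphabet is lowercase letters plus digits so normalize_answer() is a
    no-op on it; 24 symbols drawn from 36 give about 124 bits of entropy."""
    return "".join(secrets.choice(_RANDOM_ALPHABET) for _ in range(length))


def is_weak_answer(answer: str) -> bool:
    """True for answers that are too short or in the common-answer list."""
    norm = normalize_answer(answer)
    return len(norm) < MIN_ANSWER_LENGTH or norm in COMMON_ANSWERS


@dataclass
class AnswerRecord:
    """What the server stores: the question, a salt, the stretched hash, and
    a failure counter. The plaintext answer is never kept."""
    question: str
    salt: bytes
    digest: bytes
    iterations: int = PBKDF2_ITERATIONS
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS


def _derive(answer: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )


def enroll(question: str, answer: str) -> AnswerRecord:
    """Reject weak answers, then store only a salted, stretched hash."""
    if is_weak_answer(answer):
        raise ValueError("answer is too short or too common")
    salt = os.urandom(16)
    return AnswerRecord(question=question, salt=salt,
                        digest=_derive(answer, salt, PBKDF2_ITERATIONS))


def verify(record: AnswerRecord, candidate: str) -> bool:
    """Constant-time check that also counts failures, so the recovery path
    cannot be brute-forced once the question is known."""
    if record.locked:
        return False
    if hmac.compare_digest(_derive(candidate, record.salt, record.iterations),
                           record.digest):
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    return False


if __name__ == "__main__":
    rec = enroll("What is the name of your first pet?", "Sir Reginald Fluffington")
    print("typed with odd spacing:", verify(rec, "  sir reginald   fluffington "))
    print("random answer to keep in a password manager:", generate_random_answer())
```

Normalisation is deliberately limited to case, whitespace and Unicode form: anything more aggressive silently shrinks the answer space. The lockout counter matters more here than for an ordinary login, because a recovery question is typically the only check standing between an attacker and a password reset.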
