Challenge Questions Must Die
There are better ways to manage two-factor authentication than this unusable scourge.
Those who’ve had the pleasure of working in close proximity to me have seen and heard it a thousand times: a deeply furrowed brow; a quick curse uttered not-so-quietly beneath my breath; a rhetorical question posed to the universe—my goto being “who the f*ck would do that???” All are hallmarks of the onset of a troubled software rant, for which I have become mildly famous in the halls of OX.
Today’s rant is about the use of challenge questions like those pictured below as a means of performing two-factor authentication (2FA), which is a fancy term for proving you are who you say you are when logging into a website or digital service.
What’s wrong with this picture?
Quite a lot. Let’s start with usability. First, the questions have to be relevant to the user. Take the very first option in the list above: “What sports team would I like to see lose?” If you’re like me and don’t watch many professional team sports, you’d be hard-pressed to name which team you’d like to see lose the most. Second, the answer to that question is likely to change between now and potentially three or four years from now when you’re asked to provide the correct answer to this question again. Third, there may be several correct answers to the question that could be returned as incorrect. For example, Chicago, Chicago Bears, Bears, and The Bears could all be incorrect correct answers.
Next, let’s look at these from a security perspective. While some challenge questions may be relatively benign and carry little personally identifiable information, others may be quite sensitive. Your mother’s maiden name, for example, is often one of the questions asked by financial institutions. If ever there was a security breach and the answer to that question wasn’t adequately encrypted, you will have just left a vital piece of personal information exposed to the dark web.
There is a better way
The good news is there are some really great 2FA alternatives out there. Among the most widely used is the SMS security code, now a virtually ubiquitous form of 2FA used in financial services. Sure, just because you have a person’s phone doesn’t necessarily mean you are that person. But the odds are pretty high. And the fact that you also have to make it past the phone’s lock code only increases those odds.
Even better are a host of third-party mobile 2FA apps rising up in the ranks. Authenticator for LastPass is one of my favorites, and seamlessly addresses many of the aforementioned issues.
Authenticator, and similar apps like it, works a lot like the old RSA Secure ID tokenized keychain fobs of yore that were common to high-security interfaces like banking.
Unlike the hardware-based approach taken by the likes of RSA many moons ago, today’s approach is entirely software-based. The Authenticator app generates a random code every 30 seconds for each account you set up. When prompted by the site you’re trying to log into, you enter the code that currently appears in the Authenticator app. A secure digital handshake between the two services confirms the validity of the code and there you have it—2FA achieved.
Even better, Authenticator can use FaceID and verify that the user trying to access the app is actually the right user, thereby upping the ante from 2FA to 3FA. That, in turn, accounts for the unlikely use case that an unauthorized user has gained access to your phone.
It’s early days for services like Authenticator and adoption is not yet nearly as wide as SMS.
But we’re confident they will take hold quickly, especially when they become more tightly bound with password management systems already in use. Yes, it’s a bit of a nuisance that you have to have your phone with you in order to complete a log-in to a site you use frequently, but aren’t we already strapped to them 24/7?
We get it. Time is often tight and resources scant. Something as seemingly minute as your approach to 2FA doesn’t always take center stage when there are so many other battles to fight.
Yet, design is a process of choices made—consciously or not. And customer experience, like a customer’s understanding of brand, is a stack effect; it adds up over time, often the result of a series of seemingly inconsequential moments exactly like this. A little extra attention paid to them can pay great dividends in the long run.