Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What type of protections should security question and answer authentication credentials have?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What type of protections should security question and answer authentication credentials have?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 09 October 2007
For a customer portal application, once a user has successfully logged in, should he/she be allowed to see his/her current security password-retrieval answer? Does it matter if the portal uses a single sign-on (SSO) system?

>
Security questions and answers are still authentication credentials, just like a user ID and password, or any other login credential, for that matter. As such, they should have the same protections as a user ID and password. Whether or not the portal uses SSO is irrelevant. A login is a login, no matter whether it comes through a single authentication system, or a complex one, like SSO.

You wouldn't expose a user's password on a desktop or online, right? Think of a security question and answer as an extension to a password.

Just as a reminder, here are some rules, or best practices, for safe handling of passwords that should be applied to security questions and answers, as well.

  • The answers to a question, once answered by the user, should never be displayed again. In future instances when it would be displayed, it should be blanked out, or covered with asterisks, just like a password.
  • If a user needs to reset the answer to a question, he or she should be redirected to that question and asked to answer it again.
  • If a user forgets the answer to a question, again, just like resetting a password, he or she should be redirected to the question to re-answer it, or be sent to a question-reset page.
  • If the user wants to add, delete or change a question, the same rule applies. He or she should be asked to start the question-and-answer process again from scratch.

Now, keep in mind there's one key difference between a question reset and a password reset. When a password is reset, it's a best practice for a system administrator or the help desk to issue a temporary password good only once and then only for a short period, say 24 hours. Once the user logs on with the temporary password, he or she is prompted for a new password, and the temporary password is invalidated. This way, the password is always kept secret and isn't accessible even to system administrators or the help desk.

This is because, unlike a password, security answers are almost always initially set up by the user, while initial passwords are usually set up by an administrator or other IT staff.

For more information:

  • Joel Dubin discusses if the password security policies used in knowledge-based authentication systems are doing more harm than good.
  • Learn if implementing two-factor authentication satisfies FFIEC requirements.


    • BROWSE BY TAG
    Identity Management and Access Control,   Enterprise Single Sign-On (SSO),   Enterprise Identity and Access Management,   User Authentication Services,   Password Management and Policy,   Identity Management Technology and Strategy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    Enterprise Single Sign-On (SSO)
    How to log in to multiple servers with federated single sign-on (SSO)
    Security on a budget: How to make the most of authentication tools
    Best Identity and Access Management Products
    Changing times for identity management
    Kerberos configuration as an authentication system for single sign-on
    How to use single sign-on for Web access control to prevent malware
    Learn about enterprise strategy for server virtualization single sign-on
    Enterprise single sign-on: Easing the authentication process
    Exploring authentication methods: How to develop secure systems
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Enterprise Single Sign-On (SSO) Research

    Password Management and Policy
    Two-factor authentication, vigilance foil password theft
    Group to shed light on secure identity management threats
    Brute force attacks target Yahoo email accounts
    Best Identity and Access Management Products
    Privileged account management critical to data security
    Making the case for enterprise IAM centralized access control
    How to prevent brute force webmail attacks
    Best practices for a privileged access policy to secure user accounts
    Mature SIMs do more than log aggregation and correlation
    PCI compliance requirement 2: Defaults

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    onboarding and offboarding  (SearchSecurity.com)
    single sign-on  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts