You wouldn't expose a user's password on a desktop or online, right? Think of a security question and answer as...
an extension to a password.
Just as a reminder, here are some rules, or best practices, for safe handling of passwords that should be applied to security questions and answers, as well.
- The answers to a question, once answered by the user, should never be displayed again. In future instances when it would be displayed, it should be blanked out, or covered with asterisks, just like a password.
- If a user needs to reset the answer to a question, he or she should be redirected to that question and asked to answer it again.
- If a user forgets the answer to a question, again, just like resetting a password, he or she should be redirected to the question to re-answer it, or be sent to a question-reset page.
- If the user wants to add, delete or change a question, the same rule applies. He or she should be asked to start the question-and-answer process again from scratch.
Now, keep in mind there's one key difference between a question reset and a password reset. When a password is reset, it's a best practice for a system administrator or the help desk to issue a temporary password good only once and then only for a short period, say 24 hours. Once the user logs on with the temporary password, he or she is prompted for a new password, and the temporary password is invalidated. This way, the password is always kept secret and isn't accessible even to system administrators or the help desk.
This is because, unlike a password, security answers are almost always initially set up by the user, while initial passwords are usually set up by an administrator or other IT staff.
For more information:
Dig Deeper on Single-sign on (SSO) and federated identity
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ... Continue Reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.