Security questions for online authentication – lying is the best policy!

When you sign up for practically anything online these days that has a password, you’ll be asked to provide answers to a set of security questions, whether as an additional level of authentication (for online banking) or simply as a way of proving who you are when you need to reset a password you’ve forgotten.

The trouble with these is that it’s relatively easy these days to find the answers to the most common security questions for another individual. In a world of social networks and Google, you can probably find out someone’s mother’s maiden name, where they were born and what their first school was fairly easily; perhaps they have a blog where you can find out the name of their pets, or other information that’s sometimes used.

The news that someone had gained access to Sarah Palin’s Yahoo account last month reminded me of this earlier post by Microsoft UK’s Steve Lamb, who tried to change his mother’s maiden name with his bank to avoid this very issue.

For a while now I’ve been using a legend: a fake mother’s maiden name, first school, pets and so on, which only I know. It is, of course, one more thing to remember, but if you’re going to take security seriously you have to make a bit of an effort. If you wanted to get really serious about it, you’d use a different legend for each authentication system; how far you go is up to you, but I’d definitely recommend a few little white lies to keep your online accounts safe.
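The per-system legend suggested above, as an added example that is not from the original post: rather than memorising a separate fake biography for every site, derive each answer from one master secret with HMAC-SHA256, so only that secret needs keeping. The consonant/vowel output pattern and the service/question labels are my own assumptions, not anything the post describes.

```python
"""Derive per-service fabricated security-question answers from one master secret."""
import hashlib
import hmac
import secrets
import unicodedata

# Alternating consonant/vowel pairs give answers you can read out over the phone.
# log2(17 * 5) ~= 6.4 bits per pair, so the default six pairs is ~38 bits: far
# beyond anything a genealogy site or blog would give an attacker.
CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"

def normalise(text: str) -> str:
    """Fold a label so "Mother's Maiden Name?" and "mothers maiden name" match."""
    folded = unicodedata.normalize("NFKD", text).lower()
    return "".join(ch for ch in folded if ch.isalnum())

def derive_answer(master: bytes, service: str, question: str, pairs: int = 6) -> str:
    """Pronounceable fake answer bound to (service, question) via HMAC-SHA256.
    No answer reveals the master secret or any other answer; the NUL separator
    keeps ("ab", "c") distinct from ("a", "bc")."""
    if not 1 <= pairs <= 16:  # 32 digest bytes, two per pair
        raise ValueError("pairs must be between 1 and 16")
    label = normalise(service).encode() + b"\x00" + normalise(question).encode()
    digest = hmac.new(master, label, hashlib.sha256).digest()
    # Modulo bias is at most 1/256 per letter; use rejection sampling if that matters.
    letters = [CONSONANTS[digest[2 * i] % len(CONSONANTS)]
               + VOWELS[digest[2 * i + 1] % len(VOWELS)] for i in range(pairs)]
    return "".join(letters).capitalize()

def build_legend(master: bytes, service: str, questions: list[str]) -> dict[str, str]:
    """The whole fake biography for one service: question -> answer."""
    return {q: derive_answer(master, service, q) for q in questions}

def new_master_secret() -> bytes:
    """The one secret you still have to keep (in a password manager, not here)."""
    return secrets.token_bytes(32)

if __name__ == "__main__":
    demo_master = b"constructed-demo-secret-do-not-reuse"  # constructed; use new_master_secret()
    questions = ["Mother's maiden name?", "First school?", "Name of first pet?"]
    for service in ("bank", "webmail"):
        print(service, build_legend(demo_master, service, questions))
```

Losing the master secret loses every legend, so store it with the same care as the password-manager master password.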