by m0rganic 2990 days ago
The purpose of the “security question” is simple. If a user needs to recover their password, then the next best way to verify the authenticity of the password reset request is to verify they know the answers to a few pieces of information they have previously shared with the service. In the age of mobile devices and 2FA, this becomes a lot less relevant but is still a very viable alternative because it’s accessible and difficult to crack if done right.

Also, if answers to those questions alone have given you access to your account, it is most certainly implemented poorly.

Typically, access to the account would come in a 2nd-factor form, like clicking on a reset password link from an email account that is yours and was previously configured for such a service. Only then would you be allowed to provide a new password to recover the account. Brute force protections, like ensuring only a finite number of failed attempts, are necessary.