by sinaiman 5568 days ago
Are there any positives for security questions?? Well, I suppose secret questions are good for preventing brute force account recovery. You can't expect to beat security questions in a timely way with an automated attack. You would usually have to rely on manual search or social engineering, as pointed out by the article. But the real question is, why even allow account recovery via a publicly accessible web form in the first place?

So, I definitely agree with the article, there has to be a change. You sure can beat security questions (at least in their current state), but it's probably much harder to get around something like email or SMS verification.

Chase.com and cardmemberservices.com are good examples of SMS/email account verification done right, which I've used with great success, but both of these sites already had my personal phone number, so SMS verification just makes sense for them.

I suppose SMS verification is probably the closest thing we've got to real user verification at the moment, am I silly to consider this the ideal venue for account recovery?

The big issue, then, is it's definitely harder to get a user's phone number than to get their mother's maiden name, but skipping all that extra input and having a simple account recovery email should do the trick, shouldn't it? Most of the time you're already collecting user emails.

Well, the biggest issue with email is that an email account can also be compromised. Perhaps getting big email companies like Gmail to remove security questions from their apps in lieu of SMS verification is the next step, while everyone else just relies on email-based account recovery (unless SMS is an option). If email security was more rock-solid, then email verification is all we need, right?
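The email-based recovery the post leans toward only works if the thing in the email is unguessable, single-use and short-lived, unlike a security-question answer. The following is an added example (not code from the thread or any site it mentions) of how such a recovery token can be issued and redeemed; the 15-minute lifetime, the 32-byte token size and the `/recover?token=` URL layout are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy values for this example (not from the thread).
TOKEN_TTL_SECONDS = 15 * 60      # link is valid for 15 minutes
TOKEN_BYTES = 32                 # 256 random bits: no dictionary enumerates this


class RecoveryStore:
    """Pending email-recovery tokens, stored only as hashes.

    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        # sha256(token) -> (user_id, expires_at). Only the hash is kept, so a
        # leaked copy of this table cannot be replayed as a recovery link.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a fresh single-use token for user_id. The caller emails it
        (inside a URL) to the address already on file for that user."""
        # Issuing a new token invalidates any older one for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the user_id the token was issued for, or None if the token is
        unknown, already used, or expired. The token is consumed on first use
        whether or not it turns out to be valid."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def recovery_link(base_url, token):
    """Build the link that goes into the recovery email (hypothetical URL layout)."""
    return f"{base_url}/recover?token={token}"


if __name__ == "__main__":
    store = RecoveryStore()
    t = store.issue("alice@example.com")
    print("email this:", recovery_link("https://example.invalid", t))
    print("first redeem:", store.redeem(t))    # the account holder follows the link
    print("second redeem:", store.redeem(t))   # a replay of the same link fails
```

The point of contrast with a security question is that nothing in this flow is a fact an attacker could look up or guess: the only secret is random, it is delivered to a channel the site already trusts, and it stops working after one use or a few minutes.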

2 comments

Disagree - Security questions are much easier to brute force than passwords. Assuming that you can send an answer to the database quickly and automatically, and that you can select your dictionary based on the question, most of the questions are easy.

Names? http://www.census.gov/genealogy/names is a good database for the US; 1,711 names will get you the top 50% of last names for "Mother's maiden name" questions. 59 male names and 138 female names also represent 50% of the population (Yes, we're pretty unoriginal). There are <100,000 first and last names in total which cover 90% of the population. (not combinations)

Birthdates? There are 365 days in a year, so 36,500 numbers will cover this one.

Last N digits of your driver's license/social security number/credit card? There are 10^N such numbers. N is often 4, which is a measly 1,000 numbers.

Pretty measly stats.
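The comment above quantifies the candidate lists; what it leaves implicit is how much a per-account lockout policy changes the picture. The following is an added example (not from the thread) that takes the list sizes quoted there (1,711 surnames covering 50% of users, 36,500 birthdates over a 100-year window, 10^N digit strings) and compares the share of accounts recoverable within a day under an unthrottled form versus an assumed policy of 5 guesses per account per hour. The table of question spaces and both rate figures are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class QuestionSpace:
    name: str
    candidates: int   # size of the best-first candidate list for this question
    coverage: float   # fraction of users whose true answer lies in that list


# Figures as quoted in the comment above (constructed table, not census data).
QUESTION_SPACES = [
    QuestionSpace("mother's maiden name (top 50% of US surnames)", 1_711, 0.5),
    QuestionSpace("birthdate, any day in a 100-year window", 36_500, 1.0),
    QuestionSpace("last 4 digits of an ID number", 10 ** 4, 1.0),
]

# Assumed guess rates (not from the thread).
UNTHROTTLED_PER_HOUR = 10 * 3600   # 10 guesses/s against a form with no lockout
THROTTLED_PER_HOUR = 5             # lockout policy: 5 guesses per account per hour


def fraction_compromised(space, attempt_budget):
    """Share of accounts recovered when each account receives at most
    attempt_budget guesses, taken from the candidate list in best-first order."""
    return space.coverage * min(1.0, attempt_budget / space.candidates)


def hours_to_exhaust(space, attempts_per_hour):
    """Hours needed to try every entry in the candidate list for one account."""
    return space.candidates / attempts_per_hour


def compare_policies(space, hours=24):
    """Fraction of accounts at risk within `hours` under each guess rate."""
    return {
        "unthrottled": fraction_compromised(space, UNTHROTTLED_PER_HOUR * hours),
        "throttled": fraction_compromised(space, THROTTLED_PER_HOUR * hours),
    }


def guesses_for_coverage(space, target):
    """Smallest number of guesses per account that reaches `target` coverage,
    or None when the list cannot cover that many users at all."""
    if target > space.coverage:
        return None
    return math.ceil(target / space.coverage * space.candidates)


if __name__ == "__main__":
    for q in QUESTION_SPACES:
        r = compare_policies(q)
        print(f"{q.name}: 24h unthrottled {r['unthrottled']:.1%}, "
              f"24h throttled {r['throttled']:.2%}, "
              f"hours to exhaust under lockout {hours_to_exhaust(q, THROTTLED_PER_HOUR):,.0f}")
```

Throttling turns a list that an unthrottled form exhausts in minutes into months of guessing per account, which is why lockout and per-account rate limiting matter even for a recovery flow whose secret is weak; it does not fix the coverage problem (half of all surnames are still in a 1,711-entry list), so it is a mitigation, not a substitute for removing the questions.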

I see your point and suppose I stand corrected for the most common cases, so then I'm really wondering what the benefits of security questions are. They generally degrade the user experience and provide a publicly accessible avenue for compromising a user account.

SMS verification would be a lot more useful if cell companies didn't insist on charging over $1 million/GB for them (well, unless you sign up for their text messaging plan).

Thankfully, Chase does email as well.

(Verizon: 20¢ ea., so 1GB / ( 160 bytes/ea) * 20¢/ea = $1,342,177.28. Though you can get a plan for 250 for a mere $134,217.73/GB.)

I hope I did the math above wrong.