This is a misunderstanding. The CS agent has access to a plaintext (security question) password that can be used under special circumstances. It must be readable to function.
My solution to security/recovery questions is to generate or make up random answers, and store the question/answer pair in the notes field of the entry in my password manager.
This kills the “knowing things about you” vector of phishing and impersonation and makes it as secure as any unique and random password.
Or weirdly ethnocentric questions like “what’s your favorite food” with multiple choice answers like “spaghetti, pizza, hamburger”. Good thing everyone who recovers their password is American!
Or “what instrument do you play”, when multiple instruments I play are in the multiple choice list but only one can be correct. And what the fuck is the point of multiple choice security questions when anyone has a 1/10 chance of correctly guessing on any login attempt.
United Airlines is by far the worst major company I have ever seen in all of these and deserves to be shamed.
That assumes that there's no other way to get your password than by accessing the contents of your password manager. The service itself could have its passwords/hashes leaked, and people unfortunately do reuse passwords across services even with a password manager, so it's very plausible for someone to get your password but not the answers to your questions.
I didn't realize I would have to say the answers over the phone when choosing the answers (and thought it would only ever be me filling them in online)
The trick is to enjoy confusing humans and share the story of why when you get there. I went to the mall for the first time in a long time; every place wants to sign you up on the mailing list for a small discount. So they can email me at <Name of store>@mydomain. This way I unsubscribe, and if I see email coming to that address I know which store is the rat. They look confused and ask for 'a real address'. Well, that is a real address, I say, and here's why: ...
I don't see why the security question answer has to be stored in the clear. If you have to give it over the phone, the agent can type it into a form field that hashes it and compares, just like a password on the site.
Because security question answers have high variability for the average user. They're asked, say, what street they grew up on. Is it "S. Main St.", "South Main", "south main", "south main street", etc...
Security questions in general are terrible so don't take this as if it's in defense of them.
My favorite are the presumptive ones that assume something like "Where did you meet your spouse?"
Someone should just go over the top: "Who was the editor of your first successful novel?" "What investment did you make your first billion with?"
There are viral social media posts that do security answer farming with prompts like
"Your superhero name is the name of your pet + favorite teacher's name"
You'd click on the comments and there'd be tens of thousands of people volunteering answers. Some are part of the hustle to till the honeypot, but I'd see people I know comment on them with real information. It's wild.
For some of us, finding our mother's maiden name is as simple as looking at our name, either because it is a hyphenated name or because there was a time when the government refused to acknowledge the existence of the father in certain cases.
It is very hard to come up with universally good security questions.
You add let's say, up to 3 peoples names and mobile numbers for recovery and then they are contacted requesting to reach out to you to authenticate.
Something like
"You've been added to X's web of trust for account recovery at example.com. If X needs to recover their account, we may ask you to confirm with them that it's genuine."
Then something like
"X is trying to recover their account for example.com. Please contact them within the next Y days to confirm it's genuine and, if it is, respond with the 4 digit recovery code X gives you"
Then from X's side:
"Your web of trust has been contacted. Feel free to contact them now and give them the pin YYYY so they can confirm this is genuine"
This approach pretty elegantly addresses a number of security question limitations and existing 2FA infrastructures shouldn't be that hard to modify in order to implement it.
Probably my favorite feature of this approach is it requires the various security code social manipulation scams to be successful against 2 people instead of 1 which is rather statistically unfavorable for the scammer.
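A runnable sketch of the recovery flow described in the comment above, added here as an illustration and not written by the commenter. The trustee names, the 2-of-3 confirmation threshold, the per-trustee guess cap and the notice transport (messages appended to a list instead of being sent by SMS or email) are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3   # a 4-digit PIN gives a 1/10 000 chance per guess; cap guesses per trustee


@dataclass
class RecoveryRequest:
    user: str
    trustees: list            # the people the account holder nominated up front
    threshold: int            # confirmations required, e.g. 2 of 3 trustees
    started: float            # epoch seconds when recovery was requested
    window: float             # seconds the trustees have to respond (the "Y days")
    pin: str = field(default_factory=lambda: f"{secrets.randbelow(10_000):04d}")
    confirmed: set = field(default_factory=set)
    attempts: dict = field(default_factory=dict)
    notices: list = field(default_factory=list)   # (recipient, message) pairs, constructed stand-in for SMS/email


def start_recovery(user, trustees, threshold=2, days=3, now=None):
    """Notify the web of trust and hand the PIN only to the account holder."""
    now = time.time() if now is None else now
    req = RecoveryRequest(user, list(trustees), threshold, now, days * 86400)
    for t in req.trustees:
        req.notices.append((t, f"{user} is trying to recover their account. Contact them within "
                               f"{days} days and, if genuine, respond with the 4 digit code they give you."))
    # The PIN goes to the owner over a channel they already hold, never to the trustees directly.
    req.notices.append((user, f"Your web of trust has been contacted. Give them the pin {req.pin}."))
    return req


def trustee_confirms(req, trustee, pin, now=None) -> bool:
    """Called when a trustee responds with the code the account holder read to them."""
    now = time.time() if now is None else now
    if trustee not in req.trustees or now - req.started > req.window:
        return False                      # unknown trustee, or the recovery window has expired
    used = req.attempts.get(trustee, 0)
    if used >= MAX_ATTEMPTS:
        return False                      # this trustee is locked out after too many wrong codes
    req.attempts[trustee] = used + 1
    if hmac.compare_digest(pin, req.pin):
        req.confirmed.add(trustee)
        return True
    return False


def recovery_approved(req) -> bool:
    """Recovery succeeds only once enough distinct trustees have confirmed."""
    return len(req.confirmed) >= req.threshold
```

The scammer now has to talk both the account holder and a quorum of their trustees into acting within the window, which is the two-victim property the comment points out.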
A lot of people don’t want their trusted web to know what websites they are looking at? Think Grindr/other dating sites, financial/crypto, pornhub, certain message boards etc.
What city were you born in: “Millwaukee”. The agent would be able to tell it was Milwaukee, but if he or she typed “Milwaukee” it’d go “bzzzzt” just because the user typoed the input initially at set-up.
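As an added example (not from any commenter): the "type it into a form field that hashes it" idea, with a normalisation step that makes the street-name variants listed above collide before hashing. It still fails on the Millwaukee case, because the enrolment typo is what gets hashed. The abbreviation and suffix tables are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Constructed tables: expand compass abbreviations, drop street-type suffixes.
EXPAND = {"s": "south", "n": "north", "e": "east", "w": "west"}
DROP = {"st", "street", "ave", "avenue", "rd", "road", "dr", "drive"}


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so equivalent spellings produce one string."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.lower())      # strips punctuation and case
    return " ".join(EXPAND.get(t, t) for t in tokens if t not in DROP)


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Store the normalised answer the way a password is stored: salted, slow hash, no plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 200_000)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes) -> bool:
    """The agent types what the caller says; only the hash is compared, in constant time."""
    _, digest = hash_answer(candidate, salt)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    salt, stored = hash_answer("S. Main St.")
    for spoken in ("South Main", "south main", "south main street"):
        print(spoken, "->", verify_answer(spoken, salt, stored))
    # The typo captured at set-up is what was hashed, so the correct spelling is rejected.
    salt2, stored2 = hash_answer("Millwaukee")
    print("Milwaukee ->", verify_answer("Milwaukee", salt2, stored2))
```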
It's a security question to access information on the account over the phone. It's not used in the web based system, which is completely detached from the phone system.