views: 235

answers: 2

I'm working on a web application where (believe it or not) the users aren't required to provide their email address to sign up. These requirements cannot change. The users will log in to the system with an id and password just like on any standard web site. The problem I'm facing has to do with users who have forgotten their password. When they want to generate a new one, how do I verify their identity?

Initially, I was going to make the users choose a security question (from a list of 5) and provide an answer. If they ever entered the Forgot Password page, they would then have to enter their login id, as well as the answer to their security question. This seems slightly insecure, as the answer to these types of questions (mother's maiden name, birth town, etc.) are generally not that hard to acquire.

So here are some of my questions:

  • Are security questions the best approach to this problem?
  • If so, what are the best questions?
  • How many questions should a user be required to enter the answers for?
  • Is it necessary to put a CAPTCHA on the Forgot Password page?
  • Is it better for users to generate their own questions?

Any help/comments/literature on this matter would be greatly appreciated.

+1  A: 

Are security questions the best approach to this problem?

Since you cannot use any other means of authentication (such as email address, OpenID, etc.) this is the best you can do really. However, you could always add a "password hint" to the signup process.

  • If so, what are the best questions?
  • Is it better for users to generate their own questions?

It's much easier if you let the user write his/her own question as opposed to the stock "first car" or "first pet". This is a good failsafe as it (usually) provides a very difficult question/answer combo to randomly guess and is likely as secret as a password.

How many questions should a user be required to enter the answers for?

Allow for one question/answer combo.

Is it necessary to put a CAPTCHA on the Forgot Password page?

Well, there has to be some attempt to guard against brute-force attacks, especially from bots. I would use the same technology that SO uses: reCAPTCHA

John Rasch
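As an added example (not code from the thread or from either answerer), here is a Python sketch of the flow this answer describes: one user-written question, the answer stored as a salted slow hash rather than plaintext, a per-account failed-attempt counter with lockout as the server-side complement to a CAPTCHA on the Forgot Password page, and a short-lived, single-use reset token issued only after a correct answer. The in-memory store, the `ResetService` class, its method names, the injectable clock and the limit constants are all assumptions made for the example.

```python
import hashlib
import hmac
import math
import os
import secrets
import time
import unicodedata

ATTEMPT_LIMIT = 5            # failed answers before the account's reset path locks (assumed)
LOCKOUT_SECONDS = 15 * 60    # how long the reset path stays locked (assumed)
TOKEN_TTL_SECONDS = 10 * 60  # lifetime of a reset token once the answer is accepted (assumed)
PBKDF2_ROUNDS = 100_000      # work factor; tune to the server like a password hash


def normalize_answer(answer):
    """Case-fold and collapse whitespace so 'Maple  Drive ' and 'maple drive' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    """Salted, slow hash of the normalized answer; stored like a password, never in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


class ResetService:
    """Forgot-password flow backed by one user-written question (hypothetical in-memory store)."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so lockout/expiry can be tested
        self.users = {}                   # login_id -> {"question", "salt", "digest"}
        self.attempts = {}                # login_id -> {"count", "locked_until"}
        self.tokens = {}                  # token -> {"login_id", "expires", "used"}
        self._dummy_salt = os.urandom(16)  # used for unknown ids so hashing cost is uniform

    def register(self, login_id, question, answer):
        salt = os.urandom(16)
        self.users[login_id] = {"question": question, "salt": salt, "digest": hash_answer(answer, salt)}

    def question_for(self, login_id):
        """The user-written question to show once the login id has been entered."""
        user = self.users.get(login_id)
        return user["question"] if user else None

    def _locked(self, login_id):
        state = self.attempts.get(login_id)
        return state is not None and self.now() < state["locked_until"]

    def _record_failure(self, login_id):
        state = self.attempts.setdefault(login_id, {"count": 0, "locked_until": 0.0})
        state["count"] += 1
        if state["count"] >= ATTEMPT_LIMIT:
            state["locked_until"] = self.now() + LOCKOUT_SECONDS
            state["count"] = 0

    def verify_answer(self, login_id, answer):
        """Return a single-use reset token on a correct answer, otherwise None."""
        if self._locked(login_id):
            return None  # locked accounts get no verdict at all, correct answer or not
        user = self.users.get(login_id)
        # Always pay the hashing cost so response time does not reveal whether the id exists.
        salt = user["salt"] if user else self._dummy_salt
        candidate = hash_answer(answer, salt)
        if user is None or not hmac.compare_digest(candidate, user["digest"]):
            self._record_failure(login_id)
            return None
        self.attempts.pop(login_id, None)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"login_id": login_id, "expires": self.now() + TOKEN_TTL_SECONDS, "used": False}
        return token

    def consume_token(self, token):
        """Accept the token once, within its lifetime; return the login id it belongs to, else None."""
        entry = self.tokens.get(token)
        if entry is None or entry["used"] or self.now() > entry["expires"]:
            return None
        entry["used"] = True  # the new password would be stored for entry["login_id"] here
        return entry["login_id"]


if __name__ == "__main__":
    svc = ResetService()
    svc.register("alice", "Street where I first lived?", "Maple Drive")
    print(svc.question_for("alice"))
    print(svc.verify_answer("alice", "Oak Street"))       # None
    print(svc.verify_answer("alice", "maple drive") is not None)  # True
```

The CAPTCHA the answer recommends belongs in front of `verify_answer` at the HTTP layer; the attempt counter is there because a CAPTCHA alone does not stop a patient human from trying the handful of likely answers, and the constant-cost hashing keeps the page from confirming which login ids exist.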
A: 

I can't recall the location, but if you do a Google search on knowledge based authentication, you'll find that Q&A authentication is very weak. One significant problem is entropy (possible randomness) of potential answers and of actual answers. If you ask for a favorite color, there's really only a very small list of colors that most users will select. This might be worth 1 bit of entropy. Then, if you asked a second question, such as the city where you grew up, this might get you another bit or two of entropy (in Mexico, there's something like a 30% chance for each of 3 cities for this answer).

One estimate that I saw was that, to get equal strength to an 8 character password, you'd need about 26 questions.

That said, you might be able to do other things to contact the user. You could try sending a text message to the user, instead of an email - does the user register a phone number? You might have the user store a certificate on their computer, which they can upload along with the password reset request (you'd have to make effort to ensure this cert was tied to the computer). You might do a post-signup thing, where the user could submit an email address.

Good luck!
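As an added example (not from the thread or the answerer), the entropy argument above can be carried through numerically. The two answer distributions are constructed for illustration: a skewed favourite-colour list and a city question modelled on the "30% chance for each of 3 cities" remark. Both Shannon entropy (average information per answer) and min-entropy (what the single most likely answer is worth, which is the figure that matters against guessing) are computed, and the result is compared with an 8-character alphanumeric password; the answer's "about 26 questions" is a quoted estimate, and the example shows how such a figure falls out of the arithmetic rather than reproducing its source.

```python
import math


def shannon_entropy_bits(probabilities):
    """Average information in one answer drawn from this distribution, in bits."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def min_entropy_bits(probabilities):
    """Worst case for the defender: bits of work to land on the single most likely answer."""
    return -math.log2(max(probabilities))


def password_bits(alphabet_size, length):
    """Entropy of a uniformly random password of the given length over the given alphabet."""
    return length * math.log2(alphabet_size)


def questions_needed(bits_per_question, target_bits):
    """How many independent questions of this strength it takes to reach the target."""
    return math.ceil(target_bits / bits_per_question)


# Constructed distributions; real survey data would replace these.
FAVORITE_COLOR = {"blue": 0.5, "green": 0.15, "red": 0.15, "black": 0.1, "other": 0.1}
HOME_CITY = {"city A": 0.3, "city B": 0.3, "city C": 0.3, "elsewhere": 0.1}


def compare_to_password(alphabet_size=62, length=8):
    """Return a summary dict so the numbers can be checked, not just printed."""
    target = password_bits(alphabet_size, length)
    city_shannon = shannon_entropy_bits(HOME_CITY.values())
    return {
        "password_bits": target,
        "color_min_entropy": min_entropy_bits(FAVORITE_COLOR.values()),
        "color_shannon": shannon_entropy_bits(FAVORITE_COLOR.values()),
        "city_min_entropy": min_entropy_bits(HOME_CITY.values()),
        "city_shannon": city_shannon,
        "city_questions_for_parity": questions_needed(city_shannon, target),
    }


if __name__ == "__main__":
    for name, value in compare_to_password().items():
        print(f"{name:28s} {value:6.2f}" if isinstance(value, float) else f"{name:28s} {value}")
```

The point the calculation makes concrete: even the Shannon figure for the city question is under 2 bits, the min-entropy is lower still, and a single 8-character password outweighs a couple of dozen such questions, which is why the answer treats Q&A as weak authentication and looks for an out-of-band channel instead.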