Should Answering Security Questions Really Be Considered Two-Factor Authentication?
In another airline-hedge fund technology parallel, United Airlines recently introduced a new two-factor authentication system for MileagePlus frequent flier program members. Great, right? Well, maybe. Maybe not. The system has recently drawn criticism from those who don’t consider United’s approach to be true two-factor authentication (2FA).
Here’s how it works.
When a member attempts to log into their account from a device the airline does not recognize, they are asked to answer two security questions. During account setup, the member’s answers must be chosen from a provided dropdown list, meaning the answers are predefined and, hence, not unique to each customer.
To dispel some of the concern, Ben Vaughn, United's director of IT security intelligence, has stated that the dropdown menu options prevent hackers from using keystroke logging and automated attacks to gain access to accounts.
Time will tell if United’s 2FA system is successful in preventing security breaches for airline customers, but in the meantime, let’s review the common types of two-factor authentication, since the kind United is using is actually the weakest:
Knowledge-based, which centers on something you know, such as a password or the answer to a security question. This is the most commonly used authentication factor and potentially the weakest if strong password and change requirements are not enforced. Firms should require passwords to be at least 12 characters in length, changed at least every 90 days, and not reused. Employees should also be trained on safe computing practices (i.e., don’t share your password or use the same one for everything).
Possession-based, which is linked to something you have such as a cryptocard, mobile device or ATM card. When using a mobile device, for example, a one-time password (OTP) can be generated to provide access for only one login session or transaction.
Inherence-based, which is tied to what you are, such as a fingerprint or eye scan. Apple notably introduced inherence factor authentication with its iPhone TouchID biometric fingerprint reader. This factor is also commonly used to control access to a data center – firms may want to use biometric screening as a second authenticator.