Security Questions Considered Harmful

Presented at BSidesLV 2015, Aug. 5, 2015, 10 a.m. (25 minutes)

Many sites require users to provide answers to "security questions," which are typically used as part of the account recovery process. This talk will explore the nature of these questions and answers, and present problems associated with this practice.


Presenters:

  • Jim Fenton (Altmode Networks) - Internet Technologist - Altmode Networks
    Jim Fenton is a consultant and researcher with a focus on user-centric identity, messaging, and Internet privacy and security issues. His primary consulting focus is currently user authentication standards, in support of the National Institute of Standards and Technology (NIST). He is an active participant in the Identity Ecosystem Steering Group and is an advisor to Disconnect, a maker of Internet privacy tools. Previously, Jim was Chief Security Officer at OneID and a Distinguished Engineer at Cisco, where he focused on issues affecting trust in the Internet. He is an author of RFC 4871 (DomainKeys Identified Mail, DKIM), RFC 4686 (DKIM threat analysis), and RFC 5617 (DKIM Author Domain Signing Practices).
