Alternatives to password-reset questions tackle social networking cons
Randall Gamby, Contributor, SearchSecurity.com
Social networks are rife with exactly the sort of personal information that many people choose as answers to the questions used to reset a lost or forgotten password. These knowledge-based authentication (KBA) questions are far less secure today than they once were, because of the open nature of social networking sites and the public's poor understanding of which personal details are sensitive. Whether a person's full resume is posted on LinkedIn or friends on Facebook are constantly reminiscing about high school antics, personal information is steadily leaking onto the public Internet, and that leakage is what makes social-engineering attacks against password-reset questions work.
How can an identity management professional re-establish a strong binding between a user and his or her account, so that authentication credentials can be restored, while minimizing the risk that an attacker uses publicly available information to reset a user's password and gain access to corporate systems and data? Answering this question requires rethinking which technologies you use to validate an Internet-based end user.