James Ward points out that his MasterCard site is using a nifty system of selecting an image as a sort of shared token between him and MasterCard. If he doesn’t see the image he selected, he should immediately be suspicious that someone has hijacked his login and is doing a man-in-the-middle attack to capture his username and password. To his core point, technologically, it’s nifty and fun.
Also, as you can see in the screenshots, he has to answer at least 5 “security questions.” I haven’t had the pleasure of having to pick a shared token image, but, of late, I’ve had to set up a raft of security questions.
It’s driving me crazy.
Call me crotchety and naive when it comes to online security, but all I want is a username and password. Anything more than that and I start getting the pitchforks and village people. I really, really despise the canned list of “security questions” where you have to select 2-10 of them for your question/response. Writing your own is even worse.
Not only do I hate the extra time of entering and remembering this stuff, but it makes it difficult for my wife, Kim, to log in to our online banking account to pay bills, our phone account to check on services, or anything else. How’s she going to know the first name of my (non-existent) college roommate or the street number of the 5 different houses I “grew up in”? Now, ideally, the providers would provide multiple accounts…but, right, ho-ho, good one, tip your waiters and try the chicken…that’s going to happen for every single service out there.
The point is: most consumer applications out there are so sloppy that cleaning up one aspect of it (authentication) will break the sloppy-but-works workflow in the others. That’s the case with most technology, but it hits home in this case when Kim needs to pay that bill tonight and me with my extensive knowledge of my first pet, my favorite movie, and the first name of my closest childhood friend (I don’t even remember that!) is nowhere to be found. How we gonna pay that bill?
As I recall, there’s actually a law or regulation mandating using more than username and password to authenticate a user in the US. Maybe that’s folklore or a bad memory. Either way, I’m already dreaming of the days when all I needed was a username and password. Good times…