Congress Wants to Ditch Security Questions

Citizens should get used to the fact that most of their personal information already is, or will be, public because of constant data breaches, a Congressional committee warned.

A recent large-scale intrusion into credit bureau Equifax is just one example. Another is a state-sponsored Chinese hack exposed 22 million peoples’ government background check information a few years ago.

Given that your personal information has likely been compromised at some point, it’s no longer safe to rely on security questions to access online accounts, representatives argued in a Thursday Energy and Commerce hearing. They pushed identity authentication experts on potential alternatives to “knowledge-based authentication,” but it’s still not clear what’s the most viable and secure method.

Retail companies and government services are finding that traditional verification methods aren’t as secure as they were in the past and “we need new strategies and new technologies to ensure that consumers are protected and that economic growth continues,” Rep. Morgan Griffith, R-Va., said during opening remarks.

Here are a few other takeaways from that hearing:

1. Turning to biometrics worries lawmakers and experts.

Though several lawmakers floated the idea of using biological information, such as fingerprints or iris scans to authenticate a user instead of relying on questions about a user’s mother’s maiden name or high school, experts raise concerns about entities collecting large amounts of biometric information on its users. “As we put our biometric information into databases, it becomes another commodity in the cloud,” Ed Mierzwinski, consumer program director at U.S. PIRG, an advocacy and research organization. Eventually, it becomes “another way that you can steal information about a consumer.”

2. A more viable solution might involve aspects of many different authentication models, but it’s not clear exactly what it looks like.

Rather than turning to biometrics or physical tokens as a solution, organizations need to accept one single knowledge-based authentication isn’t enough, said Troy Hunt, an information security author and instructor at Pluralsight, an IT and software development firm, testified Thursday. “We do have many other things available to us now, that we didn’t have two decades ago.”

3. Security features may need layering.

New authentication methods might work in conjunction with an ecosystem of “privacy-enhancing solutions,” Jeremy Grant, managing director for Technology Business Strategy at law firm Venable testified Thursday. That might involve websites that let you choose whether you log-in anonymously, or share your name, or share other information about yourself, he explained.

4. Smaller-scale hacking operations might try to commit financial fraud, but nation-states are likely after bigger rewards.  

Following the Office of Personnel Management hack in 2015, “I don’t think the government of China is looking to establish credit in my name,” Grant said. “They’re interested in looking through the 75-pages or so of my SF-86 [background check document] and figuring out of they can compromise me because I have a top secret clearance.”

As a result of that hack, he added, “all of my fingerprints are now sitting in another country somewhere. … I wouldn’t feel particularly comfortable using anything that’s doing remote match fingerprints to secure anything I care about.”