8.5. Some Examples of Current Practice

Challenge questions are used at a variety of web sites, often in combination with additional protections such as mailing to an address of record (typically an email address). For example, web email sites such as Yahoo! and Hotmail, and e-commerce sites such as Amazon, eBay, Chapters, and FutureShop, each use challenge questions in support of account recovery. Online banking services support challenge questions as well.

From a privacy point of view, some of these systems use personal information as part of identifying the user during recovery. Several banking sites use personal information (as shared secrets) in account recovery. This is not too surprising, since the information requested relates directly to information the banks already hold about the customer. Some of the web email sites, however, collect additional personal information (such as a date of birth) apparently for the sole purpose of recovery, so the site ends up holding, and having to protect, data it would not otherwise need.

From a security point of view, where a user registers a recovery question at all, only one question is registered. In most cases, personal information or mailing to an address of record provides additional security beyond that single question. Where recovery questions are used, users choose from a list of questions (the option described earlier as a "fixed question") rather than composing their own.
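To make the combined scheme concrete, here is an added illustration (not code from the chapter or from any of the sites it surveys) of an account-recovery service that registers exactly one fixed question and then requires both the answer to that question and a one-time token mailed to the address of record. The list of fixed questions, the answer normalisation, the salted PBKDF2 storage of the answer, the token lifetime and the lockout threshold are all assumptions made for this example; the chapter reports only that sites register a single fixed question and that mailing to an address of record adds security.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed list of "fixed questions" the user picks from at registration.
FIXED_QUESTIONS = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What is your mother's maiden name?",
]

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the emailed token
MAX_ATTEMPTS = 3              # assumed lockout threshold for wrong answers


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Rex ' and 'rex' compare equal.
    Assumed policy; the chapter does not say how sites compare answers."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked database does not expose answers directly."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


@dataclass
class Account:
    email: str                     # address of record
    question_index: int            # exactly one fixed question is registered
    salt: bytes
    answer_hash: bytes
    pending_token: Optional[str] = None
    token_expiry: float = 0.0
    failed_attempts: int = 0


class RecoveryService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for the mail system

    def register(self, username: str, email: str, question_index: int, answer: str) -> None:
        if not 0 <= question_index < len(FIXED_QUESTIONS):
            raise ValueError("question must be chosen from the fixed list")
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(email, question_index, salt, hash_answer(answer, salt))

    def begin_recovery(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: mail a one-time token to the address of record and return the question.
        Returns None for unknown users; the caller should show the same generic message
        either way so the endpoint does not confirm which usernames exist."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return None
        token = secrets.token_urlsafe(16)
        acct.pending_token = token
        acct.token_expiry = now + TOKEN_TTL_SECONDS
        acct.failed_attempts = 0
        self.outbox.append((acct.email, token))
        return FIXED_QUESTIONS[acct.question_index]

    def complete_recovery(self, username: str, answer: str, token: str,
                          now: Optional[float] = None) -> bool:
        """Step 2: both factors must be right: the emailed token AND the answer."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None or acct.pending_token is None:
            return False
        if now > acct.token_expiry or acct.failed_attempts >= MAX_ATTEMPTS:
            acct.pending_token = None          # expired or locked out: start over
            return False
        token_ok = hmac.compare_digest(token, acct.pending_token)
        answer_ok = hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash)
        if token_ok and answer_ok:
            acct.pending_token = None          # single use
            return True
        acct.failed_attempts += 1
        return False
```

Both checks are evaluated before any decision is taken, and the result is a single boolean, so a caller cannot tell from the response which of the two factors failed; the failed-attempt counter and token expiry bound how many guesses at the single question an attacker who has not compromised the mailbox can make.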

8.5.1. About the Author

Mike Just is a policy and business strategist with the Canadian Federal Government. He is also an adjunct professor at Carleton University. His interest is in ensuring the delivery of secure yet usable online solutions for government. Prior work includes federal government IT security policy development, and work as an information security specialist at Entrust. He holds a Ph.D. in computer science from Carleton University and is active in the computer-security community.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
