Ask HN: Using password with a random secret question user has stored?

4 points by happppy ↗ HN
Would it be secure enough if user has to answer a secret question after logging in and if he enter a correct answer, he is logged in application but if didn't answered it correctly first time, then user is locked and an sms with some numbers is sent to user mobile number to get unlocked and repeat this process for max like 3 times and will be blocked forever unless admin unblocks after verifying the user manually.

4 comments

[ 5.6 ms ] story [ 20.5 ms ] thread
Secret questions don’t help with security but tend to make it worse. Not only can they be phished conveniently along with the password, they also make for a poor UX. Also, SMS is no longer considered a secure channel. Use a more secure second factor instead, such as WebAuthn.

Blocking an account after a number of failed login attempts is an invitation for DoS. Use a system of temporary blocks instead; for example, 2^n seconds after the n-th attempt.

I was reading about WebAuthn. What if my security key gets stolen?
One common method is to secure the hardware key with a PIN. The key will only do its work (e. g. sign things) if the correct PIN is entered. It will also destroy the secrets it keeps (or even itself) after a given number of failed attempts.

If this is not feasible for some reason, you need to change or revoke your secrets as soon as you know the key is stolen.

My bank does this and it was really annoying to have to create a table of randomly generated values as answers to their questions. I refuse to give real answers to stuff like this; I'm pretty sure if you knew my real-world identity you could find my father's middle name without too much hassle for example.

I'd prefer it if they just used TOTP or FIDO as their second factor because it's actual real security. Even SMS would be better than nothing.