Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that United Airlines Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select one of a menu of answers.
United wants the answers to five questions, chosen from a list:
These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.
What really stands out about United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match. For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.
But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:
- Favorite vacation type: 17
- Best friend’s birthday month: 12
- Favorite sport: 54
- Favorite ice cream flavor: 44
- Month met spouse/SO: 12
- What you wanted to be: 91
- First car: 116
- Favorite sea creature: 38
and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.
Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.
The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.
In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.
Insecurity Questions 
And of course it’s entirely possible that many people who don’t have a favorite pizza topping, favorite type of reading, favorite fruit or vegetable, etc., will simply give up and pick the first answer in each drop-down list (which BTW are all in alphabetical order), because that’s the only way they can hope to remember their responses to these inane questions.
LikeLike
The situation with United Airlines new “insecurity” questions is even worse than it appears on the surface. Even though United asks you to provide answers to 5 security questions, each with 12-116 possible answers depending on the questions you select, someone attempting to hack your account does not need answers to all 5 questions. The forgot password option only requires someone to know your MileagePlus number, first name and last name (many people display that info on their MileagePlus luggage tags that they attach to their checked and/or carry-on bags). Then the user is presented with 2 security questions. United presents a drop down list of possible answers to each question, with only 10 answers to choose from in each list. So even if you selected the security questions with higher numbers of answers, United will narrow them down to 10 choices anyway. Bottom line, if someone knows your MileagePlus number and name, they have a 1 in 100 chance of guessing your security question answers. Correct choices allow you to reset the password immediately, rather than a reset password link being sent to your email account. This is about the least secure implementation I have ever seen.
LikeLike
I’m waiting out a reset to my United account thanks to this inane system. I could not find five (!) questions that I could answer truthfully and memorably, and as you note I couldn’t do what I usually do with these things: provide a high-entropy answer of my choosing. What person over the age of 10 has a “favorite sea animal”? I didn’t much like vegetables when I was a kid; which should I arbitrarily choose as my “least favorite”? When I couldn’t remember the password I was forced to change to, United locked my account, and when I couldn’t remember my basically random answers to these questions, there was no Plan B: their help desk could not unlock my account. It’s been sent to “corporate security,” and God knows what they’ll do with it. Going forward, my solution has two parts: 1) write down and carry around all United passwords and security answers, good practice be damned; and 2) fly American whenever possible.
LikeLike
With you on this one, Ron!
LikeLike
This is the most stupid and least user friendly way of security I’ve ever seen. I have no favorites and i find it hard to remember my picks.
I hate whoever came up with stupid idea!!!
LikeLike
What a ridiculous approach United has come up with here. Sure there are potential problems with asking my mother’s maiden name. But many of the questions that United’s web wallahs have come up with have no answer anyone can remember. Month I met my spouse? Favorite flavor of ice-cream? So we are forced to write them down and put them under our mouse pads. Or, as Ron says above, give up and fly American.
LikeLike
I didn’t think that United could be that creative in implementing the most user unfriendly and ineffective set of security questions – I don’t think I could choose more than three of the questions and thus had to make up the answers for the rest and write them down. Like many parents I manage the UA Miles accounts for our four kids too – the situation is mind blowing and a very firm turn off for UA. There are many other approaches UA could have implemented with key blogger protection ( the reason cited by UA for the mess ) while enhancing customer experience and security – they chose the worst option here.
LikeLike
I did this, and I just hope that my password manager never forgets my UA password!
Also, if they only give you 10 choices in the drop down, then they must be choosing nine filler answers each time. If they are doing this randomly, then it is even easier to find the correct answer (as it is the only one that appears on each attempt).
LikeLike