Security Questions Are a Terrible, Horrible, Bad Idea



As I was setting up my account at Deutsche Bahn, I was surprised to see the following UI:

[Image: Deutsche Bahn account UI]

After the 2013 Yahoo security breach that compromised 3 billion user accounts, it should be common knowledge by now that security questions are a terrible idea. Why are they still a thing?

They Can Be Very Easily Guessed

The main idea behind security questions is that they’re safe and memorable. But with today’s social media, anyone can scroll over my posts and figure out the name of my high school mascot, and if I can remember it, then probably a lot of people can too.

This 2015 Google study has confirmed that with only a single guess, an attacker would have a 19.7% chance of guessing an English-speaking user’s answer to the question “What is your favorite food?”.

With 10 guesses, an attacker would have a 24% chance of figuring out an Arabic-speaking user’s answer to the question “What was your first teacher’s name?” and a 39% chance of guessing a Korean-speaking user’s city of birth (and a 43% chance of guessing their favorite food).

Many different users also had identical answers to secret questions you’d typically expect to be unique, such as “What’s your phone number?” or “What’s your frequent flyer number?”.

On top of that, 37% of people deliberately provide false answers to their questions, thinking this will make them harder to guess, when, in fact, it makes them even easier to figure out.

They Can Be Brute-Forced

We demand that a user enter a password that contains lowercase and uppercase letters, numbers, and special characters.

But we hide the account recovery mechanism behind a silly question that can be brute-forced? This doesn’t make any sense to me!
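
To make the study’s percentages concrete, here is an added example (it is not code from the original article, and the numbers in it are not the Google study’s data) that computes the “success within k guesses” metric over a constructed answer histogram and sets it beside a uniformly random password. The histogram, the attempt counts and the function names are assumptions made for illustration. It serves both sections above: the guessability figures come from the skew of the answer distribution, and the brute-force point is simply that k is however many attempts the recovery endpoint lets an attacker make.

```python
"""Guessability of security-question answers versus a password policy.

Added example, not the article's code. The answer histogram below is
CONSTRUCTED for illustration and is not the Google study's data; it only
shows how a "chance within k guesses" figure is computed and why the number
of permitted recovery attempts (k) matters.
"""
from collections import Counter
from math import log2

# Constructed sample: how 1,000 imaginary users answered "favorite food?".
# A few very popular answers plus a long tail is the shape that makes the
# question weak; the top answer is set to 19.7% deliberately.
FAVORITE_FOOD_ANSWERS = Counter({
    "pizza": 197, "pasta": 60, "sushi": 45, "tacos": 40, "chicken": 35,
    "steak": 30, "burger": 28, "curry": 20, "ramen": 15, "salad": 10,
})
# The remaining 520 imaginary users each gave a distinct long-tail answer.
FAVORITE_FOOD_ANSWERS.update({f"dish-{i}": 1 for i in range(520)})


def success_within_k_guesses(answers: Counter, k: int) -> float:
    """Probability that an attacker who knows the population's answer
    distribution, but nothing about the victim, succeeds within k guesses.
    The optimal strategy is to try the k most common answers, so this is
    just their combined share of all answers."""
    total = sum(answers.values())
    return sum(count for _, count in answers.most_common(k)) / total


def uniform_success(space_size: int, k: int) -> float:
    """The same metric for a secret drawn uniformly from `space_size`
    values, such as a random policy-compliant password (capped at 1.0)."""
    return min(1.0, k / space_size)


def min_entropy_bits(answers: Counter) -> float:
    """Min-entropy, -log2(p_max): the bound on single-guess success.
    Roughly 2.3 bits here versus ~47.6 bits for an 8-char random password."""
    total = sum(answers.values())
    p_max = answers.most_common(1)[0][1] / total
    return -log2(p_max)


if __name__ == "__main__":
    password_space = 62 ** 8  # 8 chars from [A-Za-z0-9], a common minimum
    for k in (1, 10, 100):
        food = success_within_k_guesses(FAVORITE_FOOD_ANSWERS, k)
        pwd = uniform_success(password_space, k)
        print(f"{k:>3} guesses: favorite food {food:.1%}, random password {pwd:.1e}")
    print(f"min-entropy of food answers: {min_entropy_bits(FAVORITE_FOOD_ANSWERS):.2f} bits")
```

With the constructed histogram a single guess succeeds 19.7% of the time, ten guesses reach 48%, and a hundred reach 57%, while ten guesses against a random eight-character password succeed with probability on the order of 5e-14. Rate-limiting and locking the recovery endpoint pins k to a small number, but as the one-guess column shows, it cannot repair the low min-entropy of the answers themselves.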

They Make Wrong Assumptions About Your Users

Maybe in the Western world, people can find security questions relatable. But I didn’t have a pet, I’m not good at remembering people’s names, and I was never married, so I never went on a honeymoon.

Growing up in North Africa, I didn’t even know what a maiden name meant because where I come from, women don't take their husband's names.

So that left me with “What’s your favorite dish?”, and anyone who knows me can guess what that is.

That’s a terrible user experience that excludes anyone who isn't from the same cultural background as the person who developed the application. By doing so, we compromise their privacy because we narrow the questions that they might find relatable.

Conclusion

Today, many available services make authentication integration seamless.

Please implement a proper two-factor authentication flow instead of compromising your users’ privacy.

And next time someone asks me what my favorite dish is, it’ll be something like cOüs;Coū!68$!

Translated from: https://medium.com/better-programming/security-questions-are-a-terrible-horrible-bad-idea-da108e303240
