
Ask HN: Using password with a random secret question user has stored? - happppy
Would it be secure enough if the user has to answer a secret question after logging in, and if they enter the correct answer they are logged into the application, but if they don't answer it correctly the first time, the user is locked out and an SMS with some numbers is sent to the user's mobile number to get unlocked, and this process is repeated a maximum of about 3 times before the account is blocked forever unless an admin unblocks it after verifying the user manually?
======
Hackbraten
Secret questions don’t help with security but tend to make it worse. Not only
can they be phished conveniently along with the password, they also make for a
poor UX. Also, SMS is no longer considered a secure channel. Use a more secure
second factor instead, such as WebAuthn.

Blocking an account after a number of failed login attempts is an invitation
for DoS. Use a system of temporary blocks instead; for example, 2^n seconds
after the n-th attempt.

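The temporary-block scheme described in the comment above (a wait of 2^n seconds after the n-th consecutive failed attempt, instead of a permanent lock) worked through as an added example; this is not code from the thread or from any commenter. The PBKDF2 password store, the `alice` account, the exponent cap and the fake clock are all assumptions made for the example.

```python
"""
Login throttling with exponential backoff, as an alternative to a
permanent lock after a fixed number of failures.

Each consecutive failed attempt on an account blocks further attempts on
that account for 2**n seconds (n = number of consecutive failures), capped
so the wait cannot grow without bound. A successful login resets the
counter. The user store and the sample account are constructed here for
the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # unix timestamp; 0.0 means not locked


class LoginThrottle:
    """Per-account temporary blocks: 2**n seconds after the n-th failure."""

    def __init__(self, max_exponent: int = 12, clock=time.time):
        # Cap the exponent so the longest wait is 2**12 s (~68 minutes);
        # without a cap an attacker could still push a victim's wait to days.
        self.max_exponent = max_exponent
        self.clock = clock  # injectable so tests do not have to sleep
        self.state: dict[str, AccountState] = {}

    def backoff_seconds(self, failures: int) -> int:
        return 2 ** min(failures, self.max_exponent)

    def seconds_until_unlocked(self, username: str) -> float:
        st = self.state.get(username)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def record_failure(self, username: str) -> int:
        """Count a failed attempt and return the new wait in seconds."""
        st = self.state.setdefault(username, AccountState())
        st.failures += 1
        wait = self.backoff_seconds(st.failures)
        st.locked_until = self.clock() + wait
        return wait

    def record_success(self, username: str) -> None:
        self.state.pop(username, None)


PBKDF2_ROUNDS = 100_000
# Dummy record used for unknown usernames so the hash is always computed
# and a missing account is not distinguishable by response time.
_DUMMY_RECORD = (b"\x00" * 16, b"\x00" * 32)


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record for the constructed user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def attempt_login(throttle: LoginThrottle, users: dict, username: str,
                  password: str) -> str:
    """Return 'locked', 'bad_credentials' or 'ok'.

    An attempt made while the account is blocked is rejected without
    checking the password and without extending the block, so a legitimate
    user who retries early does not make their own wait longer.
    """
    if throttle.seconds_until_unlocked(username) > 0:
        return "locked"
    record = users.get(username)
    salt, expected = record if record is not None else _DUMMY_RECORD
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if record is not None and hmac.compare_digest(got, expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad_credentials"


class FakeClock:
    """Manually advanced clock so the backoff can be observed without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"alice": make_record("correct horse battery staple")}
    for i in range(1, 5):
        result = attempt_login(throttle, users, "alice", "wrong")
        print(result, "next attempt allowed in",
              throttle.seconds_until_unlocked("alice"), "s")
        clock.advance(2 ** i)
    print(attempt_login(throttle, users, "alice", "correct horse battery staple"))
```

The counter only resets on a successful login, so an attacker who keeps guessing can still make a victim wait up to the capped maximum; that residual annoyance is the price of not handing out a permanent lock, and it is why the cap matters. Throttle state is keyed by username in memory here; a real deployment would persist it and also bound the number of distinct usernames tracked.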
~~~
happppy
I was reading about WebAuthn. What if my security key gets stolen?

~~~
Hackbraten
One common method is to secure the hardware key with a PIN. The key will only
do its work (e.g. sign things) if the correct PIN is entered. It will also
destroy the secrets it keeps (or even itself) after a given number of failed
attempts.

If this is not feasible for some reason, you need to change or revoke your
secrets as soon as you know the key is stolen.

------
gtsteve
My bank does this and it was really annoying to have to create a table of
randomly generated values as answers to their questions. I refuse to give real
answers to stuff like this; I'm pretty sure if you knew my real-world identity
you could find my father's middle name without too much hassle for example.

I'd prefer it if they just used TOTP or FIDO as their second factor because
it's actual real security. Even SMS would be better than nothing.

