I just heard about an organization – which shall remain nameless to save them embarrassment and reduce their risk exposure – that is seriously considering doing the following:
- Eliminate security question enrollment and authentication using security questions from their internal, corporate password reset system.
- Instead, ask each user to enroll a personal e-mail address (e.g., @gmail.com, @yahoo.com, etc.)
- If a user forgets their corporate AD password, send a PIN to their personal e-mail address that will then be used as the sole form of authentication.
Now maybe you’ve been living under a rock, but it seems to me that a bunch of consumer-facing web sites have been hacked in the past year or two. That means that this organization would lower the security of their corporate systems and applications to the security of public e-mail systems, which are vulnerable to phishing, keylogging attacks, DNS poisoning attacks, cookie stealing attacks, PC malware and who knows what else.
In short, no security at all.
I’m amazed that any corporation would consider such a thing.