Hi, everyone. Leo Notenboom here for askleo.com. I got a very interesting and actually fairly frustrated comment the other day on one of my articles having to do with how Microsoft accounts can get easily “locked out” if you will. The problem is this one if you haven’t heard of it before.
The issue is that if you’re traveling, and you’re trying to access your Microsoft account, your Hotmail account, your Outlook.com account from some place other than you normally do, some other country or some other location on the planet, Microsoft will probably ask you for an additional verification step to prove that you are who you are.
That additional verification usually takes the form of a text message sent to the alternate phone number on file with that account or a message or an email message sent to one of the other email accounts, the alternate email address that you have associated with the account.
The frustration is that especially when traveling, many people don’t have access to the text message or the phone that would receive the text message, or they don’t have access to this other email account; they’re counting on being able to use their Microsoft account while they’re traveling and as a result, without access to these alternate verification mechanisms, they have no way to log in to their account.
The frustration was simply this: Why can’t they just ask me a couple of security questions and let me get on with my life? Well, the problem is security questions really aren’t that secure anymore. I mean, they were never really very good. I mean there’s a lot of us who have the common security questions have pretty easily understandable answers.
Now, you may not know my mother’s maiden name or the name of my first pet, but a lot of people have fairly common answers to those kinds of questions and a lot of the questions, to be honest weren’t even that sophisticated. A lot of online services are now moving away from using security questions as a secondary way to validate your identity.
In a lot of ways, we really have ourselves to blame because even for those relatively secure security questions, something interesting has been happening because a couple of days after I got that comment from the individual on that article, I happen to be on Facebook and sure enough, up through Facebook came another one of those quizzes.
“What kind of something are you” or “What’s your Hobbit name” or any of those kinds of things. I’m sure if you’re on Facebook at all you’ve seen these things. The problem is that most of these quizzes actually take your personal information in either of two ways. The most common is simply that they ask you a very seemingly innocuous question. For example, “What’s your Hobbit name?” Well, your Hobbit name might be based on the month of your birth. So as soon as you pick a Hobbit name and post it publicly on your Facebook timeline, well, anybody paying attention now knows what month you were born in.
That same technique can be used, and in fact is being used, for all sorts of different seemingly innocuous pieces of personal information except that when all that information is collected, in other words, over the course of a couple of weeks you participate in a few of these quizzes and you answer some of these quizzes and you post publicly, your Hobbit or whatever it is that these things are asking about, somebody paying attention, who’s collecting this information can over time build a fairly complete picture of a lot of your personal information.
It starts to come close to a dossier, actually. It was a word I was toying around with. It seems a little bit strong but when you think about it, simply answering these quizzes with information about yourself, actually makes this kind of information public. And that’s actually without even the Facebook app needing any special access, just posting the answers to what kind of a “whatever you are”, actually makes this information public to anybody paying attention.
Now, of course, on top of that, there are Facebook applications that themselves, before you even can participate in the quiz, they actually ask for permission to access your Facebook profile and of course they can slurp up all sorts of data based on whatever it is you contain or whatever it is you put in your profile but the issue is that these seemingly innocuous quizzes and games and whatnot on Facebook and probably other social media sites, they can cause you to inadvertently expose a tremendous amount of information about yourself.
It may be encoded; you may not know that Frodo means January but there it is. They do. So, that’s kind of put another nail in the coffin of security questions and answers because a lot of online service providers know that security answers and security questions, they were never that great to begin with and with what’s happening in social media today, the security is being eroded at a fairly rapid rate.
They have to go to alternate means to confirm your identity. So, what does that really mean for you? What should you be doing because of this erosion of the security question as a viable means of secondary identification? Well, for one thing, security questions are still in use. They’re going away; they’re slowly going away. I’m actually surprised at the number of accounts that no longer use them but there definitely are accounts that continue to use them.
Don’t answer those quizzes. Don’t play those games on Facebook that cause you to explicitly or inadvertently reveal personal information about yourself. That’s kind of a no-brainer. The other issue though is that because accounts are using other mechanisms to confirm your identity when they feel they need to, make sure that those mechanisms are in place, that they are up to date and that they will work when you need them. In fact, my recommendation is that for your most important accounts, your email accounts when you are traveling, your banking accounts, whatever it is, whatever accounts would concern you, use all of the available secondary mechanisms that they provide.
If they provide security questions, great! Give them answers. A best practice for security questions and answers, by the way, is to have answers that have no relationship to the question. Your mother’s first name may be “Orange” and that is completely nonsensical but they don’t care as long as you can provide the right answer to that question if it gets asked to you in the future.
Also, make sure that you’ve got an alternate phone number on there if they have that as an option. Make sure that there’s an alternate email address and most important of all, make sure that those phone numbers and email addresses are up to date and things that you actually still have.
One of the very common ways that people are losing their accounts is they will actually take the time to set up that information when they set up the account. Life goes on. They lose that particular mobile number; they lose that particular email address and all of a sudden they’re left with no working alternate forms of identification for their primary email account.
So make sure you’ve got them all set. Make sure that they are up to date. In addition, get recovery codes. Many services now give you the option of creating a recovery code that you can keep with you in a safe place. Microsoft is one of them. If you actually create a recovery code before you need it, that is another way that Microsoft can confirm that you are who you say you are when you need to confirm that; when you need to access your account in what they might consider to be a questionable situation.
But the most important thing of all is just be aware that security questions may not be enough. Recovery information, however much there is of it on your account needs to be there. It needs to be up to date and it needs to be something you can access when you’re in a situation that might cause your primary account to actually want to confirm that you are who you say you are.
So, as always, I’m really interested in what you have to say about this issue. Here’s a link to this article on Ask Leo! If you are viewing this video anywhere but on askleo.com, come join us there. That’s where the discussion is. That’s where the moderated comments are. Until next week, I’m Leo Notenboom for askleo.com. Stay safe, have fun and don’t forget to back up.