I was thinking about this for a while. Say we have an app for which there is an admin console, and we need to provide access to the admin console over the browser (yes, HTTPS).
For authentication, instead of asking for a password, would the following be more secure?
- Prepare a set of very uncommon questions of very very wide scope, the answers to which hardly friends or family would know. And at least it is safe to assume that no one person would know the answer to all those questions altogether. These questions can be stuff like minor stuff that happens in your life, and don't matter enough that you will tell anyone.
- Store answers to these questions in a normalized form. So trim whitespace, remove punctuation etc. And hash-salt them just like you do with passwords.
- On login, ask these questions in random order (and ask only a part of the questions, so that the set is different the next time the hacker attempts to login). At the end, verify all the answers together, and if they are valid, log the user in.
I am wondering if this will be any more secure than the present methods around. If not, is there something I am missing?
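The scheme described in the question, written out as a small Python sketch (added here; it is not the asker's code). The question bank and answers are constructed samples, PBKDF2 stands in for "hash-salt them just like passwords", and the verifier also checks that the submitted answers match the challenge that was issued, so a client cannot answer fewer questions than it was asked.

```python
import hashlib
import hmac
import os
import random
import re
import string

# Constructed sample question bank (not from the original post).
QUESTIONS = {
    "q1": "Which street vendor did you buy lunch from last Tuesday?",
    "q2": "Which bus number did you take to your first job interview?",
    "q3": "What colour was the mug you broke in 2019?",
    "q4": "What did you nickname your first bicycle?",
}

def normalize(answer: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace: ' The Red Mug! ' -> 'the red mug'."""
    answer = answer.lower().translate(str.maketrans("", "", string.punctuation))
    return re.sub(r"\s+", " ", answer).strip()

def hash_answer(answer: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer (assumed KDF choice)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)

def enroll(answers: dict) -> dict:
    """Store a fresh random salt and the derived hash per question, never the plaintext."""
    record = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        record[qid] = (salt, hash_answer(answer, salt))
    return record

def pick_challenge(record: dict, k: int, rng=random.SystemRandom()) -> list:
    """Choose k question ids, in random order, for this login attempt."""
    return rng.sample(sorted(record), k)

def verify(record: dict, challenge: list, responses: dict) -> bool:
    """Accept only if every challenged question was answered correctly.
    All answers are checked before returning, so the result does not
    tell the client which individual answer was wrong."""
    ok = set(responses) == set(challenge) and len(challenge) > 0
    for qid, answer in responses.items():
        if qid not in record:
            ok = False
            continue
        salt, stored = record[qid]
        ok &= hmac.compare_digest(hash_answer(answer, salt), stored)
    return ok
```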