I've Screwed My Kid's Identity

Posted by Ross Poulton on Tue 09 April 2013 #online security #parenthood #identity

Last month, this website passed it's ten-year anniversary. It's a quiet milestone, but it's humbling to know that my website has been online for more than half of the age of the "Commercial Internet" 1. I was online for a long time before 2002, but always in a less organised fashion than you see here.

Since I was an adolescent, I have been online. I was part of the first generation of teenagers to start getting themselves into trouble on the Internet by over-sharing personal details (This was never a problem for me, but I'm not sure why teenage-me shied away from being TOO personal.)

I try not to be too scared by stories carried by "news" and current affairs programs on TV where untold numbers of naive young Internet users share information, as in many cases it appears to be hyper-inflated news stories on top of parents looking for "justice" for their children, who most certainly understood what they were doing in the first place.

However I'm very cognisant of the fact that I'm putting much of my son's private information online. He'll be part of the first generation of internet users not only to not know of a pre-internet society, but whose history has already been shared without their knowledge.

Without his knowledge (and certainly without his permission), his mother, uncles, aunts, and I regularly and voluntarily publish information about his life in public arenas: Facebook, Twitter, Flickr, and even this blog contain voluminous details of my son's life from the moment he was born through to today. While most children & teenagers online are (hopefully) wise enough not to tell everybody their exact date of birth and their parents maiden names, we've already done that for our kids.

Based on the way Internet trust works today, in 2013, this information is benign to us but dangerous to our children. When my son signs up for his Facebook or Gmail account2 he's going to be asked for his mothers maiden name, his date of birth, and his first dogs' name to use as future proof of account ownership.

The problem is clearer now - my son's online accounts will not be safe because of the actions of his family decades in advance.

So what are we going to do about it? In reality it's too late; we cannot take back what we've already published about our kids. We also can't expect parents to stop bragging about their kids and posting photos - it's probably also not possible to expect parents to even understand the gravity of their oversharing because it isn't oversharing as far as they're concerned.

As an example, I have no qualms telling you that my dog is named Abby; this information is useless to you from a security viewpoint though as that's not my first dog's name. For my son, obviously, the timing is different to the tune of 27 years, so now you know the answer to that security question for him.

As new generations come online, it's time for the web to stop relying on static semi-personal information for identity. In 2013, it is no longer acceptable to rely on "security questions" to prove identity. The answer for lost online identities must be two factor.

Usefully enough, two factor authentication is already the industry-standard way to deal with high-security logins. Using hardware tokens, our mobile phones, or even old-fashioned e-mail and SMS to prove ownership of an account is the only way netizens can be safe for generations to come.

So my plea to websites on behalf of my kids is this: Stop using security questions.

  • Reset lost passwords using e-mail resets or SMS messages, not with security questions.
  • High-security accounts, such as bank accounts or e-mail accounts3, should use two-factor authentication by default
  • Security questions should die a quick and sudden death. The internet already has second generation users.

1. At least in the eyes of the general public, the Internet didn't really exist in Australia until at least the mid-nineties.

2. Or whatever takes their place in a decade from now - isn't that an exciting thought?

3. E-Mail is high-security because it is the single reset point for a persons entire online identity. It's no longer "just a Hotmail account".