IDPros / bok

This is a public comment environment for the IDPro body of knowledge.

Best Practice - Call Center Authentication #44

Open lancepeterman opened 3 years ago

lancepeterman commented 3 years ago

This needs to be incorporated into the BoK, probably in one of the Intro to Identity articles:

It would be good to include a passage on why using a shared secret, usually established by the customer, is a risky method for authenticating customers in that setting. These are risky for a number of reasons, not the least of which is that the secret is known by the customer (if they can remember it), the authentication system, and then the operator once they key in the secret.
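As an added illustration of the exposure described in this comment (this code is not part of the IDPro BoK or of either commenter's text), the following compares two ways of checking a customer-established secret. In the first, the agent asks for the secret and types it, so the plaintext reaches the agent, the desktop and any call recording or case notes. In the second, the customer keys the secret on the phone keypad, the system compares it against a salted hash, and the agent only learns pass or fail plus a lockout state. The class and method names, the `MAX_ATTEMPTS` value and the customer data are all constructed for the example.

```python
import hashlib
import hmac
import os


def _normalise(answer: str) -> str:
    # Customer-established answers are typed by humans; collapse case and
    # spacing so "Main St" and " main  st " compare equal.
    return " ".join(answer.split()).lower()


class AgentKeyedVerifier:
    """Constructed model of the risky flow: the agent hears the secret,
    types it, and the system compares it with a plaintext copy at rest.
    Customer, system and agent all now know the secret."""

    def __init__(self):
        self._answers = {}      # customer_id -> plaintext answer at rest
        self.agent_screen = []  # what the agent typed (and the recording heard)

    def enroll(self, customer_id, answer):
        self._answers[customer_id] = _normalise(answer)

    def verify(self, customer_id, answer_typed_by_agent):
        self.agent_screen.append(answer_typed_by_agent)
        return self._answers.get(customer_id) == _normalise(answer_typed_by_agent)


class AgentBlindVerifier:
    """Constructed model of an agent-blind flow: the customer keys the secret
    into the IVR, the system checks it against a salted PBKDF2 hash, and the
    agent desktop receives only a verdict and a lockout flag."""

    MAX_ATTEMPTS = 3  # assumed policy value, not from the page

    def __init__(self):
        self._records = {}  # customer_id -> [salt, hash, failed_attempts]

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", _normalise(secret).encode(), salt, 100_000)

    def enroll(self, customer_id, secret):
        salt = os.urandom(16)
        self._records[customer_id] = [salt, self._hash(secret, salt), 0]

    def verify_from_ivr(self, customer_id, keyed_by_customer):
        rec = self._records.get(customer_id)
        if rec is None:
            return False  # unknown customer looks like a wrong secret: no enumeration
        if rec[2] >= self.MAX_ATTEMPTS:
            return False  # locked out: the agent should escalate, not keep retrying
        if hmac.compare_digest(rec[1], self._hash(keyed_by_customer, rec[0])):
            rec[2] = 0
            return True
        rec[2] += 1
        return False

    def agent_view(self, customer_id):
        # The only state the agent desktop should ever be shown.
        rec = self._records.get(customer_id)
        return {"locked": rec is not None and rec[2] >= self.MAX_ATTEMPTS}


def demo():
    keyed = AgentKeyedVerifier()
    keyed.enroll("cust-1", "Fluffy")          # constructed customer data
    keyed.verify("cust-1", "fluffy")          # agent now holds the plaintext
    blind = AgentBlindVerifier()
    blind.enroll("cust-1", "4921")
    ok = blind.verify_from_ivr("cust-1", "4921")
    return keyed.agent_screen, ok, blind.agent_view("cust-1")


if __name__ == "__main__":
    print(demo())
```

The point the comparison makes is not that hashing alone fixes the problem: the secret is still something the customer must remember and could be coaxed out of them. What changes is who holds it. In the second flow the only party that ever sees the plaintext is the customer, and the agent's screen can be recorded, screenshotted or shoulder-surfed without leaking it.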

cronical commented 3 years ago

I think this is referring to private questions and answers, often for the purpose of resetting passwords. This is as opposed to a shared secret, which is the password or PIN. Is that right, Lance?