
How do I add a user without security questions?

Adding a new user to a system without requiring security questions is generally not recommended from a security standpoint. Security questions help protect user accounts by providing an additional layer of authentication beyond just a password. However, there may be specific use cases where security questions are not necessary or desired when creating a new user. This article will explain when it may be appropriate to add users without security questions, the risks involved, and the steps to configure user account creation without mandatory security questions.

When is it ok to add users without security questions?

There are a few scenarios where it may be reasonable to add users without requiring security questions:

  • For accounts with very low security requirements – Some systems have low-sensitivity accounts where strict authentication controls are not needed. For example, an internal wiki or discussion forum may allow open registration without security questions.
  • For temporary accounts – When creating accounts for short-term contractors, vendors, or during user acceptance testing, security questions may not be necessary if the accounts will only be active for a limited time.
  • For automated service accounts – Accounts that are used by automated services and systems don’t require security questions since there is no interactive human login.
  • For testing or development environments – It may be acceptable to relax authentication requirements in non-production environments to simplify testing.

However, when considering omitting security questions, the reduced account security and risk of abuse should be carefully evaluated.

Risks of adding users without security questions

Some key risks of allowing user creation without security questions include:

  • Weakens account security – Security questions provide additional account protection beyond just a password. Without them, accounts are far more vulnerable to unauthorized access via stolen or guessable passwords.
  • Increases password reuse risks – Users are more likely to reuse the same weak passwords across accounts without security questions enforcing strong credentials.
  • Enables automated account attacks – Attackers can easily create accounts en masse without answering security questions.
  • Makes password resets difficult – Without security questions, users who forget their passwords have no self-service method to reset them and regain access.
  • Reduces auditability – Security questions provide visibility into who is attempting to access accounts and from where.

Therefore, the best practice is to require security questions whenever possible when adding new users to reduce these risks. The next sections explain how to configure user creation without security questions, but also discuss mitigation options to consider.

Disabling mandatory security questions

The specific steps to allow creating users without requiring security questions will vary depending on the application or system. Here are the general guidelines for some common platforms:

Active Directory

By default, user account creation in Active Directory requires at least one security question to be specified. To disable this requirement:

  1. Open the Active Directory Users and Computers management tool.
  2. Right-click the organizational unit where new users will be created and select Properties.
  3. Select the Password Policy tab.
  4. Uncheck the “Require users to provide an answer to a password reset question before they can change their password” option.
  5. Click OK to save the updated password policy.

This will disable mandatory security questions for new user creation in that OU.

Linux useradd

The useradd command in Linux does not require any security questions by default when creating new users. Therefore, no action is needed to disable mandatory questions.

For example:

# useradd jsmith

Will create the user jsmith without any security questions set.
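As an added example that is not part of the original article, the following POSIX shell helper builds the useradd invocation for the account types discussed earlier (temporary and service accounts, plus an ordinary account) and runs it only when executed as root, printing a dry run otherwise. The flags used (-m, -M, -r, -s, -e, -c) are standard shadow-utils useradd options; the account kinds, the names, the nologin path and the dry-run behaviour are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: wrap useradd so that the
# account types the article describes get sensible defaults.
# Assumed: GNU shadow-utils useradd (flags -m, -M, -r, -s, -e, -c) and
# /usr/sbin/nologin as the non-interactive shell.

# Print the useradd arguments for an account kind:
#   temp    NAME EXPIRY   interactive account that expires on EXPIRY (YYYY-MM-DD)
#   service NAME          system account, no home directory, no login shell
#   regular NAME          ordinary interactive account with a home directory
# Because no -p is given, useradd leaves the password disabled until an
# administrator sets one with passwd.
useradd_args() {
    kind=$1; name=$2; expiry=$3
    [ -n "$name" ] || { echo "an account name is required" >&2; return 1; }
    case "$kind" in
        temp)
            case "$expiry" in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
                *) echo "temp accounts need an expiry date as YYYY-MM-DD" >&2; return 1 ;;
            esac
            echo "-m -e $expiry -c temporary-account $name" ;;
        service)
            echo "-r -M -s /usr/sbin/nologin -c service-account $name" ;;
        regular)
            echo "-m $name" ;;
        *)
            echo "unknown account kind: $kind" >&2; return 1 ;;
    esac
}

# Run useradd when executing as root; otherwise print the command that would
# run (dry run), so the helper can be inspected safely on a workstation.
create_account() {
    args=$(useradd_args "$@") || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # shellcheck disable=SC2086  # splitting the argument string is intended
        useradd $args
    else
        echo "dry run: useradd $args"
    fi
}

# Example calls (uncomment to use on a real host):
#   create_account temp jsmith 2025-01-31
#   create_account service backupsvc
```

The temporary account expires on its own through -e, so it does not linger after the contractor or test window ends, and the service account gets no home directory and no interactive shell, which matches the article's point that such accounts never see a human login.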

MySQL

In MySQL, security questions are stored in the mysql.user table. To allow creating MySQL user accounts without security questions:

  1. Set the password_reuse_history MySQL system variable to 0:

     mysql> SET GLOBAL password_reuse_history = 0;

  2. Create new users without specifying the PASSWORD_REUSE_HISTORY option:

     mysql> CREATE USER 'jsmith'@'localhost' IDENTIFIED BY 'pass123';

This will create the user without any password reuse history, which includes security questions.

Other platforms

Refer to the specific platform or identity provider’s documentation for steps to allow user creation without mandatory security questions. Most provide configuration options to disable this requirement.

Mitigate risks of no security questions

If business needs require allowing user creation without security questions, here are some ways to help reduce the risks:

  • Enforce strong password policies – Require long, complex passwords to compensate for no questions.
  • Limit high-risk accounts – Only omit questions for lower-sensitivity accounts when possible.
  • Monitor for suspicious activity – Check logs regularly for signs of abuse or automated attacks.
  • Enable MFA – Require multi-factor authentication via security keys or one-time codes.
  • Prompt users to add questions later – Encourage or force users to add security questions after some initial grace period.
  • Restrict permissions – Limit privileges granted to accounts without security questions.

Removing security questions can only be mitigated effectively by layering several of these other protections together.
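Of the mitigations listed, monitoring for suspicious activity is the one most easily shown in code. The following POSIX shell script is an added example, not part of the original article: it runs over a few constructed syslog-style lines (OpenSSH sshd and shadow-utils useradd messages, with IP addresses from the documentation ranges) and reports source addresses with repeated failed logins as well as the accounts created by useradd. The log format, the threshold and the sample data are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: two small checks over an
# auth log to support the "monitor for suspicious activity" mitigation.
# Assumed: syslog-style lines from OpenSSH sshd ("Failed password ... from IP")
# and shadow-utils useradd ("new user: name=..."). The sample data below is
# constructed and uses documentation IP ranges (RFC 5737).

SAMPLE_LOG=$(cat <<'EOF'
Mar 10 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 host sshd[1203]: Failed password for jsmith from 203.0.113.7 port 51030 ssh2
Mar 10 09:12:05 host sshd[1205]: Failed password for jsmith from 203.0.113.7 port 51031 ssh2
Mar 10 09:12:20 host sshd[1210]: Accepted password for jsmith from 198.51.100.4 port 40211 ssh2
Mar 10 09:13:00 host useradd[1300]: new user: name=tmp001, UID=1501, GID=1501, home=/home/tmp001, shell=/bin/bash
Mar 10 09:13:01 host useradd[1302]: new user: name=tmp002, UID=1502, GID=1502, home=/home/tmp002, shell=/bin/bash
Mar 10 09:14:10 host sshd[1320]: Failed password for root from 192.0.2.55 port 33010 ssh2
EOF
)

# Read log lines on stdin; print "COUNT IP" for each source address with at
# least THRESHOLD failed password attempts (password guessing against
# accounts that have no second factor shows up here first).
failed_logins_over() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }'
}

# Read log lines on stdin; print the names of accounts useradd created,
# one per line, in log order. A burst of these is the mass-creation sign
# the article warns about.
new_user_names() {
    sed -n 's/.*useradd\[[0-9]*\]: new user: name=\([^,]*\),.*/\1/p'
}

# Number of accounts created in the log window.
new_user_count() {
    new_user_names | wc -l | tr -d ' '
}

# Print both checks over the sample data with the given failure threshold.
report() {
    echo "Sources with >= $1 failed logins:"
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_over "$1"
    echo "Accounts created by useradd: $(printf '%s\n' "$SAMPLE_LOG" | new_user_count)"
    printf '%s\n' "$SAMPLE_LOG" | new_user_names
}

report 3
```

On a real host, replace the printf of SAMPLE_LOG with something like `tail -n 5000 /var/log/auth.log` and run the script from cron; the threshold should be tuned to the normal failure rate of the environment so that the report stays short enough to be read.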

Conclusion

Adding users without requiring security questions weakens account security and enables potential abuse. However, for accounts with minimal sensitivity that will be short-lived or have other authentication controls, it may be reasonable to omit security questions during user creation. This should only be done after thoroughly assessing the risks and implementing other compensating controls to reduce the account vulnerabilities introduced. Carefully evaluate each use case where mandatory security questions may need to be disabled and maintain proper precautions.