I have recently come across a security layer implementation on several websites, especially where you may have your PII (personally identifiable information) stored. I am curious to understand how it is going to help the hackers. The way the instructions were given to
1. Set up a user ID and password.
2. Answer one or three questions – a way to remember and recognize you as you.
3. Provide an image or a text that you know, and possibly a piece of information that you give the website to recognize you, or for you to recognize that you are logging into the right site.
4. When you log in the next time, you would enter the username and the password (provide your credentials) and proceed further. At this time you would be prompted with the key (either text or an image) that you had picked during the setup process, and you proceed further saying you recognize it.
Well, unless I misread the instructions, this might help an end user to trust the site and so possibly avoid a phishing situation to an extent, but this may not help a website to know if it is a genuine user logging in. The application provides the clear-text key or an image, and the user can proceed further.
Do you have any insights as to why this kind of authentication is used?
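The setup and login steps listed in the post, modelled server-side as an added example that is not part of the original post and not code from any of the sites it refers to. The class and function names, the PBKDF2 parameters and the sample values are assumptions made for illustration; in this flow the image or text is released only after the password verifies, and the user's "I recognize it" confirmation carries no secret back to the site.

```python
import hashlib
import hmac
import secrets


class SiteImageAuth:
    """Hypothetical model of steps 1-4: credentials, questions, site key."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(secret, salt):
        # Slow salted hash so stored passwords and answers are not reversible
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, user_id, password, answers, site_key):
        """Steps 1-3: store hashed credentials and answers plus the chosen key."""
        salt = secrets.token_bytes(16)
        self._users[user_id] = {
            "salt": salt,
            "pw": self._hash(password, salt),
            "answers": {q: self._hash(a.strip().lower(), salt)
                        for q, a in answers.items()},
            "site_key": site_key,  # shown back in clear, so stored in clear
        }

    def login(self, user_id, password):
        """Step 4: return the site key only after the credentials verify."""
        rec = self._users.get(user_id)
        # Unknown users are hashed against a dummy salt so both paths do equal work
        salt = rec["salt"] if rec else b"\x00" * 16
        candidate = self._hash(password, salt)
        if rec is None or not hmac.compare_digest(candidate, rec["pw"]):
            return {"authenticated": False, "site_key": None}
        return {"authenticated": True, "site_key": rec["site_key"]}


def user_accepts(shown_key, remembered_key):
    """The user's side of step 4: proceed only if the expected key is shown."""
    return shown_key is not None and shown_key == remembered_key
```

A server with no enrolment record for the user returns no key, so `user_accepts` fails there; the key authenticates the site to the user, while the site's knowledge of the user still rests on the password check alone.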