Security questions are well known/widely considered to decrease security or otherwise create more problems (e.g., remembering gibberish), but sometimes I am required to have and answer them anyway. While that has been discussed many times before so I won't rehash the debate here, I'm a fan of passwords that are both secure and can be easily (re)generated so what I would like to do is to answer security questions with a portion of my pgp signature for the questions themselves. However, this leaves me with two issues I'm not confident about:
- if there is anything I'm missing that may actually make this less secure or less reproducible (different gpg versions or default algorithms, etc?) than I might think it to be, and
- where to extract the portion of the signature from, considering anything like the pgp header and the fact that the full signature is too long to realistically use.
Currently, if I use echo -n 'What is the air speed velocity of an unladen swallow?' | gpg -s --clearsign
, I get:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
What is the air speed velocity of an unladen swallow?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJaUnsoAAoJEAsnyIE5nAz6NLQP/2Yb33we/32eyWhHoCcYpzQI
0Si5AD+BJCrpcKgAehKdkx/eaHPKfTX55cxT23qk14XiLwnDqSsK/oPazuUwUIoP
brWkgqXj2G2YhQkBKe/WaEafbi3J7kmeddrmpaFrAkKkYYdFcC8zXtH9YcpM5OB2
kMava8oO0K6exoY4r2Fa9mIiOHrFZXkbtY9NuOvxhhOLmAeQolJ7WBdc+mt/Pmwv
0YIWlJhLgxxqqtXTlHXNNbatqkClAE1DB48FyyP3Mi8P8Ny+3z6ntDtwZezF+Lc4
67hWsUzjZ24E4Ww0CLquFTomNscuTFJRnAKJE02ctDixuz17zZxaliQBXdTrA43k
OUr+d9P2OdJXNPA0H9GQV9T+6CrHXM3dRXzrpSTrXzg7ZM8EWDB2b9iPp5b60KmE
/IwG0ijWH3B90gXJeGW2KeUm8qhH6AYBeXG+Yv2+9tB6T7KYETMku+FKgh61O6MJ
hYnQ7YMRhf8WjZw6m+jZ3knn0tIYqwszlJ7nJ0qlYlMsY9YzJkvKTpGQLHxQqDJv
ZraIbgPJuPJ1uT+qbbWk+QgOpehAyAFC/3aI57eqI/3poKl2/2f3QMsw7yRPnN/s
HeIvXhEVBqcOb7pfI3i6pT9f01QG5u16/vAKf6pq9WOuVTCeH5CP0t0xZ3eF+kJ+
m4C4rL/Q+uSexZL9IQ07
=jh/a
-----END PGP SIGNATURE-----
What I would like to do is take maybe a 16 character long snippet of the signature to use as my answer that would be in a consistent, easily found location so that I can reliably reproduce my answers to all future security questions, but where should that be? At least the first 18 characters seem to be the same regardless of input, but that alone is not enough to convince me to just discard the first 18 and use the next 16.
Can anyone address the above two concerns?
UPDATE
This question was originally hinged more on PGP being perceived as the potential solution to my problem, which was shown to not be suitable for the reproducibility requirement. However, I still like the idea of treating security questions similar to challenge-response authentication with the security benefits typically gained through PKI approaches (e.g., verifiability, non-repudiation, etc). In absence of such a solution, HMAC may be a viable alternative, but it reduces itself to being more of just another password (something I know) instead of a publicly verifiable response based upon something tied to my identity like a key (something I have). While this isn't quite an MFA question, I would like to know if there are any other possible approaches that could get me closer to what I had imagined?