Alright, now the "book is open" so to speak, and we have SWTOR's CSO looking at this, I'd like to personally get some assurance here.
1. User database with logins, passwords and security key answers: are they hashed using MD5, SHA-(1-512) or any other fast "off the shelf" crypto algorithm (yes or no answer, no need to feed info)? Are they salted?
2. Do you use multi-factor authentication before allowing authorization attempts? Does the level of authorization required change based on the provided authentication "level"? Basically, do you have differing levels of authentication?
3. This is mostly me being curious. Why don't you require all users to use 2-factor? With the current reliance on username/password schemes - even with security questions, the only way forward is at least 2-factor.
My hopes for answers are
1. No, we use a high work factor custom password encryption hash.
3. We wish we could, but politics say 2-factor is not user-friendly and so on.
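To make the distinction in question 1 concrete, here is an added example (not from the post or from SWTOR) contrasting a fast unsalted hash with a salted, iterated hash using a standard slow KDF (PBKDF2-HMAC-SHA256); the iteration count, salt length and record format are constructed choices, not anyone's production settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (not from the thread): tune iterations to your
# hardware so one verification costs a noticeable fraction of a second.
ITERATIONS = 200_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme the post asks about: one unsalted SHA-256 pass.
    Equal passwords give equal digests (rainbow tables work, duplicate
    passwords are visible) and one digest costs well under a microsecond."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, high work factor hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the work
    factor can be raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time. Unknown algorithm tags are rejected rather than guessed."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```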