Two-Person Authentication: Strengthening the Weakest Link in Cybersecurity
techbreakdowns.com

To be frank: the company I'm working for as an external already does this. This is the flow:

1. I call the hotline and give them my username.
2. They ask me a security question, if set in a special portal (I can set any question as long as the answer is long enough and can be spoken).
3. They contact the manager if the question was not set. He gets a word that acts like the answer for the security question.
Most of the typical things we turn to for security questions _could_ be easily figured out if you were the target in an attack.
I guess what I believe should happen is #3, always. This second person is more likely to spot when something is awry with the request.