What Are Security Questions?
If you've registered at a website or perhaps built a registration form for a website, then you are probably familiar with questions like "What is your mother's maiden name?" or "What is your pet's name?" These are security or challenge questions and are generally used in two ways:
- Password retrieval/reset: if you forget your password, the website will ask a question and if answered correctly, you'll get or reset the password.
- Sign-in verification: some websites occasionally display a security question during sign-in as a second level of verification.
Security questions reduce support costs by allowing users to retrieve their password rather than contacting support. Paul Laudeman comments that self-service password resets can save companies $51 to $147 per call.
Security questions are safer, than trying to verify callers' identify over the phone.
Sign-in verification can increase security over the routine user name/password option.
The term "security questions" is a misnomer. Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered. Hopefully, security experts will find better ways of retrieving forgotten passwords or verifying identification during login, but until then security questions will likely prevail.
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
Social networking (Facebook, MySpace, Twitter, personal blogs, LinkedIn) are creating more of a risk for security questions. People are generously telling all about themselves, their history, likes, favorites, and more. It easier now to find information on people.
Good Security Questions
Most websites that register users, use some form of security questions. But my experience is few websites use GOOD security questions. Reality is, there are no GOOD security questions, but these ideas present the best that is available.
Good security questions have four common characteristics. The answer to a good security question:
- cannot be easily guessed or researched (safe),
- doesn't change over time (stable),
- is memorable,
- is definitive or simple.
It's difficult to create questions that meet all four characteristics which means that some questions are good, some fair, and the remaining are poor.
Last updated: 2/7/10