What makes a good security question? You can design your own good security questions with these five criteria.
The answer to a good security question has the following characteristics:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: the user can remember it without looking it up
- Simple: is precise, easy, consistent
- Many: has many possible answers
Once you review these criteria, it quickly becomes evident that there are few, if any, “good” security questions. If you must use security questions to reset passwords, use the following criteria to assess the quality of a question.
1. Safe — Can’t Guess or Research
The most important characteristic of a good security question is security – it does not compromise the very thing it is trying to protect. A good security question:
- cannot be easily guessed whether or not the attacker knows the user (family member, close friend, relative, ex-spouse, or significant other)
- cannot be easily researched – Facebook, G+, other social media, blogs, or research sites
2. Stable — Doesn’t Change
The answer to a good security question doesn’t change over time. Questions like these fail that test:
- Where did you vacation last year?
- Where do you want to retire?
- … work or personal address, employer, nearest relative, phone number, etc.
- Favorite anything
One of my biggest complaints is “favorites.” Any question that asks for a favorite is a bad question. The list of favorites is endless and worthless because things change.
3. Memorable — Easy to Remember
A security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without looking up a reference or having to write down the answer.
- What is your driver’s license number? (I haven’t memorized mine, have you?)
- Car registration number (this may be easy for others to find on the web anyway)
- What was the name of your first pet?
- What was your first car, favorite elementary school teacher, first kiss, etc.
But don’t use questions that go back to childhood, or for that matter last year for someone like me.
4. Simple and Definitive
The question should be asked so that the answer is 1) definitive, 2) simple and precise, 3) consistently given in the same way, and 4) NOT case sensitive.
Definitive
The question should require a specific answer.
- What was your first car?
Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too – but, honestly, I couldn’t remember what my first car was – had to ask my wife).
- What was the make and model of your first car? (Some will not understand “make” and this could be on social media or blogs)
A very commonly used question is: What is the name of your pet? Which pet? Dog, cat, fish, rat, snake… hmm, do people name their snakes?
Simple and Precise Format
The format of the answer should be clear. Don’t ask “When was your anniversary?” The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month and year did you meet your spouse (e.g., January 1999)?” (Not a good question because there are too few possible answers.) Providing a format example in the question tells the user how to answer.
- What month were you born?
Answers could vary (January, Jan, 01) and users may not remember when they have to answer.
- What time of the day was your first child born? (hh:mm)
(include an example of the format in the question)
Not Case Sensitive
Don’t validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I’ve sat and wondered if I capitalized the name of my elementary school.
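To make the last two points concrete (an answer format that tolerates the variants users actually type, and a comparison that ignores case), here is an added Python example that is not part of the original article. It canonicalizes an answer before hashing it, so “January 1999”, “jan 1999” and “01/1999” verify against the same stored record, and it stores the answer salted and hashed with PBKDF2 rather than in clear text, because the answer to a security question is a secret and deserves the same handling as a password. The month table, the record layout and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Spellings a user is likely to type for a month; all map to the month
# number without a leading zero. Constructed for this example.
_MONTHS = {
    "jan": "1", "january": "1", "feb": "2", "february": "2",
    "mar": "3", "march": "3", "apr": "4", "april": "4", "may": "5",
    "jun": "6", "june": "6", "jul": "7", "july": "7",
    "aug": "8", "august": "8", "sep": "9", "sept": "9", "september": "9",
    "oct": "10", "october": "10", "nov": "11", "november": "11",
    "dec": "12", "december": "12",
}

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def canonicalize(answer: str) -> str:
    """Reduce a free-text answer to a form that ignores case, accents,
    punctuation and extra spacing, spells months as numbers and drops
    leading zeros from numbers.

    "Lincoln Elementary School" and "LINCOLN  elementary-school" become
    "lincoln elementary school"; "January 1999", "jan 1999" and "01/1999"
    all become "1 1999".
    """
    # Decompose accented letters and drop the combining marks: "Müller" -> "Muller".
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # casefold() is the Unicode-aware version of lower().
    text = text.casefold()
    # Keep only runs of word characters; "/" and "-" become token breaks.
    tokens = re.findall(r"\w+", text)
    normalized = []
    for tok in tokens:
        if tok.isdigit():
            tok = tok.lstrip("0") or "0"   # "01" -> "1", "00" -> "0"
        normalized.append(_MONTHS.get(tok, tok))
    return " ".join(normalized)


def store_answer(answer: str) -> dict:
    """Salt and hash the canonical answer; never keep the clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}


def verify_answer(stored: dict, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(attempt).encode("utf-8"), stored["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, stored["hash"])


if __name__ == "__main__":
    record = store_answer("Lincoln Elementary School")
    print(verify_answer(record, "lincoln elementary-school"))  # True
    print(verify_answer(record, "Lincoln Middle School"))      # False
```

Canonicalizing before hashing is what makes case-insensitive matching possible at all once the answer is stored only as a hash: the server cannot lower-case a digest, so every normalization has to happen on the input side, identically at enrollment and at verification.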
With these guidelines, here’s how to make a bad question better.
- What is your brother’s birthday?
Better (but still not great, because there are not enough possible answers):
- What is your oldest sibling’s birthday month and year? (e.g., January 1900)
5. Many — Many Possible Answers
A good question will have many possible answers; the more possible answers, the better the security. It’s not just a matter of stopping a person from guessing, but also of stopping automated attempts. Hundreds of thousands or even millions of options would be better than a few hundred or a few thousand. But not many questions will have millions of possible answers, which leads us back to… are there any “good” security questions?
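As an added illustration that is not from the original article, the following Python code shows why throttling is the other half of this criterion when the answer space is small: a per-account tracker imposes doubling delays after each wrong answer and a lockout after a fixed number of failures, and a helper estimates how long exhausting an answer space would take under that policy. The parameters (5 attempts, one-second base delay, one-hour lockout) and the in-memory store are assumptions for the example.

```python
import math
from dataclasses import dataclass, field


@dataclass
class AnswerThrottle:
    """Per-account throttle for security-question attempts.

    Constructed example: the failure record is kept in a plain dict, so a
    real deployment would put it in a shared store. It is keyed per
    account rather than per client address, because the account is what
    is being protected.
    """
    max_attempts: int = 5              # failures before the flow locks
    base_delay: float = 1.0            # seconds; doubles with each failure
    lockout_seconds: float = 3600.0    # how long the lock lasts
    # account -> (consecutive failures, earliest time another attempt is allowed)
    failures: dict = field(default_factory=dict)

    def can_attempt(self, account: str, now: float) -> bool:
        """True if the account is not currently delayed or locked."""
        _, not_before = self.failures.get(account, (0, 0.0))
        return now >= not_before

    def record_failure(self, account: str, now: float) -> float:
        """Register a wrong answer; returns the wait in seconds imposed."""
        count, _ = self.failures.get(account, (0, 0.0))
        count += 1
        if count >= self.max_attempts:
            wait = self.lockout_seconds
            count = 0      # after the lockout the backoff cycle starts over
        else:
            wait = self.base_delay * 2 ** (count - 1)   # 1, 2, 4, 8, ...
        self.failures[account] = (count, now + wait)
        return wait

    def record_success(self, account: str) -> None:
        """A correct answer clears the account's failure history."""
        self.failures.pop(account, None)

    def seconds_to_exhaust(self, possible_answers: int) -> float:
        """Time needed to try every possible answer under this policy if
        the guesser always waits exactly as long as required: each block
        of max_attempts guesses costs the backoff delays plus one lockout."""
        delays = sum(self.base_delay * 2 ** i for i in range(self.max_attempts - 1))
        cycle = delays + self.lockout_seconds
        return math.ceil(possible_answers / self.max_attempts) * cycle


def answer_space_bits(possible_answers: int) -> float:
    """Entropy of a uniformly chosen answer, in bits. A month-and-year
    question covering a century has 1200 answers, about 10.2 bits; a
    password-strength secret would have 40 or more."""
    return math.log2(possible_answers)


if __name__ == "__main__":
    throttle = AnswerThrottle()
    # 1200 month-and-year answers: about ten days to exhaust with this policy,
    # versus a fraction of a second with no throttle at all.
    print(throttle.seconds_to_exhaust(1200) / 86400, "days")
    print(answer_space_bits(1200), "bits")
```

The estimate is deliberately modest: it assumes a single account and a guesser that behaves. It still shows the trade-off the paragraph describes, since a question with a thousand answers cannot be rescued by throttling alone, while a throttle is what keeps a question with a million answers out of reach of a script.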
User Written Questions
Some site registration forms let the user write the question and then supply the answer, like this example.
After looking through this website, it should be clear that there are few if any good security questions and that they are not simple to create. Permitting the user to create a question may increase user frustration and the potential for a security breach. If IT professionals have difficulty writing good questions, how can we expect users to create a good question within moments?
My recommendation: don’t let users write their own questions. You’re the expert, that’s what you’re paid for.
Not For Everyone
No one question works for all people.
People need enough questions to select those that will work for them. Therefore, it is best to offer 2-3 sets of questions (more if site data is more sensitive) with a variety of questions. I recommend offering THE SAME 15-20 questions in each of three sets as seen below. As the user selects a question in the first set, eliminate that question from the second and third sets; do the same for the question selected in the second set. Previously selected questions must always be removed from the subsequent sets. Here’s a sample design of the user form to set up questions.
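One way to implement the elimination rule just described, as an added Python example that is not the article's own form: the same master list is offered in every set, each set hides the questions already chosen, and the completed enrollment is validated server-side so that the three selections are distinct questions from the master list with non-blank answers. The question list is a constructed placeholder (three entries are taken from this article, the rest are numbered stand-ins), and the validation messages are this example's own.

```python
from typing import Sequence

# Master list offered in every set. Three entries are the article's own
# examples; the rest are numbered stand-ins for a real list of 15-20.
QUESTIONS = [
    "What is your oldest sibling’s birthday month and year? (e.g., January 1900)",
    "What month and year did you meet your spouse (e.g., January 1999)?",
    "What time of the day was your first child born? (hh:mm)",
    "Question 4 (placeholder)",
    "Question 5 (placeholder)",
]

SETS_REQUIRED = 3


def available_questions(all_questions: Sequence[str], chosen_so_far: Sequence[str]) -> list:
    """Questions to offer in the next set: the full master list minus
    whatever the user already picked in earlier sets. Call it once per
    set as the user works through the form."""
    taken = set(chosen_so_far)
    return [q for q in all_questions if q not in taken]


def validate_enrollment(all_questions, selections, sets_required=SETS_REQUIRED):
    """Server-side check of a submitted enrollment.

    selections is a list of (question, answer) pairs, one per set. The
    client may have hidden already-chosen questions, but the server must
    not trust that, so the same rules are applied again here. Returns a
    list of error messages; an empty list means the enrollment is valid.
    """
    errors = []
    if len(selections) != sets_required:
        errors.append(f"expected {sets_required} questions, got {len(selections)}")
    known = set(all_questions)
    seen = set()
    for index, (question, answer) in enumerate(selections, start=1):
        if question not in known:
            errors.append(f"set {index}: question is not on the offered list")
        if question in seen:
            errors.append(f"set {index}: question was already used in an earlier set")
        seen.add(question)
        if not answer.strip():
            errors.append(f"set {index}: answer is blank")
    return errors


if __name__ == "__main__":
    # Walk through the three sets the way the form would.
    first = QUESTIONS[0]
    second = available_questions(QUESTIONS, [first])[0]
    third = available_questions(QUESTIONS, [first, second])[0]
    print(validate_enrollment(QUESTIONS, [(first, "January 1999"),
                                          (second, "03:15"),
                                          (third, "Maverick")]))   # []
```

Hiding the chosen question in the browser is a convenience; the `validate_enrollment` check is what actually enforces the rule, since a modified request can submit the same question three times.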