What makes a good security question? You can design your own good security questions with these five criteria.
The answer to a good security question has the following characteristics:
- Safe: cannot be guessed or researched
- Stable: does not change over time
- Memorable: can remember
- Simple: is precise, easy, consistent
- Many: has many possible answers
Once you review these criteria, it becomes quickly evident that there are few if any “good” security questions. If you must use security questions to reset passwords, use the following criteria to assess the quality of a question.
1. Safe — Can’t Guess or Research
The most important characteristic of a good security question is security – it does not compromise the very thing it is trying to protect. A good security question:
- cannot be easily guessed whether or not the attacker knows the user (family member, close friend, relative, ex-spouse, or significant other)
- cannot be easily researched – Facebook, G+, other social media, blogs, or research sites
2. Stable — Doesn’t Change
The answer to a good security question doesn’t change over time.
- Where did you vacation last year?
- Where do you want to retire?
- … work or personal address, employer, nearest relative, phone number, etc.
- What is your favorite… anything
One of the most common and worst type of question is “what is your favorite….” Current favorites can change. But historical favorites may be acceptable, because they can’t change. For example, “what was your favorite sport in high school?” As long as the person is no longer in high school, that shouldn’t change.
A security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without looking up a reference or having to write down the answer.
- What is your driver’s license number? (I haven’t memorized mine, have you?)
- Car registration number (this may be easy for others to find on the web anyway)
- What was your first car, favorite elementary school teacher, first kiss, etc.
Childhood questions can be difficult for older people. Try to use questions that are more prominent or memorable.
4. Simple and Definitive
The question should be asked so the answer is 1) definitive, 2) simple and precise, 3) will consistently be answered in the same way, and 4) is NOT case sensitive.
The question should require a specific answer.
- What was your first car?
Hmm, which is it: Ford, Maverick, Ford Maverick, 1971 Ford Maverick, 71 Ford, etc. (ok, that dates me and probably leaves a mark on my judgment too – but, honestly, I couldn’t remember what my first car was – had to ask my wife).
- What was the make and model of your first car? (Some may not understand “make” and this could be on social media or blogs)
A very commonly used question is: What is the name of your pet? Which pet? dog, cat, fish, rat, snake…. hmm, do people name their snakes?
Simple and Precise Format
The format of the answer should be clear. Don’t ask “When was your anniversary?” The answer could be 1990, Aug 1990, August 1, 1990, etc. Instead ask, “What month and year did you meet your spouse (e.g., January 1999)?” (Not a good question, because there are too few possible answers). It may be helpful to providing a format example with the question to indicate how the user should answer.
- What month were you born?
Answers could vary (January, Jan, 01) and users may not remember when they have to answer.
- What time of the day was your first child born? (hh:mm)
(this is not a great question because most people won’t know that detail)
Not Case Sensitive
Don’t validate case on the text field. The worst thing is to come up with a great question and then validate case sensitivity. I’ve sat and wondered if I capitalized the name of my elementary school.
With these guidelines, here’s how to make a bad question better.
- What is your brother’s birthday?
Better example (but not great because not enough possible answers):
- What is your oldest sibling’s birthday month and year? (e.g., January 1900)
A good question will have many possible answers; the more possible answers, the better the security. It’s not just a matter of someone guessing, but also trying to stop the automated attempts. Hundreds of thousands or more options are better than a few hundred.
- To what country did you travel as a child?
(There are only a few answers for most people)
- What is the first name of your best friend in high school?
User Written Questions
Some site registration forms let the user write the question and then supply the answer, like this example.
After looking through this website, it should be clear that there are few if any good security questions and they are not simple to create. Permitting the user to create a good question may increase user frustration and potential for security breach. If IT professionals have difficulty writing good questions, how can we expect users to create a good question within moments.
My recommendation: don’t let users write their own questions. You’re the expert, that’s what you’re paid for.
Not For Everyone
No one question works for all people.
People need enough questions to select those that will work for them. Therefore, it is best to offer 2-3 sets of questions (more if site data is more sensitive) with a variety of questions. I recommend offering THE SAME 15-20 questions in each of three sets as seen below. As the user selects a question in the first set, eliminate that question in the second and third sets. The same action occurs for the second set. You need to eliminate previously selected questions from the subsequent question sets. Here’s a sample design of the user form to set up questions.