Security questions: helpful self-service feature, user problems or security risk?

Question: What was your favorite teacher’s youngest child’s first pet’s name?
Answer 1: StupidQuestion TeacherPet Booyah
Answer 2: Green polka dots
See why below.

As part of account creation, many sites require you to answer secret questions. This isn’t only for security. It provides a self-service way for you to reset your password, which is easier for the company, and maybe for you, too. (Remember when you used to call customer care for things like this?) But security questions can be hard to design and use.

Problems with security questions

A system must present users with enough questions so they can pick a couple to answer and remember. Here are some questions and categories that can cause problems:

  • “Where was your first kiss?”  I’ve seen this make some people laugh, but embarrass others.
  • “What’s your favorite …?” Preferences change often, so answers are hard to remember.
  • “What was your phone number growing up?”  Let users know whether hyphens, parentheses and spaces count.
  • “What’s your youngest child’s first name?”  If you have another child (or have none), this won’t work.
  • Marriage dates, location or attendants.  Not everyone is married.
  • Pet names or types.  Some people don’t have pets.

Here are some real examples: the first is from Yahoo.com, the second from BarnesAndNoble.com. How many questions could you answer now and remember later? How many just leave you scratching your head? [Images aren’t uploading. Working on it. Sorry…]

Some of the secret questions at Yahoo.com

Some of the secret questions used at BarnesAndNoble.com

And there’s the question of whether security questions are useful at all. GoodSecurityQuestions.com points out that

The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.

People who know you may know enough to answer your questions; people who don’t know you may be able to find out the answers (how many people on Facebook and LinkedIn know what schools you went to?).

I just came across an interesting example at the Minor League Baseball sites. When I indicated that I’d forgotten my password, I got this screen. Oddly, I had to pick which security question I’d answered and then answer it. As if I could remember that! [Added 25 Sep 2012]

At the Minor League Baseball site, you first have to remember which question you answered and then remember the answer.

Solutions for users answering questions

One of the most interesting ideas I came across is to answer a completely different question. You might use “green polka dots” when the question is “What street did you grow up on?” That’s harder for someone to guess, but also harder for you to remember unless you use it everywhere (which isn’t secure, since one leaked answer then opens every account).

Danah Boyd, writing on Apophenia, suggests combining a “snarky bad attitude phrase” with a clue from the actual question, plus a unique word. For example, she writes “when I’m asked the following question: What is your favorite sports team? My answer would be: StupidQuestion SportsTeam Booyah”.

Solutions for designers picking questions to include

Here are some tips for selecting questions for your application:

  1. It’s OK to have some questions that don’t apply to everyone, but have enough choices so everyone can comfortably use a few.
  2. Questions shouldn’t be so obscure that people have to write their answers down.
  3. Answers shouldn’t be too easy for someone to figure out: not a matter of public record, not something a friend or a social-network profile gives away, and not drawn from a short list that can simply be tried one by one.
  4. Answers should be unique — for a given person there should be just one correct answer.
  5. Answers should be stable over time, unlike favorite things.
  6. Have reminders about punctuation and case, both for initial and subsequent entries.
  7. Consider allowing people to specify their own questions in case none of the provided ones work.
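Here is an added example of how the server side of tips 3, 4 and 6 can be implemented. It is illustrative code written for this page, not code from the original post or from any of the sites it mentions. It normalises answers so that punctuation, spaces and case do not matter, refuses answers too short to be worth asking, and, going one step beyond the list above, treats the answer like a password: it is stored only as a salted slow hash, compared in constant time, and the question locks after a fixed number of wrong guesses. The policy values (minimum length, attempt cap, iteration count) and the shape of the stored record are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values for this example (not taken from the post).
MIN_ANSWER_CHARS = 4         # anything shorter is a handful of guesses away
MAX_FAILED_ATTEMPTS = 5      # lock the question after this many wrong answers
PBKDF2_ITERATIONS = 100_000  # deliberately slow, as for a password hash


def normalize_answer(answer: str) -> str:
    """Reduce an answer to its case-folded letters and digits.

    'St. Mary's Street', 'st marys street' and 'ST-MARYS-STREET' all become
    'stmarysstreet'; '(555) 123-4567' becomes '5551234567'. Running the same
    function at enrolment and at verification is what lets the site tell the
    user 'punctuation, spaces and case don't matter' and mean it.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def answer_too_weak(answer: str) -> bool:
    """Reject answers that leave almost nothing to guess once normalised."""
    return len(normalize_answer(answer)) < MIN_ANSWER_CHARS


def _hash_answer(normalized: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll_answer(answer: str) -> dict:
    """Build the record to store for a user's answer: salt, hash, failure count.

    The answer itself is never stored, so a leaked database does not hand out
    a password-reset token for every account.
    """
    if answer_too_weak(answer):
        raise ValueError(
            f"answer must contain at least {MIN_ANSWER_CHARS} letters or digits"
        )
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _hash_answer(normalize_answer(answer), salt),
        "failures": 0,
    }


def verify_answer(record: dict, attempt: str) -> bool:
    """Check an attempt against a stored record, counting and capping failures.

    Many answers are enumerable (car makes, colours, common street names), so
    an attacker allowed unlimited tries will eventually get in. The cap turns a
    dozen guesses into a locked question. Once locked this returns False even
    for the right answer, so the caller must offer another recovery path.
    """
    if record["failures"] >= MAX_FAILED_ATTEMPTS:
        return False
    candidate = _hash_answer(normalize_answer(attempt), record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    # Constructed sample: the post's own 'green polka dots' answer to an
    # unrelated question, entered later with different case and punctuation.
    stored = enroll_answer("Green polka dots")
    print(verify_answer(stored, "GREEN Polka-Dots!"))  # True
    print(verify_answer(stored, "blue polka dots"))    # False
```

The normalisation is deliberately aggressive (everything but letters and digits is dropped) because the usability gain from forgiving “St. Mary’s” versus “st marys” is large and the entropy lost is negligible next to the guessability of the answers themselves. Note that the lockout counter lives with the record; a real deployment would also need to log the lockout and decide how the user gets out of it.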

Usability testing helps

It may seem trivial to test security questions, but it does help. We got some good feedback in a recent project and changed the questions in our list. There’s nothing like showing your work to real users.


6 Responses to Security questions: helpful self-service feature, user problems or security risk?

  1. Ron Perkins says:

    Interesting, I’ve always wondered what to do about those questions!

  2. Ward says:

    Real-world question from a forgotten site: “What was your least favorite childhood nickname?”

    Dredging up painful memories, whether or not one answers the question, seems like a poor idea.

    • Paul says:

      Most security questions are a security risk more severe than weak passwords. In many cases, the answers are easily enumerable (e.g. the make of your first car). The best design would allow the user to decline use of security questions.

  3. Tim says:

    Forget things people who know you could sneer or find out. I’m always surprised at how many sites ask things which are a matter of public record, like mother’s maiden name or place of birth.

    • Hal Shubin says:

      Good point. Could it be that they don’t take it seriously? But large companies must have security officers these days.

      I didn’t look into how long ago secret questions started, and whether it goes back to a time when personal information wasn’t so readily available. That would be good to look into.
