Are Security Questions Safe? (2024)

What do your mom's maiden name, first pet, and the year you met your significant other have in common?

The last time you had to recall one of these personal details, it was probably in the context of a security question.

Usually, a security question is asked as a secondary measure to verify your identity when attempting to gain access to a private account. Its purpose is to add an extra layer of security, assuming that an unauthorized user will not answer correctly and be denied entry.

You may be asked a security question over the phone or after logging into an account online. Security questions are simple to set up and convenient to answer, which is probably why they are still commonly used by businesses despite the consensus among cybersecurity experts that they are not secure.

Whether creating or answering security questions, you can mitigate their risks by understanding their most common vulnerabilities and best practices.

What are security questions?

Security questions are a form of authentication. A person on the phone or a prompt on your screen administers the questions to verify your identity. The utility of security questions hinges on the assumption that you are the only person who will be able to answer the question correctly.

User-defined security questions

User-defined questions are like a questionnaire. You, as a user, participate in setting them up for your account. You can choose which questions you want to answer, usually from a list, and write the answers yourself.

These security questions can be open-ended and usually focus on personal information about your family or past.

System-defined security questions

System-defined security questions are more like a pop quiz. The asker chooses the question and already knows the correct answer.

Your bank might use system-defined questions when you call to speak to a representative about your account. Because your bank has a wealth of your personal and financial information readily available, system-defined questions are easy to facilitate.

For example, “what was your last purchase?” or “who else is authorized to withdraw money from your account?” make strong security questions: they are easy for you to answer and hard for a stranger to guess. The caveat is that the answers are only as secret as your statements, so they do little against someone who already has access to your mail, your online banking, or a shared household account.

The focus of this article is on the more common user-defined security questions, their vulnerabilities, and how to improve their security.

Why security questions are not secure

If you have ever heard of the “password problem,” the security vulnerabilities of security questions will be familiar to you. In short, the problem is a combination of poor user hygiene and secrets that are easy to guess or look up.

Users tend to choose passwords that are easy to remember, which also tend to be easy to guess. Security answers, too, are likely to be chosen in a rush, with memorability as the only criterion.

In sum, like passwords, security questions place too much onus on users to protect their privacy. In many ways, security questions are even more vulnerable than passwords. Here's why.

Businesses choose the same security questions

Because the same personal question has the same answer everywhere it is asked, reusing questions across websites means that if your answer is exposed, for example in a data breach, it unlocks more than one website or account at once.

Security questions' answers are too easy to hack

As you may already suspect, the premise that you alone can answer the security question correctly is flawed. For a motivated intruder or cybercriminal, finding the answer that unlocks your account can be a piece of cake.

Security questions' answers can be discovered by:

  • Conventional hacking techniques. Like any other personal data, your security answers can be obtained through social engineering such as phishing, or taken from a breached database in which they were stored in the clear.

  • Guessing. Playing the odds or using context clues can make the answers easy to guess, especially when they draw from a limited pool of possible responses.

  • Sleuthing. If your answers draw from public information, cybercriminals can sniff them out with some stalking.

  • Family. Loved ones, frenemies, or exes may already know your answers because they know your life story.

A security question is like a password prompt with many clues baked in — giving too much information away to a prospective hacker. The question will likely reveal the format (alpha or numeric) and may even point to a narrow range of answers.
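To make the “limited pool” point concrete, here is an added example (not code from the original article) that computes an attacker's odds against a few answer distributions under a fixed guess budget. The two distributions are constructed for illustration, not measured data, and the five-guess lockout budget is an assumption. For comparison it also shows what a randomly generated answer, the approach the article recommends later for users, buys against the same attacker.

```python
"""Guessing odds for security-question answers.

Added example, not code from the original article. The two answer
distributions are CONSTRUCTED to illustrate a skewed answer pool; they are
not measured data.
"""
import math
import secrets
import string

# Share of users giving each answer (constructed). "other" is the long tail
# that an attacker cannot cover with a handful of guesses.
FAVORITE_COLOR = {
    "blue": 0.35, "green": 0.15, "red": 0.12, "purple": 0.10,
    "black": 0.08, "pink": 0.06, "yellow": 0.05, "orange": 0.04,
    "other": 0.05,
}
FIRST_PET = {
    "max": 0.04, "bella": 0.035, "charlie": 0.03, "lucy": 0.03,
    "buddy": 0.025, "daisy": 0.02, "other": 0.82,
}

ALPHABET = string.ascii_letters + string.digits


def guessable(dist):
    """Most-likely-first list of (answer, probability), excluding the tail."""
    items = [(a, p) for a, p in dist.items() if a != "other"]
    return sorted(items, key=lambda ap: ap[1], reverse=True)


def success_within(dist, guesses):
    """Chance that an attacker who tries the `guesses` most common answers
    in order (for example, before an online lockout) hits the right one."""
    return sum(p for _, p in guessable(dist)[:guesses])


def min_entropy_bits(dist):
    """-log2(p_max): strength of the question against one best guess.
    A random secret of this many bits would be exactly as hard to hit."""
    return -math.log2(guessable(dist)[0][1])


def random_answer(length=20):
    """A randomly generated answer, drawn with the `secrets` module, of the
    kind you would keep in a password manager rather than memorize."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_success_within(length, guesses):
    """Same attacker budget against a random alphanumeric answer."""
    return guesses / (len(ALPHABET) ** length)


def report(lockout=5):
    """Compare the three answer sources under a `lockout`-guess budget."""
    rows = {
        "favorite color": success_within(FAVORITE_COLOR, lockout),
        "first pet": success_within(FIRST_PET, lockout),
        "random 20 chars": random_success_within(20, lockout),
    }
    for name, p in rows.items():
        print(f"{name:16s} attacker success with {lockout} guesses: {p:.2e}")
    return rows


if __name__ == "__main__":
    report()
```

With the constructed numbers, five guesses at “favorite color” succeed about 80% of the time and five guesses at a pet's name about 16%, while five guesses at a random 20-character answer are hopeless. The min-entropy figure is the honest way to compare a question to a password: a question whose most popular answer covers 35% of users is worth about 1.5 bits.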

Some security questions are better than others

As mentioned above, security questions fail to meet an adequate standard of security. Nonetheless, some questions are better than others, and using better questions can mitigate the risks of this authentication method.

What makes a security question more or less secure is the set of answers it elicits from users. Strong answers follow roughly the same guidance as strong passwords: they should be unique and hard to guess.

Examples of poor security questions

A poor security question is either too difficult for the user to answer correctly or too easy for a criminal to guess.

What is your mother’s maiden name?

Too common.

Like passwords, it's a bad idea to use the same questions and answers across sites. If your question and response are breached, they can be used to unlock multiple accounts.

When is your birthday?

Not private.

Crooks can find this information with some digging on social media or through record sites.

When is your wedding anniversary?

Not universally applicable.

Questions should be as broadly applicable as possible so everyone can use the question for security purposes.

What is your favorite ice cream flavor?

Not consistent.

Questions of taste can change over time, leaving users struggling to recall their answers.

What is your favorite color?

Too predictable.

To be sure, there are a great many color names. However, users are far more likely to choose “blue” or one of the seven rainbow colors than “coquelicot,” so an attacker's first few guesses cover most accounts.

Examples of better security questions

A good question has all the characteristics lacking in a poor security question. A good security question is easy for you to answer but difficult for a cybercriminal.

What is the name of your favorite work manager?

Unique.

A good question should be original, not the stock-standard question that every other site also asks.

Who is your favorite movie villain?

Private or otherwise undiscoverable.

It's unlikely that a user will document or publish this information.

What is your maternal grandmother’s maiden name?

Applicable.

Universal applicability is a challenge and is best hedged by offering multiple question options. Still, each question should apply to as many people as possible. (Like any maiden name, this one can appear in public genealogy records, so it is applicable rather than secret.)

What street did you live on in your first year of high school?

Constant.

Questions about the user's history are static; the answer will not have changed between enrollment and recovery.

What was the name of your favorite stuffed toy from childhood?

Unpredictable.

Questions should have as many different plausible responses as possible, so that no small set of guesses covers most users.

A good security question is a balancing act. Questions that encourage more secure, more unique, and more variable answers can risk being difficult for users to remember. Ideally, in addition to the guidance above, the questions should prompt memorable and straightforward answers.

Best practices for safe(r) security questions

You can make the most of security questions by implementing these best practices.

For creating questions (for businesses)

Security questions aren't a bad idea in the context of a secondary safeguard, but they should not be the only gate on account recovery: a password reset flow protected by a guessable answer is only as strong as the answer. (NIST SP 800-63B tells verifiers not to prompt users for this kind of personal detail, such as a first pet's name, as a secret.) In the long run, businesses should transition to a more secure second authentication factor, but in the meantime, security questions are better than nothing.

Top tip: Help users practice good security question hygiene

Your security questions protocol should make it as easy as possible for users to practice secure behavior. Use the following measures to set your users up for success.

  • Use multiple questions and let users choose their own.
  • Create “better” questions that reflect the characteristics outlined above.
  • Reject common or bogus answers such as “123456,” and normalize answers (case, surrounding whitespace) so users are not locked out by trivial differences.
  • Rate-limit answer attempts and lock the recovery flow after a handful of failures; a question with a small answer pool is only as strong as the number of guesses you allow.
  • Prompt users to renew their questions and answers regularly.

Finally, security answers are secrets and should be stored the way passwords are: normalized, salted, and run through a slow hash such as PBKDF2, bcrypt or Argon2, never in reversible form, so that a database breach does not hand over answers that unlock accounts elsewhere. As part of a more holistic cybersecurity program, other sensitive user data should be encrypted at rest to reduce the impact of a breach.
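The server-side half of this advice, as an added example that is not the article's or any vendor's code: answers are normalized, checked against a deny list, stored only as salted PBKDF2 hashes, compared in constant time, and the account is locked after a fixed number of wrong answers. The deny list, the five-attempt limit, the iteration count and the in-memory record are illustrative choices; a real deployment would persist the record and apply the same limits per IP and per account.

```python
"""Server-side handling of user-defined security answers.

Added example, not the article's or any vendor's code. Standard library only.
The deny list, attempt limit and iteration count are illustrative choices.
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed deny list; a real one would be built from breach corpora.
COMMON_ANSWERS = {"123456", "password", "blue", "pizza", "none", "n/a", "asdf"}
MAX_ATTEMPTS = 5          # online guesses allowed before recovery is locked
PBKDF2_ROUNDS = 600_000   # slow hash, same cost class as a password hash


def normalize(answer: str) -> str:
    """Canonicalize so 'Mr. Fluffy' and ' mr.  fluffy ' match.

    Only case and whitespace are folded; anything more aggressive (dropping
    punctuation, accents) shrinks the answer space further than it helps.
    """
    s = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", s).strip()


def is_acceptable(answer: str) -> bool:
    """Reject answers that are too short or on the deny list."""
    n = normalize(answer)
    return len(n) >= 3 and n not in COMMON_ANSWERS


def enroll(answer: str) -> dict:
    """Store only a per-record salt and a slow hash, never the answer."""
    if not is_acceptable(answer):
        raise ValueError("answer too short or too common")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest, "failed": 0, "locked": False}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison plus a per-record failure counter.

    Once locked, the record refuses even the correct answer; unlocking is a
    separate, stronger recovery path and is out of scope here.
    """
    if record["locked"]:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_ATTEMPTS:
        record["locked"] = True
    return False


if __name__ == "__main__":
    rec = enroll("Mr. Fluffy")
    print(verify(rec, " mr.  fluffy "))   # normalization makes this match
    print(verify(rec, "blue"))            # wrong; failure counter now 1
```

Two details matter more than they look. The comparison uses `hmac.compare_digest` so that response time does not leak how many leading bytes of the hash matched, and the lockout is stored with the record so that an attacker cannot reset it by starting a new session. When several questions are asked, reject the whole set on any mismatch rather than reporting which one failed.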

For answering security questions (for users)

Knowing what you now know, you may choose an alternative second authentication factor when you have the choice. However, when you don't, you can practice better security question hygiene by choosing safer questions that result in harder-to-guess answers.

Top tip: Use false information

Since security answers have similar vulnerabilities to passwords, they can be secured in a similar manner.

Treat your security answers like passwords: make each one unique and, where the field allows it, a random string of letters, digits and symbols at least twenty characters long. If the answer format is restricted (a date field, say), provide a deliberately wrong answer that nobody could derive from your life.

While it's a significant security step, this method carries a usability risk: a false answer is as easy to forget as any other password.

To prevent this, you can save your question’s answer in your password manager.

Safer alternatives to security questions

Technologists continue to develop new and more reliable ways of verifying individuals' identities, designed to streamline authentication and thwart cyberattacks. Depending on how you categorize the many types of authentication, you can come up with up to eight different types or “factors.”

For now, let's stick to the basics. The most elemental way of categorizing authentication factors is as follows:

  • something you know
  • something you are
  • something you have

Passwords and security questions fall into the “something you know” category. Here are some of the popular alternatives to this authentication type.

Biometric authentication

Biometric authentication uses your unique physical characteristics to identify you; it is “something you are.” Fingerprint and facial recognition are the most common biometric identifiers.

The benefit of using biometric authentication is that it is unique to you, hard to steal, and is always with you. However, you should be aware of the risks associated with tying your immutable physical characteristics with access to your accounts.

Passwordless authentication

Passwordless authentication has been the subject of much discussion recently, thanks to efforts by the FIDO (Fast Identity Online) Alliance, a global coalition of which NordPass is a member. The organization works on reducing the world's reliance on passwords.

Passwordless authentication is a broad category of authentication defined by what it isn't. Recognizing the vulnerabilities in “something you know” authentication types, like passwords and security questions, passwordless authentication relies on a combination of other factors, focusing on ease of use.

A standard passwordless authentication method uses “something you have,” such as a hardware security key; YubiKey is one example.

Multi-factor authentication

With the understanding that no single authentication type is bulletproof, multi-factor authentication uses multiple factors to verify your identity. Using multiple factors at once is like taking the Swiss cheese approach to cybersecurity. Though each authentication method may be imperfect, they become much more robust when used together.

Multi-factor authentication is a cybersecurity best practice and continues to top the list of cybersecurity recommendations for general guidance and regulatory compliance.

Notably, the strength of this method relies on its diversity. When two methods from the same category are stacked, such as a password plus a security question, the result is not multi-factor authentication at all: both are “something you know,” and an attacker who phishes the user collects both at once. At most this is two-step verification using a single factor.

To create multi-factor authentication, add “something you have” or “something you are” to password or security question authentication.

Bottom line

Security questions are susceptible to fraud, making them an imperfect authentication factor. However, because they are easy to implement and businesses are facing mounting pressure to increase cybersecurity, chances are that security questions aren't going anywhere any time soon. And, to be clear, adding them as a second factor is better than nothing.

For users, you can mitigate the most common vulnerabilities of security questions by treating them like passwords and storing the (false) answers in your password manager.

Likewise, businesses that still need to move toward more secure authentication methods can encourage safe behavior from their users by following best practices and performing data security due diligence.
