First published: 31st May 2008
Allan Dyer
A recent article and a website advocate improving the quality of "security questions" for web-based customer self-service password resets, but are any questions really suitable for global, inter-cultural use? Personally, any information about me that is memorable and I would be willing to tell to a website is probably not a secret, and if it is not memorable, I won't remember it either, making it useless as a "security question".
Below I list some of the questions that goodsecurityquestions.com claims are "good", with thoughts on their limitations. Of course, a developer can provide a choice of "good" questions for users to choose from at registration, but the number of choices suitable for particular users may be very restricted once cultural, social or other factors are considered:
- What was your childhood nickname? Might be researchable from a friend's social networking page, and the user may not realise that.
- What street did you live on in third grade? Culturally specific to North America... how old is a child in "third grade"?
- What is the middle name of your youngest child? Limited to users with children with an odd number of names. The answer may change over time, when a new child arrives. Cultural perception may change the name order: am I Allan George Dyer, or DYER Allan George, and which was my mother thinking of when she registered?
- What was your childhood phone number including area code? (e.g., 000-000-0000) Don't try validating the number format; the example format is North American specific. I have no idea what the area code was for my home town when I was young, but I am fairly sure it is not the same now.
- What was the name of your first stuffed animal? Guess "Ted" or "Teddy" first. How large is the vocabulary of a 2-year-old?
- What are the last 5 digits of your driver's license number? Which driver's license? My Hong Kong license number is the same as my Hong Kong ID card number, which is information I refuse to use for authentication. I cannot remember my UK driver license number, but I think it includes letters as well as digits.
- What was the name of your elementary / primary school? Easily researched from social networking sites.
So even "good" questions may be limited in their applicability. Developers should weigh the risks that security questions introduce for their particular application and user base.
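As an added illustration of the point about answer formats (example code written for this page, not from the original article or from goodsecurityquestions.com), the snippet below contrasts the kind of North American-only format check the article warns against with a format-agnostic approach: normalise the answer so that spacing, punctuation and case differences the user will not remember do not matter, then store and compare only a salted slow hash of the normalised form. The function names, salt size, iteration count and the sample Hong Kong and UK numbers are my own assumptions, chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Tuple

# Constructed sample pattern: the "000-000-0000" format the article quotes.
# A check like this rejects every non-NANP number, which is the problem.
NANP_FORMAT = re.compile(r"^\d{3}-\d{3}-\d{4}$")


def nanp_only_accepts(answer: str) -> bool:
    """The kind of region-specific format validation to avoid: it accepts
    "000-000-0000" but rejects an 8-digit Hong Kong number or an 11-digit
    UK number typed the way its owner would naturally write it."""
    return bool(NANP_FORMAT.match(answer))


def normalise_answer(answer: str) -> str:
    """Reduce an answer to a form that tolerates the variation a user will
    not reliably reproduce: Unicode compatibility normalisation, case, and
    any spacing or punctuation. "000-000-0000", "000 000 0000" and
    "(000) 000 0000" all become "0000000000" without assuming any country's
    number format. Note this does NOT resolve name-order ambiguity such as
    "Allan George Dyer" versus "DYER Allan George"; that remains a reason
    to avoid name-based questions for international users."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


# Hypothetical KDF parameters (assumption): a per-answer random salt and a
# PBKDF2 iteration count high enough to slow offline guessing if the store leaks.
_ITERATIONS = 200_000


def enrol_answer(answer: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store instead of the plaintext answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(answer).encode("utf-8"), salt, _ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate's normalised hash."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalise_answer(candidate).encode("utf-8"), salt, _ITERATIONS
    )
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed sample answers, not real numbers.
    for sample in ("000-000-0000", "2345 6789", "01234 567890"):
        print(f"{sample!r}: NANP-only check accepts = {nanp_only_accepts(sample)}")
    salt, digest = enrol_answer("(000) 000-0000")
    print("formatting-insensitive match:", verify_answer("000 000 0000", salt, digest))
    print("wrong answer rejected:", not verify_answer("000-000-0001", salt, digest))
```

Normalisation widens what is accepted, so it slightly reduces the answer space; that trade-off is acceptable because the alternative, a strict format, either locks out users outside the region or forces them to remember an arbitrary formatting detail, and a lockout path that fails is exactly what drives users to pick weaker questions.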