Question: What was your favorite teacher’s youngest child’s first pet’s name?
Answer 1: StupidQuestion TeacherPet Booyah
Answer 2: Green polka dots
See why, below
As part of account creation, many sites require you to answer secret questions. This isn’t only for security. It provides a self-service way for you to reset your password, which is easier for the company, and maybe for you, too. (Remember when you used to call customer care for things like this?) But security questions can be hard to design and use.
Problems with security questions
A system must present users with enough questions so they can pick a couple to answer and remember. Here are some questions and categories that can cause problems:
- “Where was your first kiss?” I’ve seen this make some people laugh, but embarrass others.
- “What’s your favorite …?” Preferences change often, so answers are hard to remember.
- “What was your phone number growing up? Let users know if hyphens, parentheses and spaces count.
- “What’s your youngest child’s first name?” If you have another child (or have none), this won’t work.
- Marriage dates, location or attendants. Not everyone is married.
- Pet names or types. Some people don’t have pets.
Here are some real examples: the first is from Yahoo.com, the second from BarnesAndNoble.com. How many questions could you answer now and remember later? How many just leave you scratching your head? [Images aren't uploading. Working on it. Sorry...]
And there’s the question of whether security questions are useful at all. GoodSecurityQuestions.com points out that
The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
People who know you may know enough to answer your questions; people who don’t know you may be able to find out the answers (how many people on Facebook and LinkedIn know what schools you went to?).
I just came across an interesting example at the Minor League Baseball sites. When I indicated that I’d forgotten my password, I got this screen. Oddly, I had to pick which security question I’d answered and then answer it. As if I could remember that! [Added 25 Sep 2012]
Solutions for users answering questions
One of my most interesting ideas I came across is to answer a completely different question. You might use “green polka dots” when the question is “What street did you grow up on?” That’s harder for someone to guess, but harder for you to remember unless you use it everywhere (which isn’t secure).
Danah Boyd, writing on Apophenia, suggests combining a “snarky bad attitude phrase” with a clue from the actual question, plus a unique word. For example, she writes “when I’m asked the following question: What is your favorite sports team? My answer would be: StupidQuestion SportsTeam Booyah“.
Solutions for designers picking questions to include
Here are some tips for selecting questions for your application:
- It’s OK to have some questions that don’t apply to everyone, but have enough choices so everyone can comfortably use a few.
- Questions shouldn’t be so obscure that people have to write their answers down.
- Answers shouldn’t be too easy for someone to figure out.
- Answers should be unique — there should be just one.
- Answers should be stable over time, unlike favorite things.
- Have reminders about punctuation and case, both for initial and subsequent entries.
- Consider allowing people to specify their own questions in case none of the provided ones work.
Usability testing helps
It may seem trivial to test security questions, but it does help. We got some good feedback in a recent project and changed the questions in our list. There’s nothing like showing your work to real users.