Security Questions: Are They Really Secure and How Can You Improve Them?

Security questions are used to verify a person's identity, for example, when resetting a password or during important transactions. How do such security questions work, what are the pros and cons, how can you use them safely, and are there alternatives? We discuss this below.


What Are Security Questions?

A security question is one of the possible authentication factors you can use to verify someone's identity. In practice, authentication factors are usually divided into three categories:

  • Something you know, such as a password or a PIN code.

  • Something you have, for example, your smartphone or a security key.

  • Something you are, which refers to biometric attributes such as your fingerprint or iris.

A security question belongs to the first category, something the user knows. It works a bit differently from a password or PIN, which is either generated randomly or chosen by the user and can be hard to remember. A security question is a personal question whose answer the individual should always remember, such as your mother's maiden name or the name of your first pet. You generally do not forget those.

Security questions are often used as a last resort when someone has forgotten their primary password and other authentication methods are unavailable. Such a verification question is also sometimes used as an additional verification factor for sensitive actions, such as a financial transaction or a conversation with a physician. Before a conversation or transaction, you must first answer a security question.

Why Are Security Questions Vulnerable?

Every knowledge factor is vulnerable: it can be guessed, phished, or leaked. This applies to passwords and PINs, and security questions are riskier still. The benefit of a security question is that you do not need to store the answer anywhere, because it is something you naturally know. At the same time, the answer is often not truly unique, and today much of your personal information is easy to find online. That makes these questions vulnerable.

Types of Security Questions

There are essentially two types of security questions:

  • Facts already recorded by the organization, such as your date of birth, customer number, or Social Security number. Many healthcare providers, for example, routinely ask patients for their date of birth at appointments.

  • Questions where you, as the user, define the answer yourself. These range from personal preferences, such as your favorite color, to individual memories, such as the name of your first pet.

Items such as your date of birth are usually already known and can be used immediately as a security question without preparation. The other security questions must be prepared in advance. For example, when someone creates a user account, they are asked to set a security question. You can usually choose from several available questions, and you must set your personal answer as the user. When your identity must be verified later, the system presents the security question, and your response is compared with the original answer.

What Are Good Security Questions?

A good security question must meet several criteria. The answer must be hard to guess or discover and must not be publicly available. It is also important that the answer remains constant over time. Your elementary school or the name of your first cat never changes, but your favorite series can change when something new appears on Netflix. The answer must also be unambiguous and easy to type consistently. Erykah Badu may be your favorite artist, but will you still spell that name the same way next year? Below are examples of poor and good security questions.

Examples of Poor Security Questions

Poor security questions are those whose answers are easy to guess or look up:

  • Your Date of Birth: easy to find via social media. The same applies to items like ZIP codes and street numbers.

  • Favorite Color: This is usually easy to guess. Emerald green or something more specific would be safer, but it is well known that most people choose blue.

  • Your Mother's Name: This used to be a reasonable question, but today it is easy to find online through genealogy websites.

  • Your Favorite Sports Team: This is usually discoverable online, and guessing often gets you far; the New York Yankees are mentioned more often than a small local club.

Examples of Good Security Questions

Good security questions concern something that does not change, is hard to guess, and is not easy to find on the internet:

  • Name of Your First Pet: Unless that pet still features prominently on your social media, such a name is hard to find.

  • Favorite Teacher in Elementary School: That is usually only something you would remember.

  • Your First Car: most people can remember this without difficulty. Make sure to ask for the make and model.

Are They Secure To Use?

On their own, security questions are always vulnerable. The strength of a security question is that you do not forget the answer because it relates to you as a person. That same property makes it inherently less secure: many answers can be obtained through social engineering, guessed outright, or brute-forced when the system does not limit the number of attempts. For every business process, we must therefore ask whether there is an alternative to a security question.

At the same time, the reality is that security questions cannot always be avoided. Legacy systems that are still in use may rely on security questions for password recovery or verification. They can also serve as a last resort when modern methods are unavailable: if someone has lost both the password and the phone, the security question may be the only option.

How Do You Make Them More Secure?

In theory, you can make security questions more secure by using good questions. You can also craft smarter answers. Especially for experiential questions and personal preferences, nothing prevents you from making the answer a bit more complex, for example, with a number. If your elementary school was 'JongLe'en', nothing stops you from making it 'JongLe'en123'. You also do not need to use factually correct answers; you can make something up. The risk, then, is that you forget the answer, which is exactly what a security question is intended to prevent.

Best Practices

We've gathered several best practices for using security questions:

  • Use unique answers. Just as you use a different password for each application, use different answers (and preferably different questions) for each application. An answer that leaks from one service should not unlock the others.

  • Consider using complex or fake answers. This makes them unique and much more secure. It does make remembering the answers harder. You can address this by storing security question answers in a password manager.

  • Avoid oversharing personal information on social media. This is important not only for your security questions but also, in general. Digital fraud almost always starts with building a personal profile from publicly available online information.

  • Use multiple questions. Security questions are relatively vulnerable, but two questions are more secure than one, provided all of them must be answered correctly in a single attempt. This is usually not a problem because these verification questions are mainly used in exception cases, such as password recovery.

  • Store security question answers as securely as you store passwords. Never keep them in plain text; salt and hash them with a slow password-hashing function, and normalize the answer (case, surrounding whitespace) before hashing so that 'Rufus' and 'rufus' are treated as the same answer. Limit the number of failed attempts so the questions cannot be brute-forced.

  • Define quality requirements for answers as well. For example, set a minimum length and block commonly used answers such as 'password', '123', and the most popular answer to a given question (for favorite color, 'blue').
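The storage and quality rules in the last two points, and the requirement that all registered questions be answered correctly before lockout, can be implemented in a few functions. The following is an added example written for this article, not HelloID's own code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash (a dedicated password hash such as Argon2 would be the preferred choice in production), a constant-time comparison, and a per-user failure counter. The policy values, block list, and the sample questions and answers are constructed for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Policy values assumed for this example (tune per deployment, not from the article).
PBKDF2_ITERATIONS = 600_000  # slow hash makes offline guessing expensive
SALT_LEN = 16
MAX_ATTEMPTS = 3             # lock recovery after this many failed rounds
MIN_ANSWER_LEN = 4
BLOCKED_ANSWERS = {"password", "123", "1234", "blue", "none", "unknown", "n/a"}


def normalize(answer: str) -> str:
    """Canonicalise an answer so 'Mr. O'Brien ' and 'mr obrien' compare equal.

    NFKC folds look-alike Unicode forms, casefold removes case differences,
    punctuation is dropped and internal whitespace is collapsed to one space.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def check_answer_quality(answer: str) -> Tuple[bool, str]:
    """Reject answers that are too short, purely numeric, or on the block list."""
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        return False, "answer too short"
    if norm.isdigit():
        return False, "purely numeric answers (years, ZIP codes) are easy to guess"
    if norm in BLOCKED_ANSWERS:
        return False, "answer is on the block list"
    return True, "ok"


def hash_answer(answer: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(normalised answer). Store this, never the text."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt + digest


def answer_matches(stored: bytes, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(stored, hash_answer(candidate, salt))


class RecoveryQuestions:
    """Per-user store of several question/answer hashes plus a failure counter."""

    def __init__(self) -> None:
        self._hashes: Dict[str, bytes] = {}
        self.failed_attempts = 0

    def register(self, question: str, answer: str) -> None:
        ok, reason = check_answer_quality(answer)
        if not ok:
            raise ValueError(f"{question!r}: {reason}")
        self._hashes[question] = hash_answer(answer)

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_ATTEMPTS

    def verify(self, answers: Dict[str, str]) -> bool:
        """All registered questions must be answered correctly in one round.

        Every stored hash is checked even after the first mismatch, so response
        time does not reveal which answer was wrong. A locked account always fails.
        """
        if self.locked:
            return False
        all_ok = True
        for question, stored in self._hashes.items():
            if not answer_matches(stored, answers.get(question, "")):
                all_ok = False
        if all_ok:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
        return all_ok


if __name__ == "__main__":
    # Constructed sample enrolment and recovery attempt.
    user = RecoveryQuestions()
    user.register("Name of your first pet", "Rufus")
    user.register("Your first car", "Ford Fiesta")
    print(user.verify({"Name of your first pet": " rufus ", "Your first car": "ford fiesta"}))
```

Note that a missing answer is treated as a wrong answer and that the failure counter is only reset by a fully correct round; in a real system the counter would live in the user's account record and the lockout would also alert an administrator rather than silently failing.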

Other Alternatives To Security Questions

The best advice is to minimize the use of security questions. Fortunately, that is increasingly possible.

We began this article with the different authentication factors. In most digital environments, you can now apply multiple factors. Our HelloID Access Management functionality supports Multifactor Authentication with a smartphone authenticator or a YubiKey security key. Password recovery with a security question is then no longer required. Users simply receive a recovery link by email, which they confirm with their smartphone or a security key as additional verification.

We also aim to minimize the use of passwords and make them more user-friendly and more secure. As a result, you will reduce the frequency of password resets. These are the most important measures:

  • IAM platforms such as HelloID support Single Sign-On, which lets you sign in once with a single master password (plus a second factor). From there, you gain passwordless access to all your business accounts.

  • For the passwords you still need to remember, use a password manager. With such a digital vault, you only need to remember one master password, and you can retrieve all other passwords with one click, so they are no longer forgotten or lost.

  • Finally, more and more applications support passkeys, which use public-key cryptography: the private key never leaves the user's device and is unlocked locally with a biometric or device PIN. No password is needed at all, so there is nothing to phish and nothing to reset.

In modern IAM environments, security questions are increasingly unnecessary. Our access management functionality, together with identity providers such as Entra ID, provides secure, user-friendly access protection through Single Sign-On and Multifactor Authentication. We would be happy to tell you more.


What is a security question?

A security question is an additional security measure to verify a user's identity. These questions are used, for example, when recovering a password. A security question is created at the first sign-in to a service or system and should concern something personal that cannot easily be found elsewhere, such as the name of your first pet.

What is an example of a security question?

Security questions usually involve personal questions, such as: 'Who was your favorite teacher in high school?' The user must set a question in advance. The question can also request information that an organization already has, such as a customer number or ZIP code.

Are security questions still used?

The use of security questions is declining because Multifactor Authentication is typically used for password resets. A reset link is sent to an email address, or a reset code to your smartphone. As a last resort, when someone has lost access to everything, a security question is still an option. It is also used for verification during personal conversations with a physician or a bank.