Security Questions: Best Practices, Examples, and Ideas (2024)

Security questions are a common method of identity verification, and one you have almost certainly encountered. When creating an account or signing up for a service online, the user supplies answers to one or more questions that are meant to be known only to them; the provider stores those answers and later uses them to confirm that it is talking to the same person.

Typically, these questions and answers are used for self-service password recovery: giving the correct answer verifies the user and allows them to reset their password. Some services also use security questions as an additional authentication factor at login.

However, we don’t advise relying on security questions alone for either use case. While they are simple to set up, security answers can be guessed, researched, phished and stolen in a breach in much the same way that passwords can, and unlike passwords they are often true facts that the user cannot change. That said, if you still intend to use security questions in your organization, this post explains what makes a good question and answer, and how to deploy them with the least risk.

Types of security questions

There are two main types of security questions:

  • User-defined questions let users choose a question from a set list that they would like to provide an answer to. While it’s easy for developers to implement these questions as part of the account creation process, they’re only effective if the user chooses a strong answer that’s hard to discover.
  • System-defined questions are based on information that the service provider already knows about the user (e.g., address or date of birth). These questions rely on the system holding sufficient information about the user—and on the answer being difficult for a threat actor to find out.

We’ll explore the viability of both question types throughout the rest of this post—but first, let’s examine what makes some security questions better than others.

What makes a good security question?

Security questions must have the following characteristics if they’re to positively contribute to secure authentication:

  • Confidentiality: No one else should be able to guess, research, or otherwise obtain the answer. This is the most important trait for an answer to have—if the answer is easy to find out, then it sabotages an account’s security. If a piece of information is known to anyone around the user or can be found online, it isn’t confidential.
  • Memorability: Users need to remember the answer, potentially for a long time after creating an account. Ideally, the user can immediately recall the answer; they shouldn’t have to write it down or look it up.
  • Consistency: The answer to the question can’t change over time. It’s best to avoid answers that are only guaranteed in the moment, like favorites and opinions—instead, think about historical facts or permanent pieces of information.
  • Simplicity: The answer should be precise, clear to the user, and easy to give. Questions with ambiguous answers, or answers that require case sensitivity or particular formatting can be difficult to keep track of.
  • Multiplicity: There should be many possible answers to the question. The larger the answer space, the less likely an attacker is to guess the answer or brute-force it. A large answer space only helps if the verifier also limits attempts, which is why many providers lock the account after a number of failed answers.

List of security questions

Keeping the above principles in mind, we’ve created a list of common security questions. Read on to find out what makes some more secure than others.

Examples of bad security questions

These security questions are considered bad because they are impractical or open to exploitation:

  • What is your date of birth? Not confidential: birth dates are shared widely, appear in public records and social profiles, and are routinely exposed in data breaches.
  • What was your favorite school teacher’s name? Not memorable: childhood details may be too distant to recall reliably, and “favorite” can change with hindsight.
  • What’s your favorite movie? Not consistent: the answer is likely to change over time.
  • What was your first car? Not simple: it’s ambiguous what level of detail the answer should have (make, model, colour, year?).
  • What is your astrological sign? No multiplicity: there are only twelve possible answers, and anyone who knows the user’s birthday can derive it.

Examples of good security questions

The above questions all fall short on security or usability for one reason or another. Below, we’ve revised the list of security questions, making them more practical or protective:

  • What city were you born in? Less commonly known than a birth date, so harder to guess. It is still the kind of detail people post on social profiles, so it should not be treated as a strong secret.
  • What is your oldest sibling’s middle name? Typically known only within the family and difficult for others to research.
  • What was the first concert you attended? A historical fact, so the answer isn’t prone to change.
  • What was the make and model of your first car? Asks for precise, specific details, removing the ambiguity of “first car”.
  • In what city or town did your parents meet? A personal detail with many possible answers, so it’s hard to guess.

Are security questions good to use?

Security questions are easy for organizations to implement, and they’re familiar and effortless for users. But the benefits end there.

Against today’s threat landscape, security questions have had their day. They offer low-assurance protection, and even the sample questions above are open to exploitation through guesswork, social media and online research. In addition, both user- and system-defined answers are as vulnerable to theft in a data breach or phishing campaign as passwords are, with the added problem that a true answer can’t be rotated once it leaks. This is why security guidance increasingly rules them out: NIST SP 800-63B, for example, does not accept knowledge-based questions as an authenticator.

Accordingly, we can’t recommend security questions as your main method of account protection. As part of a broader strategy, good security questions can serve as an additional check, but only with a few stipulations in place.

Security question best practices

While security questions are not the most effective method of securing accounts, there are some things that organizations, employees, and customers can all do to make them stronger.

Tips for using security questions

If you’d still like to use security questions as a supporting security method for your employees or customers, we suggest the following best practices to mitigate vulnerabilities:

  • Restrict answers: Check answers against a deny list of common responses, such as the username or email address, the user’s current password, and guessable strings like “123” and “password”. Enforcing a minimum length for answers also helps to rule these out.
  • Renew questions: Periodically prompt the user to review their security questions and confirm that they still know the answers. This gives them the opportunity to update any answers that have changed, and makes it more likely that the user will remember their most recent answer when they need it to recover their account.
  • No self-written questions: Allowing users to write their own questions introduces risk. It could produce strong, unique questions that are difficult for attackers to answer, but it could equally produce weak, easily exploitable ones (“What colour is the sky?”). Self-written questions depend entirely on the user’s own security awareness, so offering them to a broad user base increases the risk of account takeover.
  • Set multiple security questions: Asking several questions at once raises the assurance level, especially if the answers are varied and force an attacker to obtain more obscure information. Mixing user- and system-defined questions is one way to do this. Either way, when a user is shown a question from their set, don’t let them switch to a different question until they have answered the first one correctly; otherwise an attacker can cycle through the questions until they find one whose answer they know.
  • Hash, don’t just encrypt: Answers may contain personal information about users and are often reused across services, so they deserve the same protection as passwords. Store them as salted hashes produced by a deliberately slow password-hashing function (Argon2id, bcrypt, scrypt or PBKDF2), after normalizing case and whitespace so that a legitimate user isn’t rejected for typing “Tromsø ” instead of “tromsø”. Unlike encryption, hashing means a stolen database does not yield the answers, because the service never needs to read an answer back, only to check one.
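As an added example (not code from Okta’s post), the following Python sketch implements the first, fourth and fifth tips above in one place: a deny list and minimum length for answers, salted slow hashing of normalized answers, and a recovery challenge that fixes one question per session and locks after a few failures. The in-memory store, the question text, the attempt limit and the use of PBKDF2 are assumptions for illustration; a production system would keep the hashes in a database and would prefer Argon2id or bcrypt.

```python
# Added example (not Okta's code): enrol and verify security answers as the tips above
# describe. Assumptions: an in-memory store, PBKDF2-HMAC-SHA256 as the slow hash
# (Argon2id or bcrypt would be preferred in production), three attempts per session.
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

MIN_ANSWER_LEN = 4
MAX_ATTEMPTS = 3          # lock the recovery session after this many wrong answers
PBKDF2_ROUNDS = 600_000   # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256
DENY_LIST = {"password", "123", "1234", "123456", "qwerty", "none", "n/a", "unknown"}


def normalize(answer: str) -> str:
    """Canonicalise an answer so harmless formatting differences do not lock users out
    (the simplicity criterion): Unicode NFKC, case folding, collapsed whitespace."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def validate_answer(answer: str, username: str, email: str, password: str) -> None:
    """Reject answers that are too short, on the deny list, or equal to another
    credential on the account (tip 1). Raises ValueError with the reason."""
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        raise ValueError("answer too short")
    if norm in DENY_LIST:
        raise ValueError("answer is on the deny list")
    if norm in {normalize(username), normalize(email), normalize(email.split("@")[0])}:
        raise ValueError("answer must not be the username or email address")
    if norm == normalize(password):
        raise ValueError("answer must not be the account password")


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Answers are hashed, not encrypted: the service only
    ever needs to check an answer, never to read it back (tip 5)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)


def enroll(answers: Dict[str, str], username: str, email: str, password: str) -> Dict[str, Tuple[bytes, bytes]]:
    """Validate and hash every answer; returns {question: (salt, digest)}."""
    store = {}
    for question, answer in answers.items():
        validate_answer(answer, username, email, password)
        store[question] = hash_answer(answer)
    return store


class RecoveryChallenge:
    """One password-recovery session (tip 4). The question is chosen once and cannot be
    swapped, so an attacker cannot shop for the easiest one, and the session locks
    after MAX_ATTEMPTS wrong answers."""

    def __init__(self, enrolled: Dict[str, Tuple[bytes, bytes]]):
        self.enrolled = enrolled
        self.question = secrets.choice(sorted(enrolled))  # fixed for this session
        self.failures = 0
        self.locked = False

    def answer(self, given: str) -> bool:
        if self.locked:
            return False
        salt, digest = self.enrolled[self.question]
        if verify_answer(given, salt, digest):
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample account; none of this is real data.
    truth = {"What city were you born in?": "Tromsø",
             "What is your oldest sibling's middle name?": "Marie"}
    enrolled = enroll(truth, "jdoe", "jdoe@example.com", "correct horse battery staple")
    challenge = RecoveryChallenge(enrolled)
    print(challenge.question)
    print("wrong answer accepted?", challenge.answer("Oslo"))
    print("right answer accepted?", challenge.answer(truth[challenge.question].upper() + " "))
```

Normalizing before hashing is what lets “TROMSØ ” and “tromsø” compare equal while still hashing a single canonical string, and the stored digest cannot be turned back into the answer, which is the point of hashing rather than encrypting. Once the session is locked, even the correct answer is refused until the lock is cleared through another channel.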

Tips for setting security answers

Implementing security questions is only effective if users know best practices. Here’s some advice you can provide to employees and customers to strengthen their security answers:

  • Use fake answers: Instead of responding with a true fact that others can find out, use a false answer that others can’t verify, ideally a random string of characters. In other words, treat security answers like passwords: the more unpredictable, the better.
  • Use a password manager: Remembering randomized text strings is much more difficult than truthful, personal details. That’s why it’s worth using a password manager to store your security answers, so you don’t lose track of them.

What are some better alternatives to security questions?

If you’d prefer to move on from security questions altogether, there is a range of other methods available, each offering a different level of assurance.

Before selecting one for your workforce and customers, it’s important to understand the risks and benefits of each. Methods that rely on something the user knows (security questions, passwords) give the least assurance, because the secret can be guessed, phished or stolen without the user noticing; methods that rely on something the user has (a hardware security key, an authenticator app) or something the user is (a biometric) give the highest.

Biometric authentication, for example, relies on traits unique to each user, such as a fingerprint, face or voice. Users don’t have to remember or store anything, as they do with security answers, which removes the guessing and phishing avenues. One caveat: a biometric can’t be changed if the reference data leaks, so in practice it is best used to unlock a device-bound credential rather than sent to a server as a shared secret.

Multi-factor authentication (MFA) combines two or more factors of different types, and adaptive MFA makes the choice context-aware: you analyze risk signals from each login attempt (device, location, network, behaviour) to decide which authentication methods to require. With this setup, you have the flexibility to keep security questions or passwords as one of many options, deploying them for additional assurance in low-risk contexts and forgoing them altogether elsewhere.

Security questions are vulnerable to exploitation because they rely on knowledge—if an attacker guesses, researches, or phishes a security answer, for instance, the account is compromised. Not even the best security questions are immune to these attacks. To start moving beyond security questions and to learn more about Okta’s Adaptive MFA solution, check out our datasheet.


FAQs


What are the best examples of security questions?

Good security questions have answers that are easy for the user to remember but difficult for anyone else to guess or look up: stable personal facts rather than preferences. The examples in the list above, such as “What is your oldest sibling’s middle name?” or “In what city or town did your parents meet?”, fit that pattern; “What is your favorite movie?” does not, because the answer changes over time.

What are basic security questions?

Security questions are usually drawn from a few categories:
  • Childhood (What was the name of your favorite childhood pet?)
  • Family (What year was your grandmother born?)
  • Preferences (What is your favorite sport?)
  • Firsts (What month was your first child born?)
  • Personal characteristics (What is your skin color?)
Measured against the criteria above, the last three are weak: preferences change, a month has only twelve possible answers, and physical characteristics are visible to anyone who meets the user.


What is a valid security question?

One whose answer is memorable to you, real, and stable over time, while being unknowable to almost everyone else.


Are security questions a good idea?

Usually not on their own, because answers are often easy to guess. Some answers are simply very common: a 2015 Google study (Bonneau et al., “Secrets, Lies, and Account Recovery”, WWW 2015) found that an attacker had roughly a 20% chance of guessing an English speaker’s answer to “What is your favorite food?” on the first try. (It’s pizza.)


How many security questions should be asked?

More than one. A single question can be researched or guessed; asking several, ideally on unrelated topics, forces an attacker to obtain more information. Balance this against usability: every additional question is another answer the legitimate user has to remember.


Which are the three types of authentication factors?

  • Something you know (a password, PIN or security answer)
  • Something you have (a hardware security key, phone or authenticator app)
  • Something you are (a biometric such as a fingerprint or face)


Author: Dan Stracke
