4 Tips for Better Security Questions
I was trying to sign up for a service online today (name blurred to protect the guilty), and ran smack into a bunch of usability mistakes, including these badly chosen security questions on a web form.
Before even getting to this form I had already had to wade through an intimidatingly long “Accept” form, and you’ll notice all the red error messages because I hadn’t seen these questions when I submitted the form. (Not quite sure how that happened.)
The big issue with this particular web form though is that most of the security questions have several possible answers. What are the odds that, when I’m asked these questions many months or years later, I’ll remember the exact answers I gave?
Mother’s maiden name and city you were born in are fine, because there is only one clear answer.
But the others are not clear.
- Who was your best friend while you were growing up? I had several. Depends which part of my youth.
- What was your favourite class or subject in school? There was no one clear favourite.
- What was your first job? Does babysitting count? Or the one week helping in a retail store during a sale? Or my internships? Part-time jobs? Full time? Again, too many possible answers and I won’t remember which one I gave.
- What is the location of your dream vacation? I have many dream locations. And the one I might cite now when the weather has warmed up outside will likely not be the same one that is top of mind in the middle of a Northern winter!
Better Web Form Security Questions
Having security questions is important. People will forget their passwords, so it is always important to have a backup way to increase the odds that they are who they say they are.
1. Use questions that have only one possible answer
My father has one middle name. (OK, some people do have more than one middle name, but odds are there will be a main one). I was only born in one city. I was only in one school when I started Grade 1. (Be careful on the wording of this one, though, because if you ask “What was the first school you attended?” it isn’t clear whether I’ll think of pre-school or kindergarten as the first, or the school where I went to Grade 1. And if you ask, “What school did you attend in Grade 1?” there will be people who attended more than one school in Grade 1.)
2. Don’t rely on just one security question
Some questions have become so common (e.g. mother’s maiden name) that if account information has been hacked on another site, people may be able to use it to impersonate your customers on yours. So it is good not to rely on that one question alone.
3. If at all possible, let users choose their own security questions
If you are doing this, you should make them answer several of the questions to prove they are who they say they are, because there are certain common ones people are likely to choose, and often their answers can easily be found on Facebook (e.g. their kids’ names, their birthday, the city they live in, etc.).
4. Allow for spelling and capitalization variations
If I attended Mount Saint Vincent University, I might have entered the answer that way, or I might have written Mt. St. Vincent, or Mount St. Vincent, or Mount Saint Vincent but without the word “university”, or I might have done it all in lower case. You need to have your web form programmed so it will accept any of those variants.
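Here is one way to implement tips 2, 3 and 4 together on the server side. This is an added example written for this post, not code from the original article or from any particular product: it normalizes an answer (lower case, accents and punctuation stripped, “Mt.”/“St.” expanded, filler words like “university” dropped) before comparing it, stores only a salted hash of the normalized answer rather than the answer itself, and requires a minimum number of correct answers across several questions. The abbreviation and filler-word lists, the question names and the sample answers are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import unicodedata

# Constructed list of abbreviations to expand; extend for your own user base.
ABBREVIATIONS = {"mt": "mount", "st": "saint", "ste": "sainte"}

# Constructed list of filler words that users often omit ("Mount Saint Vincent"
# vs "Mount Saint Vincent University").
FILLER_WORDS = {"the", "of", "university", "college"}


def normalize_answer(answer: str) -> str:
    """Reduce an answer to a canonical form so harmless variants compare equal."""
    # Decompose accented characters and drop the accents ("Montréal" -> "Montreal").
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    # Turn punctuation and whitespace runs into single spaces ("Mt. St." -> "mt st").
    text = re.sub(r"[^a-z0-9]+", " ", text)
    tokens = [ABBREVIATIONS.get(tok, tok) for tok in text.split()]
    tokens = [tok for tok in tokens if tok not in FILLER_WORDS]
    return " ".join(tokens)


def hash_answer(normalized: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked table of answers is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, 100_000)


def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Store (salt, hash) per question; the plaintext answer is never kept."""
    stored: dict[str, tuple[bytes, bytes]] = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        stored[question] = (salt, hash_answer(normalize_answer(answer), salt))
    return stored


def verify(stored: dict[str, tuple[bytes, bytes]],
           given: dict[str, str], required: int) -> bool:
    """Return True if at least `required` of the enrolled questions were answered correctly.

    Every enrolled question is checked, even after enough correct answers are found,
    so the response time does not reveal which answers were right.
    """
    correct = 0
    for question, (salt, digest) in stored.items():
        candidate = given.get(question, "")
        if hmac.compare_digest(hash_answer(normalize_answer(candidate), salt), digest):
            correct += 1
    return correct >= required


if __name__ == "__main__":
    # Constructed sample: three questions enrolled, two correct answers required to recover.
    record = enroll({
        "grade1_school": "Mount Saint Vincent University",
        "birth_city": "Montréal",
        "father_middle_name": "James",
    })
    attempt = {"grade1_school": "mt. st. vincent", "birth_city": "montreal",
               "father_middle_name": "John"}
    print("recovery allowed:", verify(record, attempt, required=2))
```

The normalizer deliberately collapses only variations the post describes (case, punctuation, abbreviations, a dropped “university”); it does not do fuzzy matching, which would widen the set of accepted answers for an attacker as much as for the legitimate user. Because only hashes are stored, the normalization rules cannot be changed retroactively, so settle on them before users enroll.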
What are the worst web form security questions you’ve seen?
Tell us in the comments below!