From Maiden Names to School Mascots—The Best Ways to Use Security Questions
Rachael Roth
September 25, 2021
Security questions don’t offer the best protection against a breach, but there are ways to use them more effectively.
What’s something no one else knows about you? Is it your maternal grandmother’s maiden name or the make and model of your first car? This is the idea behind security questions (aka personal knowledge questions) that exist as a barrier between threat actors and our personal information: that you alone can answer them.
These questions have long been a way to authenticate users, but are they still an effective way to protect our data? Here’s everything you need to know about them, including how to maximize their potential.
The wrong way to use security questions
Here’s what not to do when it comes to security questions:
Reusing questions and answers. Reusing security questions and answers is similar to reusing passwords: The information may have already surfaced on the dark web from a data breach of another one of your accounts, meaning hackers already have a way in.
Using them as the sole method of protecting your data. Security questions can be used in conjunction with other security methods, but using them on their own is a risk.
Using ineffective questions. Questions can be too difficult for users to remember if they ask about a detail from long ago; certain answers might change over time. (Think about questions like, “What’s your favorite movie?”) Conversely, simple answers can be easy for hackers to guess.
Can they do more harm than good?
In a white paper from 2015 called “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” research revealed that secret questions can be even worse than ineffective; they can pose a security threat.
Not only do difficult questions like, “What’s your frequent flyer number?” have a recall rate of 9%, causing users to constantly reset their passwords, but easy-to-remember questions are likewise easy to hack. Questions about favorite foods or your father’s middle name don’t generate unique enough answers. If you’re a high-profile person, these types of personal details may be searchable online; if not, hackers can still use brute force attacks to figure out the answer to a security question.
The right way to use security questions
They may not be the most effective against a data breach, but there are smart ways to use security questions. Here are our tips:
Use effective questions. Questions should be easy for you to remember, personal enough that only you would know the answer, and have enough potential answers that hackers would not be able to guess with a brute force attack. Okta recommends a question like, “In what town or city did your parents meet?” which is a very personal detail with many possible answers, making it difficult for hackers to guess.
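The two points above (a question whose most common answer covers a large share of users is weak; a question with many plausible answers is strong) can be measured directly from the answers a user base actually gives. The example below is added here and is not code from the article, Dashlane or Okta; the answer lists are constructed to illustrate the contrast, and the metrics (single-guess success rate, top-k success rate and min-entropy) are the author's choice of yardsticks, not a specific vendor's.

```python
"""Score how guessable a security question is from the distribution of
answers its users give. Added example; the answer lists are constructed."""
from collections import Counter
import math

# Constructed sample answers, one entry per account (hypothetical data).
# "Favorite food": a handful of answers dominate.
FAVORITE_FOOD = (["pizza"] * 20 + ["pasta"] * 12 + ["sushi"] * 8 + ["tacos"] * 6
                 + ["steak"] * 4 + [f"dish{i}" for i in range(50)])
# "Town where your parents met": almost every account has a distinct answer.
PARENTS_MET_CITY = [f"city{i}" for i in range(95)] + ["london"] * 3 + ["paris"] * 2


def normalize(answer: str) -> str:
    """Canonical form: trim, lowercase, collapse whitespace. Attackers guess
    against the canonical form, so scoring must use it too."""
    return " ".join(answer.strip().lower().split())


def guess_success_rate(answers, k: int) -> float:
    """Fraction of accounts opened by trying only the k most common answers."""
    counts = Counter(normalize(a) for a in answers)
    hits = sum(c for _, c in counts.most_common(k))
    return hits / len(answers)


def min_entropy_bits(answers) -> float:
    """-log2 of the most common answer's share: the effective strength of the
    question against an attacker who makes the single best guess."""
    counts = Counter(normalize(a) for a in answers)
    p_max = counts.most_common(1)[0][1] / len(answers)
    return -math.log2(p_max)


def compare_questions(questions: dict, k: int = 3) -> dict:
    """Summarize several candidate questions so a policy owner can rank them."""
    return {
        name: {
            "top1": guess_success_rate(ans, 1),
            f"top{k}": guess_success_rate(ans, k),
            "min_entropy_bits": round(min_entropy_bits(ans), 2),
        }
        for name, ans in questions.items()
    }


if __name__ == "__main__":
    for name, stats in compare_questions(
        {"favorite food": FAVORITE_FOOD, "parents met in": PARENTS_MET_CITY}
    ).items():
        print(name, stats)
```

With the constructed data, one guess of "pizza" opens a fifth of the accounts behind the food question, while the best single guess against the parents' city question opens 3%; min-entropy captures the same gap in bits. Run the comparison on real, normalized answer data before offering a question in a dropdown, and drop any question whose top-k rate is high.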
Use multiple questions. If you’re in a position to influence your security policies at work, include multiple questions that are a mix of user and system defined. User-defined questions are selected from a dropdown menu by the user (e.g. “What was your favorite elementary school teacher?”) whereas system-defined questions use information already collected on a user (e.g. date of birth).
Review and renew questions. From time to time, check and make sure that you or your employees remember the answers to security questions. Reviewing questions and answers keeps them fresh in your mind and avoids a failed account recovery later on.
Supply fake answers. The answer to a security question can be treated more like a password: a random string of numbers and letters, rather than an answer that someone might be able to hack.
Store answers securely. If you store answers to security questions anywhere, keep them in a password manager, and any service that holds them should protect them with a hashing algorithm, as it would passwords, rather than keep them readable.
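The last two tips, treating an answer like a password and storing it hashed rather than readable, look like this on the service side. This is an added example, not Dashlane's or any vendor's code; the record format, the PBKDF2 work factor and the normalization rules are assumptions. Normalizing before hashing matters because users rarely retype "Mrs. Smith" with the same case and spacing, and a hash of the raw string would reject them.

```python
"""Store and verify security-question answers like passwords: normalized,
salted, slow-hashed and compared in constant time. Added example; the
stored record format 'pbkdf2_sha256$iterations$salt_hex$digest_hex' and
the iteration count are assumptions."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)


def normalize(answer: str) -> str:
    """Canonical form so that 'Mrs. Smith' and ' mrs. smith ' hash identically."""
    return " ".join(answer.strip().casefold().split())


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return a self-describing record for storage; a fresh random salt per answer
    keeps identical answers from producing identical records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; reject malformed
    records and compare digests without leaking timing information."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            normalize(answer).encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iters),
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def random_answer(nbytes: int = 16) -> str:
    """A password-like answer to generate and keep in a password manager
    instead of a real, researchable fact."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    record = hash_answer("Mrs. Smith")
    print(record)
    print(verify_answer("  mrs. smith ", record))   # same answer, different typing
    print(verify_answer("Mr. Jones", record))        # wrong answer
    print(random_answer())                           # something to store in a manager
```

Keep the iteration count in the record, as shown, so it can be raised later without invalidating existing answers, and apply the same lockout and rate limiting to answer checks that you apply to password logins; a slow hash only helps against an attacker who has the stored records, not against online guessing.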
Biometric technology. Face ID and Touch ID are more effective against hacks than security questions. Facial, voice and touch recognition tools store your data on your device itself rather than in a system. There is nothing for users to remember, and the data is highly specific to each individual.
Multifactor authentication. Authenticator apps require authorization from users with a second device and are time sensitive, making them highly secure.
Strong passwords. It might sound simple, but strong passwords are more effective against hacks than security questions, especially if you use a password manager and store your passwords securely.
Rachael Roth is a content creator with over a decade of experience in print and digital media. She is a longtime contributing writer for Dashlane's blog and is an Editor and Copywriter for NYC & Company, New York City’s CVB and marketing organization.