Security Question And Security Answer

Security question drop-down?

 How many questions exist?

 Do users feel comfortable with questions?

 Are you asking for the ATM PIN? Are you sure?

Custom security question?

 Custom Text Field to enter question

 Minimum length for answer

Field Validations

 Security question field: auto-complete = off

 Security answer needs to be of type=password

 Maximum Length? (maxlength attribute)

 Characters allowed?

Characteristics of question

 Safe

 Consistent

 Nearly Universal

 Memorable

Did you know? There are no good security questions. There are only bad or fair ones.

What could be fair enough?

  email address

  last name

  date of birth

  account number

  customer number

  last 4 of social security number

  zip code for address on file

  street number for address on file

Good Practices

 Minimum length for security answers

 Store answers as a secure cryptographic hash

 Never save as plain text

 Require authentication before a security question / answer change

 Remember: Some Good Questions are Bad! Context Matters!
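The storage practices above (minimum answer length, hashed rather than plain-text answers) worked through as an added example; this is not code from the original checklist. The minimum length, the PBKDF2 work factor and the answer normalization rules are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

MIN_ANSWER_LENGTH = 4          # assumed policy value; the checklist gives no number
PBKDF2_ITERATIONS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256


def normalize_answer(answer: str) -> str:
    """Canonicalize so that 'Hotel Ritz ' and 'hotel ritz' compare equal.

    Security answers are typed from memory, so case and spacing
    differences should not lock the user out. (Assumed rule set.)
    """
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.

    The plain-text answer is never stored; a fresh random salt per
    answer stops identical answers from producing identical records.
    """
    normalized = normalize_answer(answer)
    if len(normalized) < MIN_ANSWER_LENGTH:
        raise ValueError(f"security answer must be at least {MIN_ANSWER_LENGTH} characters")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    """Check a submitted answer against a stored record in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalize_answer(answer).encode("utf-8"),
            bytes.fromhex(salt_hex), int(iterations))
        # compare_digest avoids leaking how many bytes matched via timing
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # malformed record (wrong field count, bad hex, bad int)
        return False
```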

Question Types

 Good security questions

  Has many possible answers in the real world

  Is precise and can be remembered

  Answer doesn't change over time

  Examples

   Which is the place you first kissed?

   What is the name of the hotel where your reception was held?

 Bad security questions

  Examples

   What is your pet’s name?

   In what year was your mother born?

 Fair enough security questions

  What time of the day / night were you born?