Security Question And Security Answer
Security question drop-down?
How many questions exist?
Do users feel comfortable with questions?
Are you asking for the ATM PIN? Sure?
Custom security question?
Custom Text Field to enter question
Minimum length for answer
Security question field: autocomplete="off"
Security answer needs to be of type=password
Maximum Length? (maxlength attribute)
Characteristics of question
Did you know? There are no good security questions. There are only bad or fair ones.
What could be fair enough?
date of birth
last 4 of social security number
zip code for address on file
street number for address on file
Minimum length for security answers
Store answers as a secure cryptographic hash
Never save as plain text
Request authentication during security question / answer change
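The storage points above (minimum length, hashed, never plain text) as an added example, not code from the original page. The minimum length, the PBKDF2 iteration count and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_ANSWER_LEN = 4       # assumed policy value; the page gives no number
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def normalize(answer: str) -> str:
    """Fold case, Unicode form and whitespace so 'St.  Louis ' equals 'st. louis'.

    Without this step a user who types the right answer with different
    capitalisation or spacing would fail verification.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def _derive(normalized: str, salt: bytes) -> bytes:
    """Slow, salted key derivation over the normalized answer."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalized.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def hash_answer(answer: str) -> tuple:
    """Return (salt, digest) for storage; the plain-text answer is never kept."""
    norm = normalize(answer)
    if len(norm) < MIN_ANSWER_LEN:
        raise ValueError("security answer too short")
    salt = os.urandom(16)  # per-answer random salt
    return salt, _derive(norm, salt)


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(normalize(candidate), salt), digest)
```

A slow salted hash raises the cost of offline guessing, but it cannot protect answers drawn from a very small space, such as a four-digit value.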
Remember: Some Good Questions are Bad! Context Matters!
Good security questions
Has many possible answers in the real world
Is precise and can be remembered
Answer doesn't change over time
Which is the place you first kissed?
What is the name of the hotel where your reception was held?
Bad security questions
What is your pet’s name?
In what year was your mother born?
Fair enough security questions
What time of the day / night were you born?