Security question

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 194.48.133.8 (talk) at 21:34, 6 January 2011. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Security questions are used as an authenticator by banks, cable companies and wireless providers as an extra security layer. They are a form of shared secret.[1]

Financial institutions have used questions to authenticate customers since at least the 1980s.[1] For example, a credit card provider could request a customer's mother's maiden name before issuing a replacement for a lost card.[1]

However, beginning in mid-2006, the questions became ubiquitous online.[1] As a form of self-service password reset, security questions have reduced information technology help desk costs.[1] Allowing security questions to be answered online, however, exposes them to keystroke logging attacks. In addition, whereas a human customer service representative may be able to cope appropriately with inexact security answers, computers are less adept. As a result, users must remember the exact spelling, and sometimes even the case, of the answers they provided, which raises the risk that more answers will be written down, exposing them to physical theft.
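As an added illustration of the exact-spelling problem described above (example code, not part of the article or any vendor's product), the following Python stores each answer as a salted hash of a normalized form, so that differences in case, surrounding whitespace and punctuation are tolerated without keeping the answer in plaintext; the function names are the example's own.

```python
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Canonicalize a security answer so trivial variations still match.

    Unicode NFKC normalization, case folding, removal of punctuation, and
    collapsing of whitespace runs: "  O'Brien " and "obrien" both become
    "obrien". Note that this deliberately discards some distinctions, so it
    slightly reduces the space of possible answers.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def enroll_answer(answer: str, iterations: int = 100_000) -> dict:
    """Store a security answer the way a password would be stored:
    a per-record random salt and a slow PBKDF2-HMAC-SHA256 digest of the
    normalized answer, never the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, attempt: str) -> bool:
    """Recompute the digest for the normalized attempt and compare it in
    constant time against the enrolled digest."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(attempt).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample enrollment and a few user attempts.
    rec = enroll_answer("O'Brien")
    for attempt in ("  o'brien ", "OBRIEN", "obrian"):
        print(repr(attempt), verify_answer(rec, attempt))
```

Normalization only addresses the usability problem; it does nothing about the guessability of public facts or about keystroke logging, which the article discusses separately.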

Seventy to eighty percent of American banks use RSA Security's "Adaptive Authentication program," including Bank of America, Wachovia, ING, Washington Mutual, and Vanguard.[1] RSA estimates that ninety percent of banks are using security questions.[1]

The best answers are simple, memorable, can't be guessed easily, and don't change over time.[2][3] Understanding that not every question will work for everyone, RSA gives banks 150 questions to choose from.[1]

Security expert Bruce Schneier questions the usefulness of security questions. Since the answers are public facts about a person, they are easier for attackers to guess than passwords. Users who know this create fake answers to the questions and then forget them, defeating the purpose and creating an inconvenience that is not worth the investment.[4]

References

  1. Levin, Josh (2008-01-30). "In What City Did You Honeymoon? And other monstrously stupid bank security questions". Slate.
  2. Garry. "Designing Good Security Questions". Retrieved 2008-01-30.
  3. "Best Practices for Challenge/Response Authentication" (PDF). Hitachi ID Systems. Retrieved 2010-07-23.
  4. "The Curse of the Security Question".