The Design of Personal Security Questions

(Originally posted on the Usability Matters Blog on March 13, 2010.)

Personal security questions on websites have been de rigueur for quite a while now.

You know what I’m talking about. You answer some personal questions (à la “What was the name of your best friend’s aunt’s dog in kindergarten?”) on sign-up. Later on, if you forget your password to that website, you can reset your password by answering those questions.

Let’s stop and think about that for a second. On many sites, the answers to a few personal questions are all it takes to reset your password and walk into the account. (Is anyone else getting chills yet?)

Like passwords, personal security questions are an area where security and usability collide head-on. Attempts to make something more secure can often result in making it less usable. Unfortunately, all too often, sites fail on both counts, compromising both usability and security.

Let’s review some of the most common problems with personal security questions, and how to improve your use of them.

Usability Problems

Questions are not specific enough.

  • Example: “What is your pet’s name?”
  • How it can fail: Which pet? What if you have three cats, a boa constrictor, and five chickens in the yard?
  • Improvements: Ensure the question is as specific as possible, with only a single possible answer. This is still far from ideal, but one option here would be asking “What is your cat’s name?” or “What was the name of your first cat?”.

Answers to questions change over time.

  • Example: “What is your favourite colour?”
  • How it can fail: Favourites are pretty fluid things. It’s hard to remember what your favourite colour might have been when you signed up for that site. My favourite while I was at university was red, but now I’m quite partial to teal.
  • Improvements: Avoid questions about favourites entirely. If users have already answered questions about favourites, tell them the date when they answered the question.

Users don’t have an answer to the question.

  • Examples: “Where did you go on your honeymoon?” or “What was your kindergarten teacher’s last name?”
  • How it can fail: Not all questions will be suitable for all users. Many people aren’t married or didn’t honeymoon; others cannot remember their teacher’s name from when they were 5.
  • Improvements: Never force a user to answer a specific question — always give a wide variety of options, and think carefully about how many will be applicable to different sets of people (young people, middle-aged people, older people, single people, married people, people from other cultures, etc.).

Users provide answers that aren’t easily repeatable.

  • Examples: “What street did you live on when you were 10?” and “What high school did you attend?”
  • How it can fail: Although these are nice and specific, users may write an answer in one format when registering, and provide it in another format when challenged at a later date. Did I write “Main St.”, “Main Street” or “Main St”? Did I write “Stoneybrook High”, “Stoneybrook” or “Stoneybrook High School”?
  • Improvements: Try to avoid questions for which you can foresee repeatability issues. If you do use them, remind users to pay attention to format, and normalize answers on your side (case, punctuation, surrounding whitespace, common abbreviations) in exactly the same way at sign-up and at reset time, so a trivial formatting difference doesn’t lock out the legitimate user.
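As an added example (this is not code from the original post), here is one way to handle the “Main St.” versus “Main Street” problem server-side rather than leaving it to the user’s memory: canonicalize the answer with one shared routine at enrollment and at verification. The street-abbreviation and school-suffix tables are assumptions made for this example, as is the choice to store the normalized answer as a salted, slow hash rather than in plaintext (an answer is a path into the account, so it deserves the same handling as a password).

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed normalization tables (this example's own assumptions, not from the post):
# street-type abbreviations and school-name suffixes that users write inconsistently.
STREET_TYPES = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive", "blvd": "boulevard"}
SCHOOL_SUFFIXES = ("high school", "secondary school", "high", "school")  # longest first


def normalize_answer(answer: str, kind: str = "generic") -> str:
    """Canonicalize a free-text answer so "Main St." and "Main Street" compare equal.

    Every answer gets Unicode normalization, case folding, punctuation removal and
    whitespace collapsing. kind selects question-specific rules: "street" expands
    abbreviations, "school" drops a trailing institution suffix. Each extra rule
    shrinks the answer space, so apply only the ones a question actually needs.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # "St." -> "st "
    tokens = text.split()  # split() also collapses runs of whitespace
    if kind == "street":
        tokens = [STREET_TYPES.get(t, t) for t in tokens]
    elif kind == "school":
        joined = " ".join(tokens)
        for suffix in SCHOOL_SUFFIXES:
            if joined.endswith(" " + suffix):
                joined = joined[: -len(suffix)].rstrip()
                break
        tokens = joined.split()
    return " ".join(tokens)


def enroll_answer(answer: str, kind: str = "generic", iterations: int = 200_000) -> dict:
    """Store the normalized answer the way you would a password: salted slow hash,
    never plaintext, because the answer is a path into the account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer, kind).encode("utf-8"), salt, iterations
    )
    return {"kind": kind, "salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Apply the same normalization the answer was enrolled with, then compare the
    hashes in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate, record["kind"]).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    stored = enroll_answer("Main St.", kind="street")
    for attempt in ("Main Street", "main st", "Elm Street"):
        print(f"{attempt!r} -> {verify_answer(stored, attempt)}")
```

The caveat that comes with this: every normalization rule you add makes two distinct answers collide, so a “school” rule that strips suffixes is also a small gift to a guesser. Keep the rules minimal, keep them identical on both sides, and never loosen them after enrollment without re-enrolling, or stored hashes will silently stop matching.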

Security Problems

Answers to questions are easily guessed.

  • Examples: “What is your eye colour?” and “How many children do you have?”
  • How it can fail: An attacker who tries the most common answers first needs only a handful of guesses. For eye colour, “brown”, “blue”, “hazel” and “green” cover almost everyone; for number of children, the answers “0” through “3” do the same.
  • Improvements: Avoid questions where the answer is likely to be highly guessable. A useful test is to ask what fraction of your users an attacker would get into with the three or four most common answers; if that number is large, the question is not protecting anyone.

Answers to questions are easily found online or in other public sources of data.

  • Examples: “What’s your birthday?” and “What high school did you go to?”
  • How it can fail: In the age of blogs, Twitter, and Facebook, a ton of information about you is available online. Beyond the most obvious data like your birth date (which most people would expect to be easy to dig up), it is easy to divulge something you think is private information but is actually easily accessible. This could be because you shared it online and forgot, or because someone else shared it online and you didn’t find out.
  • Improvements: Avoid these kinds of questions.

Improving Your Use of Personal Security Questions

  • Decide whether personal security questions are truly useful for your site. Would emailing a password reset link to an email address be sufficient for your needs? If you feel you must use security questions, try to avoid making them the sole gateway between a user and a password: instead combine them with some other security measure.
  • Always tell users the date they provided answers to their security questions.
  • Yahoo does this well:

[Screenshot: yahoo_pvq_date_example]

  • For instance, I planned to have my honeymoon in one city, but it got changed to a different city at the last minute. Knowing I answered the question in November instead of October makes all the difference in helping me answer the question correctly.
  • Consider implementing a CAPTCHA to stop hackers from writing scripts that guess answers automatically. A CAPTCHA alone is not enough when the answer space is small (four eye colours, a dozen popular pet names): a human attacker can simply type a few guesses by hand. Also cap the number of failed attempts per account before the reset flow locks, so that a guesser gets a small, known number of tries no matter how they submit them.
  • Consider letting users fill in the blanks to make stronger questions. Mike Just describes this in his paper, Designing and Evaluating Challenge-Question Systems. Provide a question such as, “What is _______’s favourite food?” and let the user fill in a person of their choice.
  • Consider using an alternative challenge and response approach. In his paper, Personal knowledge question for fallback authentication, Ariel Rabkin describes using images, e.g. having users upload a picture and asking “What is the first name of the person in this picture?”. Other possibilities also exist.
  • If letting users write their own questions, give adequate guidance. Remind them:
    • To choose something very memorable (something they’ll still remember the answer to in 3 years).
    • To choose something that is fixed over time (favourites come and go, as do pets).
    • To choose something that is not easily guessable, particularly numerical answers. For instance, there is a fairly small, fixed set of plausible answers to the question “How many children were in your family?”.
    • To choose something that is not published online or in public records.
    • To try to choose something only they know the answer to. (This is extremely difficult. In lieu of this, encourage them to choose different types of questions, such that no one person knows or can find answers to all of the questions. Remind them that the person trying to get into their account could very well be someone they know.)
    • Why it is important to choose questions with secure answers (i.e. what the consequences are if someone manages to answer the questions correctly).
    • To not panic. Presenting all of this info and instructions can be overwhelming and scary. Too much detail about security issues might be pretty discouraging. (And here’s the heart of the interaction designer’s challenge in this area – inform, but only enough.)
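To make the guessing and CAPTCHA points above concrete, here is an added example (not code from the original post or from the papers it cites) of the two server-side pieces that go with a CAPTCHA: an enrollment-time check of how much a capped number of guesses buys an attacker for a candidate question, and a per-account attempt limiter on the reset flow that enforces that cap. The answer frequencies for “What is your eye colour?” and “What was the name of your first cat?” are constructed for illustration, and the 5% acceptance threshold and three-attempt limit are assumptions of this example.

```python
import time
from collections import Counter

# Constructed answer data (this example's own assumption, not survey results): how 1,000
# hypothetical users answered two candidate questions, after lowercasing.
EYE_COLOUR = (["brown"] * 550 + ["blue"] * 270 + ["hazel"] * 80
              + ["green"] * 70 + ["grey"] * 20 + ["other"] * 10)
FIRST_CAT = ([f"cat{i}" for i in range(965)]  # 965 names nobody else used
             + ["tiger"] * 15 + ["smokey"] * 10 + ["shadow"] * 10)


def top_k_coverage(answers, k):
    """Fraction of accounts an attacker who knows only the population's answer
    distribution opens with k guesses per account: the combined share of the
    k most common answers."""
    counts = Counter(answers)
    return sum(n for _, n in counts.most_common(k)) / len(answers)


def question_is_acceptable(answers, max_attempts, max_success=0.05):
    """Enrollment-time check: reject a question if max_attempts guesses would succeed
    against more than max_success of the population (5% is this example's choice)."""
    return top_k_coverage(answers, max_attempts) <= max_success


class AttemptLimiter:
    """Per-account failed-attempt counter for the reset flow. A CAPTCHA stops
    scripts; this bounds a human to max_attempts guesses per lockout window."""

    def __init__(self, max_attempts=3, lockout_seconds=3600, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the lockout can be tested without sleeping
        self.state = {}  # account -> (failure_count, locked_until)

    def attempt(self, account, verify):
        """verify is a zero-argument callable returning True for a correct answer.
        It is not invoked while the account is locked, so a locked account leaks
        nothing about the answer. Returns "ok", "retry" or "locked"."""
        now = self.clock()
        failures, locked_until = self.state.get(account, (0, 0.0))
        if now < locked_until:
            return "locked"
        if verify():
            self.state.pop(account, None)
            return "ok"
        failures += 1
        if failures >= self.max_attempts:
            self.state[account] = (0, now + self.lockout_seconds)
            return "locked"
        self.state[account] = (failures, 0.0)
        return "retry"


if __name__ == "__main__":
    for name, data in (("eye colour", EYE_COLOUR), ("first cat", FIRST_CAT)):
        print(f"{name}: 3 guesses open {top_k_coverage(data, 3):.0%} of accounts, "
              f"acceptable={question_is_acceptable(data, 3)}")
```

With these numbers, three guesses at eye colour open nine accounts in ten, so no attempt limit rescues that question; the limiter only does its job once the question itself has passed the coverage check. Note that the limiter resets the failure count when a lockout expires, so a patient attacker still gets max_attempts per window; if that matters for your site, escalate the lockout duration or require the email-link path after repeated lockouts.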

Sources and Additional Resources

If you’re responsible for the design of a personal security question system, I strongly encourage you to read (1) and (2) below – between them, Ariel’s and Mike’s papers cover everything I’ve talked about and more. (3) and (4) are more general-interest articles.

  1. Personal knowledge question for fallback authentication: Security questions in the era of Facebook (PDF) by Ariel Rabkin (SOUPS, July 2008).
  2. Designing and Evaluating Challenge-Question Systems (PDF) by Mike Just (IEEE Security & Privacy, 2004).
  3. Those Crazy Internet Security Questions by Kate Pickert (Time Magazine, September 24, 2008).
  4. ‘Forgot your password?’ may be weakest link by Bob Sullivan (MSNBC, August 26, 2008).

As always, I’d love to hear your thoughts on this topic.