Security Question

A security question is a form of shared secret used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer.


History

Financial institutions have used questions to authenticate customers since at least the early 20th century. In a 1906 speech at a meeting of a section of the American Bankers Association, Baltimore banker William M. Hayden described his institution's use of security questions as a supplement to customer signature records. He described the signature cards used in opening new accounts, which had spaces for the customer's birthplace, "residence," mother's maiden name, occupation and age. Hayden noted that some of these items were often left blank and that the "residence" information was used primarily to contact the customer, but the mother's maiden name was useful as a "strong test of identity." Although he observed that it was rare for someone outside the customer's family to try to withdraw money from a customer account, he said that the mother's maiden name was useful in verification because it was rarely known outside the family and that even the people opening accounts were "often unprepared for this question." [William M. Hayden (1906), "Systems in Savings Banks", ''The Banking Law Journal'', volume 23, page 909.]

Similarly, under modern practice, a credit card provider could request a customer's mother's maiden name before issuing a replacement for a lost card. In the 2000s, security questions came into widespread use on the Internet. As a form of self-service password reset, security questions have reduced information technology help desk costs. By allowing the use of security questions online, they are rendered vulnerable to keystroke logging and brute-force guessing attacks, as well as phishing. In addition, whereas a human customer service representative may be able to cope with inexact security answers appropriately, computers are less adept. As such, users must remember the exact spelling and sometimes even case of the answers they provide, which poses the threat that more answers will be written down, exposing them to physical theft.


Application

Due to the commonplace nature of social media, many of the older traditional security questions are no longer useful or secure. It is important to remember that a security question is just another password. Therefore, a security question should not be shared with anyone else, or include any information readily available on social media websites, while remaining simple, memorable, difficult to guess, and constant over time. Understanding that not every question will work for everyone, RSA (a U.S. network security provider, a division of EMC Corporation) gives banks 150 questions to choose from. Many have questioned the usefulness of security questions. [Elie Bursztein, "New Research: Some Tough Questions for 'Security Questions'", ''24th International World Wide Web Conference'' (WWW 2015), Florence, Italy, May 18-22, 2015; ''Google Online Security Blog'', 21 May 2015 (retrieved 21 May 2015).] Security specialist Bruce Schneier points out that since they are public facts about a person, they are easier to guess for hackers than passwords. Users who know this create fake answers to the questions, then forget the answers, thus defeating the purpose and creating an inconvenience not worth the investment.
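As an added example (not code from the article or from any provider it names), the following Python shows one way a service can treat a security answer as "just another password": normalise it so the minor spelling and case differences a human agent would tolerate are accepted, store only a salted slow hash rather than the answer itself, and cap failed attempts so online brute-force guessing is limited. The normalisation rules and the lockout threshold are assumptions, not values from the article.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example: security answers handled like passwords.
PBKDF2_ROUNDS = 200_000
MAX_GUESSES = 5  # assumed lockout threshold, not a figure from the article


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so 'Mc Donald', 'McDonald' and 'MCDONALD' all
    compare equal: Unicode compatibility decomposition, accent stripping,
    case folding, then keeping only letters and digits. This trades a little
    entropy for tolerance of the exact-spelling problem the article describes."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.casefold()
    return "".join(c for c in text if c.isalnum())


def enroll(answer: str) -> dict:
    """Store only a random salt and the PBKDF2 hash of the normalised answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failed": 0}


def verify(record: dict, guess: str) -> bool:
    """Check a guess with a constant-time comparison, count failures, and
    refuse further attempts once the lockout threshold is reached."""
    if record["failed"] >= MAX_GUESSES:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(guess).encode(), record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failed"] = 0
        return True
    record["failed"] += 1
    return False
```

A deployment would persist the record per account and also rate-limit by source, but the per-account counter alone already bounds the number of guesses an online attacker gets.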


See also

* Cognitive password
* Knowledge-based authentication
* Password fatigue

