Why not allow the user to enter their own security question?
The question itself doesn't matter; it's only there to jog the memory of the user. If you let the user type their own question, they would be more likely to remember the answer and you don't have to try and think of a lot of different questions to cover all situations a user might be in (i.e. they never had a pet, don't know their mother's maiden name, etc.).
Answer from Steve on Stack Exchange: "website design - Security question: What questions do you ask?" - User Experience Stack Exchange
Security question choices need improvement
LPT: Do NOT fill out security questions with real world answers
LPT: Never answer online security questions with their real answer. Use passphrases or number combinations instead - if someone gets your info from a breach, they won't be able to get into your account.
What are examples of some common security questions?
- In what city were you born?
- What is the name of your favorite pet?
- What is your mother's maiden name?
- What high school did you attend?
- What is the name of your first school?
- What was the make of your first car?
- What was your favorite food as a child?
- Where did you meet your spouse?
Why Are Common Security Questions a Problem?
The problem with these security questions (and with our answers) is that they become a liability when the results are leaked online, such as through a data breach, or otherwise become public knowledge. Why? Because many (in fact, thousands) of sites use identical security questions. The variation from site to site is low, and the questions a given user answers frequently, and inevitably, overlap across their many accounts. This standardization of security questions creates a substantial, but unnecessary, risk: an answer leaked from one site is the answer to the same question everywhere else.
How Do I Make My Security Questions Stronger?
1. As much as is possible, do not select the same security questions across multiple sites. Keep your selections unique when the site allows you to pick your own questions. This will help limit the fallout and compromise of other accounts if the security question/answer is ever leaked. This is especially important for public figures whose history may be a part of public record or biographies posted on websites. For example, we all know the city our favorite musician or actor was born in, right?
2. Do not answer security questions in plain English (or your native language). That is what is expected, but it's a security misstep. Treat your answers like passwords and introduce complexity in your response and its characters. For example, let's say I was born in Little Rock, Arkansas. The security question "What city were you born in?" would require the response "Little Rock". Now, add some password complexity. The new entry could therefore be "L!ttl3 r0ck". This answer is more difficult to guess or crack through automated tools and provides a simple layer of obfuscation to protect your security question responses. And, if anyone ever asks, you can honestly state that of course your mother's maiden name does have numbers and symbols in it. Doesn't yours?
3. In many instances, the best course of action is to provide fictitious information to these questions to keep them unique. You could use a personal password manager to populate the answer fields with password-like responses. Then, store each question and response in your password manager. For example, for an ecommerce site, you could create the entry "ecommercesite.com/question_birthcity" as the account and then enter a random, recommended password as the security response. This provides the secure storage you need in case of a password problem, while keeping your answers to the same security question completely random and unique across sites and applications.
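The three steps above can be shown in working code. The following is an added example, not code from any of the quoted posts or sites: the user-side half builds password-manager-style entries named `site/question_tag` (the `ecommercesite.com/question_birthcity` naming from step 3) and fills them with random, password-like answers so that no answer repeats across sites; the server-side half treats the answer like a password, normalizing it and storing only a salted scrypt hash, so a breached answer table does not hand out the plaintext. The `vault` dictionary, the question tags and the scrypt parameters are assumptions for the example.

```python
"""Added example: unique per-site security answers (user side) and
password-style storage of answers (server side). Not from the original page."""
import hashlib
import hmac
import os
import secrets
import string
import unicodedata
from typing import Dict, Optional, Tuple

# ---- User side: a password-manager-style vault keyed "site/question_tag" ----
ANSWER_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def random_answer(length: int = 20) -> str:
    """A password-like answer that no biography or social profile can reveal."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def vault_entry(site: str, question_tag: str, vault: Dict[str, str]) -> str:
    """Create (or return the existing) answer stored under 'site/question_<tag>'.

    `vault` stands in for the password manager; the key format follows the
    page's 'ecommercesite.com/question_birthcity' convention.
    """
    key = f"{site}/question_{question_tag}"
    if key not in vault:
        vault[key] = random_answer()
    return vault[key]


def answers_are_unique(vault: Dict[str, str]) -> bool:
    """True when no answer is reused, even for identical questions on other sites."""
    answers = list(vault.values())
    return len(answers) == len(set(answers))


# ---- Server side: store the answer the way a password is stored ----
def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode form so 'Little  ROCK' matches 'little rock'.

    Symbols and digits are kept, so a deliberately complex answer such as
    'L!ttl3 r0ck' stays distinct from the plain-English one.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt digest of the normalized answer; only (salt, digest) is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalize(answer).encode("utf-8"),
        salt=salt, n=2 ** 14, r=8, p=1, dklen=32,  # assumed cost parameters
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a submitted answer against the stored digest."""
    _, cand = hash_answer(candidate, salt)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed walk-through: two sites asking the same birth-city question.
    vault: Dict[str, str] = {}
    shop = vault_entry("ecommercesite.com", "birthcity", vault)
    bank = vault_entry("bank.example", "birthcity", vault)
    print("answers differ across sites:", shop != bank, answers_are_unique(vault))
    salt, digest = hash_answer(shop)          # what the shop would store
    print("shop can verify its own answer:", verify_answer(shop, salt, digest))
    print("bank's answer does not open the shop:", verify_answer(bank, salt, digest))
```

The server never compares plaintext and never stores it, so the two independent salts also mean the same human answer given to two sites produces two unrelated digests; what the example cannot fix is an answer that is itself public, which is why the user-side half generates random ones.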
I'm taking this answer directly from goodsecurityquestions.com website, as referenced on the Security StackExchange site.
The term "security questions" is a misnomer. Security questions create a potential hole or breach in security by providing ways for unauthorized users to gain access if the answer can be discovered. Hopefully, security experts will find better ways of retrieving forgotten passwords or verifying identification during login, but until then security questions will likely prevail.
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
Social networking sites (Facebook, MySpace, Twitter, personal blogs, LinkedIn) are creating more of a risk for security questions. People are generously telling all about themselves, their history, likes, favorites, and more. It is easier now to find information on people.
But to actually answer your question, that site provides a list that they say are better than others that meet the criteria of:
Good security questions have four common characteristics. The answer to a good security question:
- cannot be easily guessed or researched (safe),
- doesn't change over time (stable),
- is memorable,
- is definitive or simple.
And those questions are:
- What was your childhood nickname?
- In what city did you meet your spouse/significant other?
- What is the name of your favorite childhood friend?
- What street did you live on in third grade?
- What is your oldest sibling’s birthday month and year? (e.g., January 1900)
- What is the middle name of your oldest child?
- What is your oldest sibling's middle name?
- What school did you attend for sixth grade?
- What was your childhood phone number including area code? (e.g., 000-000-0000)
- What is your oldest cousin's first and last name?
- What was the name of your first stuffed animal?
- In what city or town did your mother and father meet?
- Where were you when you had your first kiss?
- What is the first name of the boy or girl that you first kissed?
- What was the last name of your third grade teacher?
- In what city does your nearest sibling live?
- What is your oldest brother’s birthday month and year? (e.g., January 1900)
- What is your maternal grandmother's maiden name?
- In what city or town was your first job?
- What is the name of the place your wedding reception was held?
- What is the name of a college you applied to but didn't attend?
- Where were you when you first heard about 9/11?
I haven't added security questions to my account, because I'm concerned my answers will change by the time I need to use them. Examples:
- What is your signature dish to cook? Well, right now I like to make a particular pasta dish, but I'm always looking for new recipes.
- What smart devices are you most excited to try? This answer would become dated particularly quickly.
- Who is your favorite relative? It was my Uncle Bob until what he said last Thanksgiving; now it's my Aunt Sally.
- What was your childhood dream job? I don't know, I had lots.
- What is your go-to drink order? Similar to signature dish to cook. See above.
Perhaps offer some questions that are consistent and precise:
- What was the name of your elementary school?
- What was the make and model of your first car?
- What was the first concert you attended?
- In what city or town did your parents meet?
- What is your oldest sibling's middle name?
- What was the name of your first pet?
- What was the name of your first bank?
More guidance: https://www.okta.com/blog/2021/03/security-questions/
Anyone else have good questions that USM could use?