In the Details: Questions
Why is it that so many financial sites think that a bevy of questions is a good security precaution? I’m willing to believe that it is potentially an acceptable backup, but I find many of their implementations to be lacking. Take this one, for example, from a credit card company.

They provide a list of 10 predefined questions, from which I am expected to choose five. I have a few criteria for selection of questions:
- It has to be a question for which I have a definite answer. So, questions about favorite color, food, and the like don’t work.
- It has to be a question for which there is only one correct answer. So, asking me where I went to college is no good. I attended two—one for undergrad and the other for my masters. This also loosely applies to things that could be abbreviated, or that have multiple names.
- It has to be a question to which the answer will not change. So, asking me where my office is located is a poor choice. We’ve moved about every five years.
- It has to be a question that I know the answer to off the top of my head. I don’t want to have to look it up, and I can’t rely on having the information at hand.

So, evaluating the provided options, I can immediately discard numbers 4, 7, and 8. Questions 5 and 9 have the same answer, which seems less secure, so I cut one of those. The first one is a little iffy due to a name change at one point and the use of a hyphen. I don’t trust myself to answer it exactly the same way every time. Now we’re down to five, but the last one I would prefer to abbreviate due to the length of the name, which violates criterion number 2.

I much prefer the sites (which are few) that allow me to write my own questions. I can easily write questions that fulfill all my criteria and are more secure, due to the fact that they cannot be looked up on the web, unlike the name of my high school.