Overview
Identity questions are often used for Identification or Password Recovery (Password Reset) purposes.
The Identity questions feature is a security anti-pattern.
Identity questions typically include, but are not limited to:
- email address
- last name
- date of birth
- account number or customer number
- last 4 digits of social security number
- zip code for address on file
- street number for address on file
- mother's maiden name
- name of High School you attended
Identity questions are nothing more than Shared Secrets and have been deprecated by NIST.SP.800-63B.
Most of the issues with Identity questions stem from their susceptibility to the Social Engineering Attacker: the answers are facts about the user that other people can often discover.
Even with user-specified questions, it is highly likely that most users will choose either:
- A 'standard' secret question like mother's maiden name or favorite pet
- A simple piece of trivia that anyone could lift from their blog, LinkedIn profile, or similar
- Any question that is easier to answer than guessing their password. Which, for any decent password, is every question you can imagine.
In conclusion, security questions are inherently insecure in virtually all their forms and variations, and SHOULD NOT be employed in an authentication scheme for any reason.
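To make the contrast concrete, the following added example (written for this page, not code from the original or from NIST) puts a recovery flow gated by an identity question beside one gated by a random, single-use, expiring recovery token delivered out-of-band, which is the kind of mechanism NIST SP 800-63B favours over shared secrets. The class names, the sample account, the token lifetime and the injectable clock are all constructed assumptions for the illustration.

```python
"""Added example: identity-question recovery versus token-based recovery.
All names, the sample user record and the clock are constructed here;
none come from the original page."""
import hashlib
import hmac
import secrets
import time

RECOVERY_TOKEN_TTL_SECONDS = 15 * 60   # constructed value: 15-minute lifetime


class QuestionRecovery:
    """Weak pattern: password reset gated by an identity question.

    The 'secret' is low-entropy, often public-record data, so anyone who
    can look it up is indistinguishable from the account holder."""

    def __init__(self, question: str, answer: str):
        self.question = question
        self._answer = answer.strip().lower()   # typical normalisation

    def can_reset(self, supplied_answer: str) -> bool:
        return supplied_answer.strip().lower() == self._answer


class TokenRecovery:
    """Stronger pattern: a random, high-entropy, single-use, expiring
    recovery token sent out-of-band to a verified contact address.
    Only a hash of the token is stored, so a leaked database does not
    yield usable tokens."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock for testing expiry
        self._token_hash = None
        self._expires_at = 0.0

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._expires_at = self._now() + RECOVERY_TOKEN_TTL_SECONDS
        return token                                # deliver out-of-band

    def can_reset(self, supplied_token: str) -> bool:
        if self._token_hash is None or self._now() > self._expires_at:
            return False
        supplied_hash = hashlib.sha256(supplied_token.encode()).hexdigest()
        ok = hmac.compare_digest(supplied_hash, self._token_hash)
        if ok:
            self._token_hash = None    # single use: burn the token on success
        return ok


def demo() -> dict:
    """Exercise both flows and return the outcomes for inspection."""
    # Constructed sample account: the 'secret' answer is public-record data.
    q = QuestionRecovery("mother's maiden name", "Smith")
    # A value found in a genealogy record or social profile passes the check.
    question_bypassed = q.can_reset("  smith ")

    clock = [1_000_000.0]                          # constructed fake clock
    t = TokenRecovery(now=lambda: clock[0])
    token = t.issue()
    wrong_guess = t.can_reset("not-the-token")     # random guess fails
    first_use = t.can_reset(token)                 # genuine token succeeds once
    replay = t.can_reset(token)                    # replay fails: burned

    token2 = t.issue()
    clock[0] += RECOVERY_TOKEN_TTL_SECONDS + 1     # let the token age out
    expired = t.can_reset(token2)                  # stale token fails

    return {
        "question_bypassed": question_bypassed,
        "wrong_guess": wrong_guess,
        "first_use": first_use,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The question-based check accepts any caller who knows a fact about the user; the token-based check accepts only a holder of a fresh random value, rejects replays and expired tokens, stores only a hash, and compares in constant time. The remaining risk moves to the out-of-band channel (the user's mailbox), which is the problem the page's closing paragraph refers to.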
The true reason why security questions even exist in the wild is that they conveniently save the cost of a few support calls from users who can't access their email to get to a reactivation code. This comes at the expense of security and Sarah Palin's reputation. Worth it? Probably not.