!!! Overview
[{$pagename}] are often used for [Identification] or [Password Recovery] ([Password Reset]) purposes.

The [{$pagename}] feature is a security [anti-pattern]. 

[{$pagename}] typically include, but are not limited to:
* email address
* last name
* date of birth
* account number or customer number
* last 4 of social security number
* zip code for address on file
* street number for address on file
* mother's maiden name
* name of High School you attended

!! [Security Considerations]
* [{$pagename}] are nothing more than [Shared Secrets] and have been [deprecated] by [NIST.SP.800-63B]
* Most of the issues with [{$pagename}] stem from their susceptibility to the [Social Engineering Attack].

! [{$pagename}] [Example]
Sarah Palin's [Yahoo]! email account got hacked during a previous presidential campaign because the answer to her security question was... "Wasilla High School"!

Even with user-specified questions, it is highly likely that most users will choose either:
* A 'standard' secret question like mother's maiden name or favorite pet
* A simple piece of trivia that anyone could lift from their blog, LinkedIn profile, or similar
* Any question that is easier to answer than guessing their password. Which, for any decent password, is every question you can imagine.

In conclusion, security questions are __inherently insecure__ in virtually all their forms and variations, and [SHOULD NOT] be employed in an authentication scheme for any reason.

The __true reason__ why security questions even exist in the wild is that they conveniently save the cost of a few support calls from users who can't access their email to get to a reactivation code. This comes at the expense of security and Sarah Palin's reputation. Worth it? Probably not.



!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]