Set a strong security question for accounts

A security question is a long-standing secondary technique to authenticate users. Such identity verification can require anything from the city or town you were born to your preferred musical genre.

Follow the guidelines below to pick the most secure questions and keep answers safe.

What is a security question? 

Security questions represent an authentication method frequently used for processes like account recovery. Users can only reset their passwords by answering predetermined questions correctly. 

Login attempts can also call for entering the question-password combination. However, this authentication strategy has severe flaws.

In most cases, two-factor authentication is a superior option for securing your accounts. Many services no longer include security questions as a trusted authentication factor. 

Most common security questions

You can notice many variations of questions. However, you might have used or heard about the following ones: 

1. What is your mother’s maiden name? 
2. What is the name of your first pet? 
3. What was the model of your first car? 
4. When did your mother and father meet? 
5. In what town did your mother live? 
6. What is the first book you have ever read? 
7. What is the name of your first high school teacher? 
8. When was your oldest cousin born? 

You should also be able to set custom questions. But remember that it is easy to find personal facts about someone via social media.

Requirements for security questions 

The chosen security question should have a balance between strength and memorability. 

• Memorable: you need to remember the answer even years after setting it. 
• Confidential: your security question needs to be a secret. Its answer should not be available anywhere online. 
• Secure: it should be impossible to guess the correct answer. 
• Many possible answers: the chosen security question should have many possible answers. 
• Fixed answer: the answer should not change over time. 

Concerns regarding security questions 

Security questions make account management as user-friendly as possible. However, simplicity can open unnecessary venues for account takeover or hacking. 

However, Google published an analysis of security questions and their reliability in 2015. From this, we can draw multiple conclusions regarding their usability and reliability: 

• Memorable and simple answers are not secure, as attackers can guess them. Perpetrators have a nearly 20% chance of guessing the favorite food of English-speaking users on the first try. 
• Difficult answers are not as user-friendly, making them less convenient than popular 2FA methods.
• Google also concluded that faking answers is not a safe practice. It can increase the chances of forgetting the correct answers.

What are the chances of an attacker finding the answer online? 

It is a liability if you have publicly shared the personal information used in security questions. Anyone can retrieve it and attempt to take over your accounts. 

What are the chances an attacker can guess the answer? 

National characteristics or general tendencies can help criminals guess answers to security questions. Thus, consider whether your chosen answer to the question could be popular in your region. 

Should you provide honest answers to security questions? 

Providing fake answers to a security question has its pros and cons. Bogus answers mean attackers won’t find them online. However, it also means you can forget the fake answer. 

Should you add one security question or multiple ones? 

Some services let you set several questions. These additional obstacles minimize the chances of an unknown attacker answering each question correctly. 

However, multiple questions prolong the login or recovery process. 

Ditch security questions: account protection alternatives 

Even if you use security questions, they should accompany other account protection strategies. However, a good security question can be an option if services do not support 2FA. 

1. Create strong and unique passwords for each account created. 
2. Implement 2FA or MFA on your account to prevent unauthorized access. 
3. Do not provide unnecessary information on your profile. Services should know as little about you as possible. 
4. You should avoid using single sign-on options due to pre-hijacking possibility.
5. Add a backup email address or phone number. Restoring passwords when you lose access to your main email account can be a pain. So, add backup information to restore lost access. 
6. Store login credentials in password managers. These applications can protect devices and keep passwords safe. 
7. Install a Virtual Private Network. A VPN is a tool that can help you add another layer of security to your accounts. It ensures that the information transfers happen via secure connections.