Security questions


Quite often now, when you create an account, you’re supposed to pick a question and enter your answer to it. There are many problems with this.

screenshot of a list of questions you can choose from and one of them (circled in red) is: what is your favourite security question?

Single question, the same for everyone

I used to work in an open plan office, where the team next to us would get calls from people needing emergency money (Community care grant). They were taking the people through a script, asking various questions to see why they needed the money, who they were, etc…and suddenly, out of the blue, we would hear:

“What’s the name of your childhood best friend?”

We could only hear one part of the conversation, so don’t know exactly how the person at the end of the line would react to that, but quite often we were rolling our eyes, thinking this script could do with some improvement(!) Most of the time, they had to explain why they were asking, “it’s for security reasons”.

Later I saw the associated form, which did explain why they were asking that one question.

screenshot of the form, with the question: For security reasons please tell us the name of your childhood best friend

But imagine: you’re calling because you need money, you’re probably not doing too well, and suddenly you’re asked for the name of a childhood friend. What if you didn’t have friends? Or had more than one? What name do you give? The real one? Their nickname? Full name? First name? Sometimes they were asked: can you spell this for me?

No question

Calling your bank or insurance company, you’re probably familiar with this scenario as soon as you reach someone:

  • What’s your account number / policy number?
  • What’s your full name?
  • Your date of birth?
  • First line of your address?
  • Postcode?

It never feels very secure: anyone with a letter from them could answer this.

Write your own question and answer

I’m helping people in a class to improve their digital skills by using various online forms. Last week, some of them were puzzled by the security question parts:

To register for a council tax online account, you have to enter a question of your choice and the answer to it.

screenshot of a form where you see the explanation: Create your security details

Please choose a username and supply a memorable question and answer e.g.

Memorable Question = "what is my favourite colour?"
Memorable Answer = "purple"
You will be asked for the answer to your question when you produce your ID.
Registering to Council Tax Online – account creation

This helps to find something relevant to you, I guess, which is good, but it’s awkward if you are not used to the process. People didn’t get why they were asked, and most of them ended up picking the one suggested, “what’s my favourite colour?”, which is not really secure.

Select a question in a list

Another form we help people with is the Universal Credit one, and during the account creation you need to pick 2 questions from a list:

list of questions to choose from: where were you born, colour of first car, father's main job, first concert, name of the street you grew up on, first job
Universal Credit – creating an account

Quite a few people in the group were a bit unsure what to choose in the second list. Not everyone goes to the cinema or on holiday, had a pet or has a car.

And here is ‘the best childhood friend’ again and you are to remember their surname.

List of 5 questions around: first film you saw at the cinema, name of first pet, first holiday, surname of best childhood friend, your mother's main job, make of your first car
Second set of questions for Universal credit

When the user is a child

When my children applied for the EU Settled status, they had the same security questions as adults. As a child, you can pick one from:

  • In what city or town did your wedding take place?
  • What is the first job you ever had?
  • What is the name of your partner?
  • What is your partner’s mother’s name?
  • What make was your first car?
first set of questions asking about your wedding, or 1st job, or town where your parents met, favourite teacher

I guess in that list, you can still use the one about the first school or favourite teacher, assuming you had one.

A lot of assumptions in these questions

Not everyone has ‘favourite’ drinks, food, colour, film, song etc… These questions often assume you have a ‘normal life’: a father and a mother, a pet, went to school, had a best friend, own a car, got married … all the stereotypes. This can make you feel uncomfortable each time you have to create an account.

I’m French, so names might have some accents, some dashes. I need to remember if I didn’t bother with the dashes or if I wrote them at the time. My birthplace town’s name has ‘Saint’ in it: did I write ‘Saint’ or its abbreviation ‘St’? Schools in France are often named after someone, so for example, one of my schools is: Lycée Édouard Branly. Can we put spaces between words? I need to get rid of the accents as most systems can’t cope with these. I’m sure many people have similar issues and even extra ones.

It’s often quite funny as well when someone on the phone needs to match what they see on their screen and the answer in French I’m giving them. They usually just accept my answer.
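The matching problem described above (accents, dashes, spacing, ‘Saint’ versus ‘St’), as an added example that is not part of the original post: a sketch of how a system could canonicalise a memorable answer before storing it as a salted hash, so that both spellings match and no one needs the answer on their screen. The abbreviation table, function names, work factor and the town name are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical abbreviation table; a real system would tune this per locale.
ABBREVIATIONS = {"st": "saint", "ste": "sainte"}
ITERATIONS = 600_000  # assumed PBKDF2 work factor


def canonical_answer(answer: str) -> str:
    """Reduce an answer to a form that ignores accents, case and punctuation."""
    # NFKD splits "É" into "E" plus a combining accent, which is then dropped.
    decomposed = unicodedata.normalize("NFKD", answer)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Dashes, apostrophes, dots and runs of spaces all become word separators.
    words = re.split(r"[\W_]+", unaccented.casefold())
    return " ".join(ABBREVIATIONS.get(w, w) for w in words if w)


def _derive(canonical: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, ITERATIONS)


def enroll(answer: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store; the plaintext answer is never kept."""
    salt = os.urandom(16)
    return salt, _derive(canonical_answer(answer), salt)


def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the canonicalised candidate against the record."""
    return hmac.compare_digest(_derive(canonical_answer(candidate), salt), stored)


if __name__ == "__main__":
    # Constructed sample inputs: the school name from the post, typed two ways.
    salt, stored = enroll("Lycée Édouard Branly")
    print(verify("lycee edouard-branly", salt, stored))  # same answer, typed plainly
    print(verify("Lycée Pasteur", salt, stored))         # different answer
```
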

I know a few people who just pick any question, any answer and save this somewhere with the password. Not very secure again.

More on Security

I don’t have a solution. But like CAPTCHA, I’d rather see security questions disappear.

On this subject, this talk by Jared Spool is really good and worth watching, I really recommend it: Insecure & Unintuitive: How We Need to Fix the UX of Security

On the subject of security questions, around 50min into the video, you’ll see an example where you have to select 5 security questions and the answers you can give have to be picked from a list…

Who knew that mashed potatoes could be some people’s favourite pizza topping?

Screenshot where you can see the long list of potential pizza toppings and you need to pick your favourite
From Jared Spool’s talk – 50min in

If you want to learn more about the classes to improve digital skills I’m involved in, here is the latest blog post I’ve written on this: