by Craig Roth | May 20, 2013 | The Travesty of Security Questions: +1
Jack, I think you’re on to something with your post on The Travesty of Security Questions. In addition to yours, I have my own issues with security questions. Life is complicated and doesn’t offer easy answers to these questions.
First is one you touched on, which is the ambiguity built into seemingly simple questions. For example, when it asks “city where you were born”, does it mean literally the city where the hospital was (which I almost never go to), the city where I grew up and would answer if someone at a party asked “where were you born?”, or the greater metropolitan area (which is what I’d answer if someone from another city asked)? Is the first thing I learned to cook “Italian”, “pasta”, or “pesto”? Is my favorite singer “Mellencamp”, “John Mellencamp”, “John Cougar Mellencamp”, … Yeah, my mind works that way and comes up with multiple correct answers.
Second is answers that change over time, like “favorite” questions. Asking my favorite restaurant or song really means trying to think what my favorite was five years ago when I bought my last computer and answered that question.
Third is that many questions don’t guard against ex-friend or pernicious relative hacking, which I’d imagine is a serious problem for some people. Someone who used to know you well, and whom you don’t want hacking your accounts, probably knows the answers to all sorts of questions about the street you lived on, model of car, name of high school, pets, and maybe “favorite” questions. There are probably a dozen people I know that could answer most of these personal questions about me.
Fourth is that half of them don’t have an answer for me, from favorite film star to childhood nickname.
Since these questions are usually offered in batches of six or so, I have sometimes looked down all of the questions and not found a single one that I can answer consistently. Maybe I have to invent an alter ego with a strong, consistent personality that has led a simple, unambiguous life.