It used to be a good idea. Ask something that was immediately obvious to YOU and knowable only by you or a very few people – and make it the last line of defense for a password reset or some other high-security function. Mother’s maiden name. City you were married in. Make and model of your car.
Until, like everything, it gets carried to an extreme. Take, for instance, the Apple ID reset process. Let’s look at these security questions…
I suppose the standard response would be (if the answer is not readily available): MAKE SOMETHING UP and remember it! But wasn’t the purpose of these security questions NOT to have to remember ONE MORE THING? Heck, if I were good at that I wouldn’t have forgotten my password in the first place!
…and then there was the concept of REUSE. Use a question that asks for personal information but whose use is fairly standard across websites (mother’s maiden name, for example). That, of course, leaves one open to the possibility that a breach at one site is a breach of all of them: the same answer, given to every site, is only as safe as the least careful site that stores it.
This we at Gartner would classify as a wicked hard problem of identity and authentication. And there is no answer yet (two-factor authentication aside). The Achilles heel of virtuality.
These “first job” questions – do you mean my paper route, my part-time job after high school, or my full-time job after college? The first one that actually paid me? Or the first that paid me a salary?
That first album I purchased? Duh, maybe it was Jimi’s “Live at the Fillmore East”, which explains why I can’t remember a dang thing….
We’ll talk about wicked hard problems like that, and more, at this year’s Catalyst Conference in San Diego.