scatterdarknessscattersilence:
I.
It seems like constructing good security questions is Hard.
II.
On the one hand, if the site makes you choose among a set of pre-written questions, they’re inevitably so generic that anyone who’s friends with you on Facebook could find out the answers in five minutes. What’s your mother’s maiden name? is the cliché, of course, but what street did you grow up on? and who was your first kiss? and where does your oldest sibling live? aren’t much better.
Half of them don’t apply to any given person – what color was your first car? for someone who doesn’t drive, where was your honeymoon? for someone who isn’t married.
Others have so few possible answers that they can’t really be providing any level of security – people’s first cars are pretty likely to be red or gray or black, people’s favorite flavor of ice cream is pretty likely to be chocolate or vanilla or rocky road.
And nearly all of them that aren’t as straightforwardly googleable as where did you go to high school? are so boringly generic that you have no chance of remembering them by the time you need them: what is your favorite movie? where was your best vacation? Who knows what I put for that last year!
III.
On the other hand, letting users construct security questions isn’t any better.
It seems like it should be! I can come up with a dozen questions for myself that no one else would be able to answer and I would know right away. Off the top of my head:
- What did your sister used to call mango spears?
- What do you run at night for allergies?
- What do you shout while stabbing the ceiling with a foil?
- What dangerous thing could be where you used to hide your diary?
- What did you name your baby blanket?
(If anyone guesses any of these I will be very impressed. Or have made a tumblr post I totally forgot about mentioning them, I guess.)
But in practice, if you let people enter custom questions, you apparently get:
- What color is a banana?
- How many fingers do I have?
- What rhymes with ‘assword’?
(Conclusion: people fail at theory of mind.)
IV.
Proposal: build-your-own security questions.
(I know nothing about security, so this probably has some glaring flaw in it that I’m just overlooking. But.)
Give the user a row of dropdowns, and make them choose one value for each. That’s their security question. Then they can type in a freeform answer, as usual.
It might look something like this, with square brackets indicating dropdown lists:
What
[is/was/would be]
the
[name/nickname/middle name/last name/maiden name/color/flavor/model/location/occasion/obstacle/interruption/defining feature/cause/number/topic/protagonist]
of
[your/your mother’s/your father’s/your oldest sibling’s/your youngest sibling’s/your oldest child’s/your youngest child’s/your best friend’s/your spouse’s/your pet’s]
[first/second/last/best/worst/favorite/least favorite/cutest/scariest/only/oldest/youngest/usual/dream/secret/emergency/imaginary/home/nearest/farthest/longest/shortest/weirdest]
[friend/child/job/vacation/teacher/kiss/enemy/toy/car/street/song/game/school/hero/book/movie/food/dessert/injury/fear/dream/comfort object/house/crush/character/boyfriend/girlfriend]
[now/as a baby/as a toddler/as a child/as a teenager/in elementary school/in high school/in college/before marriage]
?
Some sample questions someone might construct from that:
- What [was] the [nickname] of [your oldest child’s] [weirdest] [toy] [as a toddler]?
- What [is] the [middle name] of [your youngest sibling’s] [worst] [enemy] [now]?
- What [would be] the [defining feature] of [your pet’s] [dream] [house] [in college]?
Obviously these are a bit clunkily phrased – the last, for instance, would make more sense as “the dream house of your college pet” – but it’s clear enough what they mean. And sure, you can construct nonsensical questions – what [would be] the [flavor] of [your pet’s] [dream] [dream] [in elementary school]? – but if someone can come up with and remember an answer to that, more power to them.
There’s enough room for customization that you can narrow down something that’s actually unusual and memorable (yes, my youngest sibling has a worst enemy). And even at the low end of creativity, it’s going to be hard for users to create something worse than the typical security questions; I suppose you could go for what [is] the [name] of [your father’s] [only] [child] [now], but that takes deliberate effort; casual laziness is more likely to end up with something comparable to a typical security question: [what was] the [flavor] of [your] [favorite] [dessert] [as a child]?
It doesn’t seem like it would be significantly harder to set up this system than the standard kind. Maybe even easier, when you take into account not having to come up with a bunch of security questions yourself. The combinatorial explosion of possible questions means it’s OK if you borrow the dropdown lists of possibilities from some other site; there’ll still be way less repetition of questions than usual.
And those possibility lists are just off the top of my head; if I sat down and took an hour to come up with more, I bet I could enable a really good variety of useful questions. Maybe having to deal with multiple dropdowns is more of a pain than users are willing to put up with? I’m not sure why a compromise solution like this isn’t already in use.
@scatterdarknessscattersilence there’s a bot in here somewhere, I’m sure of it
you could def generate something like that in Tracery, even just have it randomly generate a few and pick from them instead of dropdowns
So uh. I was bored and wrote it.
I don’t know how useful it is for actual security questions, but it’s fun to play with!
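The dropdown scheme from section IV and the random-generation idea from the reply, as an added example (not code from the original post or from the bot mentioned above). It counts the "combinatorial explosion" of possible questions, validates a submitted selection against the lists on the server side, and generates random candidates. The slot labels (`tense`, `attribute`, `owner`, `qualifier`, `thing`, `when`) and function names are assumptions made for this sketch; the list contents are copied from the post.

```javascript
// Dropdown lists copied from the post, one array per slot, in display order.
const SLOTS = [
  "is/was/would be",
  "name/nickname/middle name/last name/maiden name/color/flavor/model/location/occasion/obstacle/interruption/defining feature/cause/number/topic/protagonist",
  "your/your mother’s/your father’s/your oldest sibling’s/your youngest sibling’s/your oldest child’s/your youngest child’s/your best friend’s/your spouse’s/your pet’s",
  "first/second/last/best/worst/favorite/least favorite/cutest/scariest/only/oldest/youngest/usual/dream/secret/emergency/imaginary/home/nearest/farthest/longest/shortest/weirdest",
  "friend/child/job/vacation/teacher/kiss/enemy/toy/car/street/song/game/school/hero/book/movie/food/dessert/injury/fear/dream/comfort object/house/crush/character/boyfriend/girlfriend",
  "now/as a baby/as a toddler/as a child/as a teenager/in elementary school/in high school/in college/before marriage",
].map((list) => list.split("/"));

// Number of distinct questions the dropdowns can express (product of list sizes).
function questionSpaceSize() {
  return SLOTS.reduce((n, list) => n * list.length, 1);
}

// Server-side check: accept exactly one listed value per slot, then render.
// Rejecting anything else is what keeps a freeform "What color is a banana?"
// from being stored as somebody's question.
function buildQuestion(choice) {
  if (!Array.isArray(choice) || choice.length !== SLOTS.length) {
    throw new Error("expected one value per dropdown");
  }
  choice.forEach((value, i) => {
    if (!SLOTS[i].includes(value)) throw new Error(`slot ${i}: value not in list`);
  });
  // Slot labels below are names chosen for this sketch, not from the post.
  const [tense, attribute, owner, qualifier, thing, when] = choice;
  return `What ${tense} the ${attribute} of ${owner} ${qualifier} ${thing} ${when}?`;
}

// Random candidate, as the reply suggests. The question text is shown to anyone
// who attempts account recovery, so it is not a secret and Math.random suffices.
function randomQuestion(rng = Math.random) {
  return buildQuestion(SLOTS.map((list) => list[Math.floor(rng() * list.length)]));
}

// Offer the user a handful of generated questions to pick from.
function candidates(n, rng = Math.random) {
  return Array.from({ length: n }, () => randomQuestion(rng));
}

console.log(`${questionSpaceSize()} possible questions`);
console.log(candidates(3).join("\n"));
```

The count measures how varied the questions can be, not how hard a given answer is to guess; a question whose answer is one of a few colors stays weak however rare the question itself is.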