A security question is a form of shared secret[1] used as an authenticator. It is commonly used by banks, cable companies and wireless providers as an extra security layer.
Financial institutions have used questions to authenticate customers since at least the early 20th century. In a 1906 speech at a meeting of a section of the American Bankers Association, Baltimore banker William M. Hayden described his institution's use of security questions as a supplement to customer signature records. He described the signature cards used in opening new accounts, which had spaces for the customer's birthplace, "residence," mother's maiden name, occupation and age.[2]
Hayden noted that some of these items were often left blank and that the "residence" information was used primarily to contact the customer, but the mother's maiden name was useful as a "strong test of identity." Although he observed that it was rare for someone outside the customer's family to try to withdraw money from a customer account, he said that the mother's maiden name was useful in verification because it was rarely known outside the family and that even the people opening accounts were "often unprepared for this question."[2] Similarly, under modern practice, a credit card provider could request a customer's mother's maiden name before issuing a replacement for a lost card.[1]
In the 2000s, security questions came into widespread use on the Internet.[1] As a form of self-service password reset, security questions have reduced information technology help desk costs.[1] By allowing the use of security questions online, they are rendered vulnerable to keystroke logging and brute-force guessing attacks,[3] as well as phishing.[4] In addition, whereas a human customer service representative may be able to cope with inexact security answers appropriately, computers are less adept. As such, users must remember the exact spelling and sometimes even the case of the answers they provide, which poses the threat that more answers will be written down, exposing them to physical theft.
Due to the commonplace nature of social media, many of the older traditional security questions are no longer useful or secure. A security question is just another form of a password mechanism. Therefore, a security question should not be shared with anyone else, or include any information readily available on social media websites, while remaining simple, memorable, difficult to guess, and constant over time. Understanding that not every question will work for everyone, RSA (a U.S. network security provider, a division of EMC Corporation) gives banks 150 questions to choose from.[1]
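Because a security answer is "just another form of a password mechanism", it should be stored and checked like one, while the exact-spelling and case problem noted above can be softened by normalizing the answer before hashing, and online brute-force guessing can be blunted with a per-account attempt limit. The following is an added illustration, not code from any provider or from the sources cited here; the lockout threshold and PBKDF2 parameters are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values for this example (not from any standard or vendor).
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalise an answer so "Smith", " SMITH " and "smith" all match:
    Unicode NFKC, case-fold, and collapse runs of whitespace."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def enroll_answer(answer: str) -> dict:
    """Store only a salted PBKDF2-HMAC-SHA256 hash of the normalized answer,
    never the plaintext, exactly as one would for a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "attempts": 0}


def verify_answer(record: dict, candidate: str) -> bool:
    """Compare in constant time; count failures and refuse further checks
    once the account is locked, even if the guess happens to be correct."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(),
        record["salt"], PBKDF2_ROUNDS)
    if hmac.compare_digest(digest, record["hash"]):
        record["attempts"] = 0
        return True
    record["attempts"] += 1
    return False


if __name__ == "__main__":
    rec = enroll_answer("Van Der Berg")            # constructed sample answer
    print(verify_answer(rec, "  van der   berg "))  # True: normalized match
    print(verify_answer(rec, "vanderberg"))         # False: different answer
```

The slow hash limits offline guessing if the record store leaks; the attempt counter addresses online guessing, and a real deployment would also log lockouts so that repeated failures are visible to monitoring.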
Many have questioned the usefulness of security questions.[5][6][7] Security specialist Bruce Schneier points out that since they are public facts about a person, they are easier for hackers to guess than passwords. Users who know this create fake answers to the questions, then forget the answers, thus defeating the purpose and creating an inconvenience not worth the investment.[8]