Ask HN: Is data collection the intended purpose of 'security questions'?

2 points0x7E34y ago3 comments

Security questions seem to fall into two categories. Either easily researched information "what is your mother's maiden name?" or something that "only you" would know. The problem with the first category should be obvious, and as for the second "What is your favorite flavor of ice cream?" "vanilla" is the equivalent of using a single dictionary word (from a very limited dictionary) as a password, and probably using the same single dictionary word as a password on multiple sites at that.

It seems to be fairly commonplace for people to answer them with gibberish to avoid the aforementioned problems, and (most? all?) websites will override them if you claim you don't remember what answers you gave. This appears to do nothing to make my account more secure, it just makes me want to avoid using your service.

So, for people who have implemented 'security' questions as a form of authentication, what purpose do you think they serve? Are the answers being sold? Is it just theater because you think it will make your users feel safer? Is there some other benefit to collecting this seemingly unnecessary data on your customers and storing it in plaintext that I'm failing to recognize?

3 comments

3 comments · 3 top-level

logicalmonster4y ago

To borrow an old saying, "Nobody ever gets fired for choosing IBM."

I don't know how frequently data collection happens with security questions, but I view security questions more as just a consequence of bureaucratic inertia and how development works. Imperfect security practices by developers persist because security is hard, many developers have no real formal training in it, and you follow along with what other developers have done and what you've seen in the wild because you have no other option to avoid making a fool of yourself. You're not going to get fired as a developer if you copy your bank's security practices: but you might if you try and innovate and get things wrong.

Think about something like complex password rules for websites. I can imagine that at one time there was a reasonable justification for that practice to emerge (training masses of people who never used computers before to choose complex passwords rather than just using a birthdate or simple word) but nowadays they're just a user-annoyance that decreases the security of passwords because it limits the number of possible character combinations. This practice seems to persist for no reason other than dumb bureaucratic inertia. Everybody does it: so that's the way it is. And since banks and big companies do it, this is the dumb practice that's going to persist for a while.

salawat4y ago

I've not been anywhere that actually got far enough to sell it. Mostly theater though. The real intent is to get at least a trio of data points to get the Signal to Noise Ratio somewhere comfortable for the sake of doing a high impact account action.

trinovantes4y ago

It's for non-techies to call in phone support asking for password reset. Easily defeated by social engineering but the alternative of locking countless people out of their accounts is worse for most businesses