When you create an account, you may be prompted to set up a security question for authentication. Security questions add a layer of security alongside your login credentials. Following best practices for security questions involves using different questions for different accounts, avoiding self-written questions, using multiple security questions and updating security questions and answers regularly.
Continue reading to learn more about security questions and the recommended practices for choosing questions and creating answers.
What makes a good security question?
The best security questions and answers are safe, memorable, consistent, specific and unpredictable.
1. Safe: Ensure that the answer to your security question is confidential and cannot be easily guessed by others. For example, avoid using information in your answers that someone can find by searching your digital footprint such as your birthdate or street address.
2. Memorable: You should be able to recall the answer to your security question without writing it down. It should immediately pop into your head no matter how long it’s been since you’ve logged in. For example, the first concert you went to or the first country you visited are memorable. However, be sure that someone would not be able to find this information about you online by looking at your social media profiles.
3. Consistent: Ensure the answer to your security question is factual and cannot change over time. For instance, the name of the city where your parents met is likely to stay the same.
4. Specific: A broad answer can be ambiguous but also easy for cybercriminals to guess. For example, the name of your first pet is specific and unique to you, rather than answering just the type of animal such as a dog or cat.
5. Unpredictable: Ensure that the answer to your security question is not easily predictable or obtainable through public information. Avoid using common details such as your favorite color or favorite food.
With the use of a password manager, however, you do not need to worry about ensuring your answers are memorable or consistent, because you can store both the questions and answers in your secure digital vault, and easily retrieve them from any device.
Best practices for security questions
You should follow these best practices to ensure security questions maintain the security of your accounts.
Use different security questions for different accounts
Employing different security questions across multiple accounts ensures your accounts cannot be easily compromised. If you use the same security questions and answers across accounts, an attacker could use the same information to hack into multiple accounts. By setting up different questions and answers, you can prevent attackers from attempting to compromise multiple of your accounts using the same information in the event they guess the answer.
Avoid self-written questions
If you’re given the option to write your security questions, you may unintentionally choose questions with answers that are easy to guess or are publicly available through online sources. Avoid opting to write your security questions and instead use the questions already written by the website.
Use multiple security questions
Setting up multiple security questions increases the security and assurance level of the authentication process, reducing the window for cybercriminals to gain unauthorized access since they’ll have to answer all security questions correctly.
Update your security questions
You should regularly review your security questions to maintain the security of your accounts. This allows you to confirm that you still know the answers and assess whether any updates or changes are necessary. Updating security questions also enhances the security of your account since it allows you to choose new, more secure questions or answers.
Examples of good security questions
Here are four examples of good security questions.
- What is the name of your favorite childhood character? This question is not only unique to you but your answer will likely never change.
- In which city did your parents meet? This is a good question because it should be followed by an unchanging and consistent answer. The answer is also a personal detail with a long list of potential answers.
- What is the name of your first childhood pet? This question is memorable and specific to you. Additionally, it’s unlikely that anyone else would know the answer if you avoid oversharing on social media.
- What is the middle name of your oldest cousin? This is a good question because it’s something only you would know. Threat actors will have a difficult time finding your cousin’s information, let alone their middle name.
Examples of bad security questions
Here are four bad examples of security questions.
- What city were you born in? This is a bad question because this information could be found on social media apps and also easily guessed.
- What high school did you attend? This information can also be found on social media, such as your Linkedin, Instagram or Facebook account.
- What is your favorite color? There is a limited range of possible answers, leading to the answer being easily guessed. Unless you are really specific such as answering as “Turquoise aqua blue.” But even then, you must be able to recall this information quickly.
- What is your mother’s maiden name? Threat actors could find this information through public records or social engineering. Moreover, surnames can be predictable based on your region and culture.
Alternative authentication methods
While security questions are a good method of authentication, there are several alternatives you should use if given the option that provide more security.
1. Hardware security keys: A hardware security key is a physical device used to authenticate a user. Once a security key is registered to an application, you’ll be able to tap or insert the key as a form of authentication, in addition to entering your login credentials.
2. Passkeys: A passkey is a form of passwordless authentication in which a cryptographic key pair is used to authenticate a user’s identity. When asked to verify your identity with a passkey, you’ll be prompted to provide your biometrics.
3. Time-based One-Time Password (TOTP): TOTP is an authentication method where unique codes are generated by an algorithm. TOTPs are provided through an authentication app, email, text message or phone call and are only valid for 30-60 seconds.
4. Magic links: A magic link is a form of passwordless authentication in which a user is verified by clicking a link that is sent via email or text message. After entering your login credentials, the app will generate a link with an embedded token for you to click on. Once you click on the link, the service will confirm that the token matches and grant you access to your account.
Store your security questions and answers with Keeper®
Remembering security questions and answers can be difficult, especially with how many accounts the average person has. The best and simplest way to manage your security questions and answers is by using a password manager. A password manager enhances security question management by securely storing all of your answers. Password managers are encrypted and designed for users to keep their passwords, Multi-Factor Authentication (MFA) codes, security questions and other sensitive information, secure and easily accessible.
Securely store your security questions and answers with Keeper Password Manager. Start a free 30-day trial today.
