Security Questions: Can They Be Both Easy to Use and Secure?

I just logged into my ING Direct bank account and noticed a potentially frustrating hurdle on the way: the “Secret Question”. On this particular visit, here's the “Secret Question” I was asked:

Obviously, I'm not going to reveal the answer to my security question in this blog post. So let's just pretend I had originally entered another of my favorite movies, “The Miracle of Morgan's Creek”.

Upon login, if were enter “Miracle of Morgan's Creek”, I'd get an error message… because I left out “The”. If I'm lucky, I'll quickly realize what my “mistake” was and correct it. But it's easy to image someone getting very confused, not realizing where he'd made his mistake… or whether he'd entered the wrong movie. After all, some of us have lots of favorite movies.

On some visits, I'm asked where I was born:

Again, I can imagine problems. I could answer this question in numerous ways, including:

• Toronto
• Toronto, Ontario
• Toronto, Canada
• Toronto General Hospital

Yet another ING Direct security question that can be problematic is “What street did you grow up on?”

I moved around quite a bit as a kid; I “grew up” on several different streets. So we'll just assume we're talking about the first address I lived at, Brunner Drive. But even if I get that right, there's lots of room for stumbles: I have to remember whether I entered:

• Brunner
• Brunner Dr
• Brunner Dr. (with the period), or
• Brunner Drive

What we really should be testing is whether visitors can answer the question (which is easy, if they know the answer). We shouldn't be testing whether they happen to remember precisely how they formatted their answers. This can be hard, even if they do know the answer!

Some will argue that we should test whether users remember how they formatted their answers, just as we do with passwords. After all, it increases security. However, I'd argue that the usability issues this creates are just too great. Better to ask two easy-to-answer questions, than one ridiculously picky one!

There may be no perfect, fool-proof solution. But I think we can list some best practices that minimize visitor errors, while still ensuring security. I'd suggest the following guidelines, for starters:

• Try to ask questions that have one unambiguous answer, such as “What was the first street you remember living on?” or “What is your father's middle name? If he has several, what comes immediately after his first name?”
• Where appropriate, give hints on how to format the answer, for example “Leave out articles like “The” and “A”, or “Spell out the full name of your street. Don't use any abbreviations like 'St.' or 'Ave'”.
• Give visitors some choice as to which security question(s) they wish to use. (Sometimes it may be impossible to answer a question, for instance if your father doesn't have a middle name! Or the answer may be too easy for impostors to guess.)

These are just off the top of my head. If anyone has any further suggestions, please feel free to add them.