I was just asked two security questions by Apple after trying to buy an app. Apple says it’s the first app on this device, but what they really mean is “the first app on this device with iOS 7”. I didn’t know the answer to either of them, so I now have to reset them and who knows what else.
I have no idea who decided that security questions were a good idea in the first place. The answer to the question can usually either be easily researched (maiden names, first teachers, first cars, …) or is hard to remember. The first case is a problem because such questions then don’t really provide any security; they only add friction to the process.
Remembering the answers is a bigger problem, for a few reasons. Some of the questions are hard to answer in the first place – I for one have no idea what my first concert was, and even if I think about it, I have no idea whether, when setting the answer, I thought the one at school counts or it was the first one I bought tickets for myself, which band I wrote, or whether I wrote all of them, in what order and in what form. Geographic questions are also much fun because you never know how local your answer was – was it the street, town, county, state, … And because of the first issue, the easily researched questions get tricky answers that you never remember again unless they are really obvious, which in turn makes them easy to break.
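One mitigation for the “which form did I write it in” part of the problem, shown here as an added example that is not from this post: a service can normalize an answer before hashing it, so that case, accents, punctuation and spacing no longer matter at verification time. The function names, the PBKDF2 parameters and the sample answers are my own assumptions. Note what this does not fix: “Main St.” and “Main Street” still differ, and nothing here makes an easily researched answer any harder to guess.

```python
"""Normalized, salted comparison of security-question answers (added example)."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so formatting differences do not cause a mismatch.

    Case, accents, punctuation and whitespace are removed. Semantic ambiguity
    ("Main St." vs "Main Street", one band vs the whole line-up) is not touched:
    that part still rests on the user's memory.
    """
    text = unicodedata.normalize("NFKD", answer)          # split accents off base letters
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()                                 # stronger than lower() for e.g. "ß"
    return re.sub(r"[^a-z0-9]", "", text)                  # drop punctuation, symbols, spaces


def enroll(answer: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """Store only a salted, slow hash of the normalized answer, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)    # constructed per record
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time check of a candidate answer against an enrolled record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed sample: the user enrolled "Main St." and later types it differently.
    rec = enroll("Main St.")
    for attempt in ["main st", "  MAIN   ST  ", "Main Street", "Springfield"]:
        print(f"{attempt!r:16} -> {verify(rec, attempt)}")
```

The normalizer is deliberately lossy: stripping everything but letters and digits means a user who wrote “Zoë’s Café” can later type “zoes cafe” and still pass. Abbreviations are left alone on purpose, because expanding them silently would shrink the answer space even further.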
I can see some value in these kinds of questions when there is a person on the other side, but only if that person is trained to recognize people who make up stories and lie. But this doesn’t happen very often.
So if you want something to be secure, make users select stronger passwords. Don’t add shit that doesn’t add security, only problems.