Best Practices for Choosing Challenge Questions for Bank and Credit Union Web Sites
By Jason Sherrill
Posted on Feb 21, 2008
Today I signed into one of my AT&T accounts and was presented with their risk-based authentication (RBA) setup page. The challenge question choices they presented reminded me how important it is to follow a few simple rules when picking the challenge questions you offer your users to choose from.
Here are the rules:
- Choose questions that don't have a limited number of answers
- Choose questions whose answers aren't likely to change over time
- Choose questions that everyone can answer
- Choose questions that can only be answered one way
Choose Questions That Don't Have a Limited Number of Answers
What is your favorite color? While there may be an infinite number of colors in the universe, there are probably five or fewer colors that 80% of the population is likely to tell you are their favorite - red, blue, yellow, orange, green and black. If your application allows someone multiple chances to input an answer, you've just made a hacker's job much easier by asking people to answer a question with such a small pool of likely answers.
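To make that first rule measurable, here is an added Python example that is not from the original post. It estimates how many accounts an attacker would open by trying a question's most common answers in order until the site's lockout limit, and compares that with the question's min-entropy. The answer frequencies (`FAVORITE_COLOR`, `FATHERS_MIDDLE_NAME`) are constructed for illustration, not survey data; the color figures are chosen so that the five most common colors cover 80% of users, matching the claim above. The function names are mine.

```python
"""Added example, not from the original post: quantify how guessable a
challenge question is given its answer distribution and the number of
attempts the site allows before locking the account. All answer
frequencies below are constructed for illustration, not survey data."""
from math import log2

# Constructed: share of users expected to give each answer. "other" stands
# for the long tail of rare answers an attacker cannot submit as one string.
FAVORITE_COLOR = {
    "blue": 0.30, "red": 0.20, "green": 0.15, "black": 0.10,
    "yellow": 0.05, "orange": 0.05, "other": 0.15,
}
FATHERS_MIDDLE_NAME = {
    "james": 0.03, "lee": 0.025, "michael": 0.02, "other": 0.925,
}


def ranked_guesses(distribution):
    """Single answers ordered from most to least common, skipping the
    "other" tail, which is not a guessable string."""
    return sorted(
        ((answer, p) for answer, p in distribution.items() if answer != "other"),
        key=lambda item: item[1], reverse=True,
    )


def success_within(distribution, attempts):
    """Fraction of accounts opened by trying the most common answers in
    order and stopping at the lockout limit."""
    return sum(p for _, p in ranked_guesses(distribution)[:attempts])


def min_entropy_bits(distribution):
    """Min-entropy, -log2(p_max): the guessing-strength figure for a
    secret. It depends on the single most popular answer, not on how
    many distinct answers exist in the universe."""
    return -log2(ranked_guesses(distribution)[0][1])


def question_is_acceptable(distribution, attempts, max_success=0.01):
    """Policy check to run over a candidate question list at design time:
    reject any question that opens more than max_success of accounts
    under the site's lockout limit."""
    return success_within(distribution, attempts) <= max_success


if __name__ == "__main__":
    for name, dist in (("favorite color", FAVORITE_COLOR),
                       ("father's middle name", FATHERS_MIDDLE_NAME)):
        for attempts in (1, 3, 5):
            print(f"{name:22s} {attempts} tries: {success_within(dist, attempts):.1%}"
                  f" ({min_entropy_bits(dist):.2f} bits min-entropy)")
```

With the constructed numbers, three attempts at "favorite color" succeed against 65% of accounts, five against 80%; the same three attempts at "father's middle name" reach about 7.5%. The lockout limit and the answer distribution together decide the risk, so both belong in the review of a question list.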
Choose Questions Whose Answers Aren't Likely to Change Over Time
Here is the list of questions that the AT&T site presented:
My answers to three of these four questions have changed at least once in the past year. My favorite restaurant changes every six months. My favorite singer? Heck, I can't even answer that question because I don't have one. My favorite actor, today, is a different answer than it was last year. Instead choose questions like, "What is your father's middle name?" Most people don't change their middle names, so that's a fairly static question and has a large universe of possible answers.
Offer Questions That Everyone Can Answer
I don't own a dog, nor a cat, nor a bird. I own fish, but I don't name my fish. I realize that I'm in the minority, since millions of people in the U.S. own a pet with a name. But it's still a question that I can't answer. I also don't have a childhood hero, at least not one that I remember, so I can't answer that question either. Not too long ago I visited a bank website that provided four questions for me to choose from. I don't remember all of the questions, but three of the four I could not answer, and they made me choose two. So I had to make up an answer to one of them, but I'll guarantee you that I won't remember the answer when the site asks me again in a month.
Choose Questions That Users Can Only Answer One Way
- What is your sibling's name?
- What was your first car?
If you have more than one sibling, you may not remember which sibling's name you used when you answered that question. A better question would be, "What is the name of your oldest sibling?" Likewise, an improvement to the second question would be "What was the make of your first car?" or "What was the model of your first car?"
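The "only one way to answer" rule also has a mechanical half that the site's verification code must handle: even with an unambiguous question, the same sibling or car gets typed months later with different capitalization, spacing, accents and punctuation. The following Python example is added here and is not the post's or any bank's code. It canonicalizes an answer before hashing, stores a per-user salted slow hash (challenge answers are far lower-entropy than passwords), and compares in constant time. The names `normalize_answer`, `register_answer` and `verify_answer` are mine, and the sample answers are constructed.

```python
"""Added example, not from the original post: canonicalize a challenge
answer so one intended answer has one stored form, then store and verify
it the way a low-entropy secret should be handled."""
import hashlib
import hmac
import os
import unicodedata


def normalize_answer(answer: str) -> str:
    """Map the ways a user might type the same answer onto one string:
    strip accents (NFKD, then drop combining marks), case-fold, and keep
    only letters and digits so spacing and punctuation do not matter.
    "O'Brien " and "obrien" become the same value."""
    decomposed = unicodedata.normalize("NFKD", answer)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in without_marks.casefold() if c.isalnum())


def register_answer(answer: str, iterations: int = 200_000) -> dict:
    """Store a per-user salted PBKDF2-HMAC-SHA256 hash of the normalized
    answer. Answers are weaker than passwords, so a deliberately slow hash
    is the minimum; a fast hash lets anyone holding the database run the
    whole answer universe in seconds."""
    canonical = normalize_answer(answer)
    if not canonical:
        # A blank or punctuation-only answer usually means the user could
        # not answer the question at all (the post's third rule).
        raise ValueError("answer is empty after normalization")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the hash over the normalized candidate and compare in
    constant time so response timing reveals nothing about the stored digest."""
    canonical = normalize_answer(candidate)
    digest = hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    stored = register_answer("Civic")            # constructed sample answer
    print(verify_answer(stored, " civic"))       # same answer, different typing: True
    print(verify_answer(stored, "Honda Civic"))  # different string: False
```

Normalization only absorbs typing differences. "Honda Civic" and "Civic" still fail to match, which is exactly why the question itself must say whether it wants the make or the model; no amount of canonicalization repairs an ambiguous question.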
Example Questions You May Consider Using
- What is your father's middle name?
- What is your mother's maiden name?
- What is your maternal grandmother's maiden name?
- What is your cell phone's SIM card ID number? (careful, this could change often for some users)
- What was the model of your first car?