[makecheck]

If there’s one thing that needs to go away ASAP, it’s “security” questions. They are so time-consuming, they increase the amount of information shared with 3rd parties, and the quotes I used are intentional because the questions provide no security whatsoever. Quite the opposite: these questions simply force people to share more information than they should be required to share, and (for most people who don’t think to lie) it increases the chance that sensitive secrets will be revealed and used to impersonate people.

It’s even worse when these “security” questions are coupled with the “Monday-Friday, 9-5 ET” phone numbers. I once had a mobile login “lock out my account” on a Friday night and I was informed that I could not unlock it without calling one of those numbers and answering my “security” questions. So instead of having access as a customer, I had over two full days of nothing, followed by the obligation to find time to call these people, followed by the awkward process of wondering if I would even remember the damned questions or answers. Every last bit of that process is broken, wrong, unnecessary, adds no security, and disrespects customers.

And in case you think account-lockouts are any better, consider that it is TRIVIAL to use this as an attack. Someone you don’t like? Odds are you can find their E-mail log-in. “Guess” their password 3 times, and they can’t access their account at all for some extremely-inconvenient length of time. Ever-increasing delays between log-in attempts work just fine as an alternative to lockouts.