by developer2 3188 days ago
The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

These are supposed to be the very last line of defense for security, including if you lose your password manager. As an exaggerated analogy, imagine that being unable to answer these questions meant your house, car, and life savings are taken from you. That is how important these answers are, except you're "only" losing one online account at a time.

Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere. The reason behind why security questions exist is a good one, but they don't offer enough security when used as intended (memorable, non-random data). The problem is there is currently no better alternative, short of requiring you to tie your legal identity to every account, and having to show up in person with photo ID to regain control of an account you've lost access to.

Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

7 comments

Hum... I'd say that the entire point of security questions is that incompetent people can appease non-technical bosses by claiming that they follow best practices.

Where they stand at the security line is irrelevant, because their mere existence in a place is already a symptom of a deep level of incompetence and an almost sure prediction of a compromised system. Besides, security is usually chain-like (compromise one node and it's broken), not army-like (compromise one node and you'll have to fight the next).

Besides, most people do not have a favorite color, do not remember the name of their 3rd grade teacher, and have severe doubts about what counts as their "first" pet. Yes, they are intended to solve a real problem, but nothing about them survives any amount of questioning.

The problem is that anything which you remember that well is likely to be discoverable by other people. For instance, if someone's mother is dead there's a good chance that her obituary will be online and list the names of her children and her maiden name. Likewise, you could find the name of a person's elementary school by looking at their posts on Facebook in many cases - or if not their posts, then their siblings' or their friends'. So these kinds of questions are hardly a great proof of identity if they can be found online with a bit of searching.

That might have been the theory of security questions early on. But by now I'm sure I've filled out security questions dozens of times. Whatever the intent, from my perspective as a user, they're in the "speed bump" category of security.

For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

> For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

This is a great idea. Not only can the police verify that a given photo ID matches the person in front of them, they can also verify that the ID is valid and unaltered by checking that the details on the ID match the details in the DMV's database, eliminating fake IDs as an issue. This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name -- but it would dramatically increase the risk and make ID theft much harder to scale.

A federal effort to standardize an identity verification service across federal and local offices nationwide would be helpful. The service should be available to any entity (not only banks or financial entities) who wishes to verify the identity of a counterparty. The process and fee should be standardized nationwide, with the fee being break-even and paid by the entity requesting the verification.

Post offices are a good candidate to offer such a service, but would need some work to set up (unlike police agencies, I presume post offices don't have access to DMV databases).

The idea sounds nice in theory, but the only reason any administration would implement this would be to remove anonymity from the internet. Your ability to recover accounts would just be a side effect of the system designed to allow the government to track everything you do.

> This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name

This is much more common than you might think. I believe in Illinois there was some sort of ongoing problem with people at the DMV selling licenses to truckers who didn't actually pass their tests[0]. I'm sure any criminal with a wad of cash could get them to make a fake ID.

[0]: http://www.chicagotribune.com/news/chi-991009license-story.h...

This is true, but I think there's an important distinction.

Driving a truck is generally legal. Stealing somebody's life savings generally isn't.

This matters because once an underqualified truck driver is on the road, they're going to be hard to distinguish from a normal truck driver. You have to issue a lot of licenses before the pattern of fake licenses becomes obvious enough to trigger an investigation.

Granting fake licenses for serious theft, though, is another matter. Every single one of those will trigger a police investigation. It's much higher risk, meaning it'd be very hard to sustain an ongoing business in fake licenses for theft.

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

With a password manager such as Lastpass or 1Password you only need one very strong password that you as a human can remember. The passwords it manages don't need to be human-rememberable. They can have as high an entropy as allowed.

> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

2FA of the strong password plus a physical OTP (like a YubiKey) with one backup key is more than sufficient. Sure, it's not 3-letter-agency proof. They can easily break into your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.

> These are supposed to be the very last line of defense for security, including if you lose your password manager.

Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.

> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.

And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.

The downside is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.

In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory

And it's a shame to lose that feature, but they compromise your security so terribly that you're far better off not using them.

> it is possible to lose them - and that is unacceptable

Ten steps forward, two steps back. I find that acceptable.

Why not just offer a snail mail reset?